make require_team abort 404 when not in team mode (#2120)

* Closes #2119

CTFd/api/v1/teams.py

@@ -18,6 +18,7 @@ from CTFd.schemas.submissions import SubmissionSchema
 from CTFd.schemas.teams import TeamSchema
 from CTFd.utils import get_config
 from CTFd.utils.decorators import admins_only, authed_only, require_team
+from CTFd.utils.decorators.modes import require_team_mode
 from CTFd.utils.decorators.visibility import (
     check_account_visibility,
     check_score_visibility,
@@ -50,6 +51,8 @@ teams_namespace.schema_model(
 
 @teams_namespace.route("")
 class TeamList(Resource):
+    method_decorators = [require_team_mode]
+
     @check_account_visibility
     @teams_namespace.doc(
         description="Endpoint to get Team objects in bulk",
@@ -159,6 +162,8 @@ class TeamList(Resource):
 @teams_namespace.route("/<int:team_id>")
 @teams_namespace.param("team_id", "Team ID")
 class TeamPublic(Resource):
+    method_decorators = [require_team_mode]
+
     @check_account_visibility
     @teams_namespace.doc(
         description="Endpoint to get a specific Team object",
@@ -247,6 +252,8 @@ class TeamPublic(Resource):
 @teams_namespace.route("/me")
 @teams_namespace.param("team_id", "Current Team")
 class TeamPrivate(Resource):
+    method_decorators = [require_team_mode]
+
     @authed_only
     @require_team
     @teams_namespace.doc(
@@ -376,6 +383,8 @@ class TeamPrivate(Resource):
 
 @teams_namespace.route("/me/members")
 class TeamPrivateMembers(Resource):
+    method_decorators = [require_team_mode]
+
     @authed_only
     @require_team
     def post(self):
@@ -397,6 +406,8 @@ class TeamPrivateMembers(Resource):
 @teams_namespace.route("/<team_id>/members")
 @teams_namespace.param("team_id", "Team ID")
 class TeamMembers(Resource):
+    method_decorators = [require_team_mode]
+
     @admins_only
     def get(self, team_id):
         team = Teams.query.filter_by(id=team_id).first_or_404()
@@ -485,6 +496,8 @@ class TeamMembers(Resource):
 
 @teams_namespace.route("/me/solves")
 class TeamPrivateSolves(Resource):
+    method_decorators = [require_team_mode]
+
     @authed_only
     @require_team
     def get(self):
@@ -504,6 +517,8 @@ class TeamPrivateSolves(Resource):
 
 @teams_namespace.route("/me/fails")
 class TeamPrivateFails(Resource):
+    method_decorators = [require_team_mode]
+
     @authed_only
     @require_team
     def get(self):
@@ -532,6 +547,8 @@ class TeamPrivateFails(Resource):
 
 @teams_namespace.route("/me/awards")
 class TeamPrivateAwards(Resource):
+    method_decorators = [require_team_mode]
+
     @authed_only
     @require_team
     def get(self):
@@ -551,6 +568,8 @@ class TeamPrivateAwards(Resource):
 @teams_namespace.route("/<team_id>/solves")
 @teams_namespace.param("team_id", "Team ID")
 class TeamPublicSolves(Resource):
+    method_decorators = [require_team_mode]
+
     @check_account_visibility
     @check_score_visibility
     def get(self, team_id):
@@ -574,6 +593,8 @@ class TeamPublicSolves(Resource):
 @teams_namespace.route("/<team_id>/fails")
 @teams_namespace.param("team_id", "Team ID")
 class TeamPublicFails(Resource):
+    method_decorators = [require_team_mode]
+
     @check_account_visibility
     @check_score_visibility
     def get(self, team_id):
@@ -606,6 +627,8 @@ class TeamPublicFails(Resource):
 @teams_namespace.route("/<team_id>/awards")
 @teams_namespace.param("team_id", "Team ID")
 class TeamPublicAwards(Resource):
+    method_decorators = [require_team_mode]
+
     @check_account_visibility
     @check_score_visibility
     def get(self, team_id):

CTFd/utils/decorators/__init__.py

@@ -151,6 +151,8 @@ def require_team(f):
                 else:
                     return redirect(url_for("teams.private", next=request.full_path))
             return f(*args, **kwargs)
+        else:
+            abort(404)
 
     return require_team_wrapper