aljaz/CTFd
1
0
Fork 0
mirror of https://github.com/aljazceru/CTFd.git synced 2025-12-18 22:44:24 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix downloading files as an anonymous user. (#792)

Browse Source 
* Fix downloading files as an anonymous user. 
* Fix viewing challenges anonymously if they have empty requirements. Closes #789
* Allow anonymous users to see see challenges with empty requirements or anonymized challenges
This commit is contained in:
Kevin Chung
2018-12-07 23:37:30 -05:00
committed by GitHub
parent 760a8add03
commit e4fd1c47dd
3 changed files with 53 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
CTFd/api/v1/challenges.py
View File

@@ -27,7 +27,7 @@ from CTFd.utils.decorators.visibility import (
) )
from CTFd.cache import cache, clear_standings from CTFd.cache import cache, clear_standings
from CTFd.utils.scores import get_standings from CTFd.utils.scores import get_standings
from CTFd.utils.config.visibility import scores_visible, accounts_visible from CTFd.utils.config.visibility import scores_visible, accounts_visible, challenges_visible
from CTFd.utils.user import get_current_user, is_admin, authed from CTFd.utils.user import get_current_user, is_admin, authed
from CTFd.utils.modes import get_model from CTFd.utils.modes import get_model
from CTFd.schemas.tags import TagSchema from CTFd.schemas.tags import TagSchema
@@ -72,10 +72,10 @@ class ChallengeList(Resource):
response = [] response = []
tag_schema = TagSchema(view='user', many=True) tag_schema = TagSchema(view='user', many=True)
for challenge in challenges: for challenge in challenges:
requirements = challenge.requirements if challenge.requirements:
if requirements: requirements = challenge.requirements.get('prerequisites', [])
prereqs = set(requirements.get('prerequisites', [])) anonymize = challenge.requirements.get('anonymize')
anonymize = requirements.get('anonymize') prereqs = set(requirements)
if solve_ids >= prereqs: if solve_ids >= prereqs:
pass pass
else: else:
@@ -160,19 +160,22 @@ class Challenge(Resource):
chal_class = get_chal_class(chal.type) chal_class = get_chal_class(chal.type)
requirements = chal.requirements if chal.requirements:
if requirements: requirements = chal.requirements.get('prerequisites', [])
if current_user.authed(): anonymize = chal.requirements.get('anonymize')
if challenges_visible():
user = get_current_user() user = get_current_user()
if user:
solve_ids = Solves.query \ solve_ids = Solves.query \
.with_entities(Solves.challenge_id) \ .with_entities(Solves.challenge_id) \
.filter_by(account_id=user.account_id) \ .filter_by(account_id=user.account_id) \
.order_by(Solves.challenge_id.asc()) \ .order_by(Solves.challenge_id.asc()) \
.all() .all()
else:
# We need to handle the case where a user is viewing challenges anonymously
solve_ids = []
solve_ids = set([value for value, in solve_ids]) solve_ids = set([value for value, in solve_ids])
prereqs = set(requirements)
prereqs = set(requirements.get('prerequisites', []))
anonymize = requirements.get('anonymize')
if solve_ids >= prereqs or is_admin(): if solve_ids >= prereqs or is_admin():
pass pass
else: else:
@@ -313,16 +316,15 @@ class ChallengeAttempt(Resource):
if challenge.state == 'locked': if challenge.state == 'locked':
abort(403) abort(403)
requirements = challenge.requirements if challenge.requirements:
if requirements: requirements = challenge.requirements.get('prerequisites', [])
solve_ids = Solves.query \ solve_ids = Solves.query \
.with_entities(Solves.challenge_id) \ .with_entities(Solves.challenge_id) \
.filter_by(account_id=user.account_id) \ .filter_by(account_id=user.account_id) \
.order_by(Solves.challenge_id.asc()) \ .order_by(Solves.challenge_id.asc()) \
.all() .all()
solve_ids = set([solve_id for solve_id, in solve_ids]) solve_ids = set([solve_id for solve_id, in solve_ids])
prereqs = set(requirements)
prereqs = set(requirements.get('prerequisites', []))
if solve_ids >= prereqs: if solve_ids >= prereqs:
pass pass
else: else:

3
CTFd/views.py
View File

@@ -9,6 +9,7 @@ from CTFd.utils.user import authed, get_current_user
from CTFd.utils import config from CTFd.utils import config
from CTFd.utils.uploads import get_uploader from CTFd.utils.uploads import get_uploader
from CTFd.utils.config.pages import get_page from CTFd.utils.config.pages import get_page
from CTFd.utils.config.visibility import challenges_visible
from CTFd.utils.security.auth import login_user from CTFd.utils.security.auth import login_user
from CTFd.utils.security.csrf import generate_nonce from CTFd.utils.security.csrf import generate_nonce
from CTFd.utils import user as current_user from CTFd.utils import user as current_user
@@ -188,7 +189,7 @@ def files(path):
""" """
f = Files.query.filter_by(location=path).first_or_404() f = Files.query.filter_by(location=path).first_or_404()
if f.type == 'challenge': if f.type == 'challenge':
if current_user.authed(): if challenges_visible():
if current_user.is_admin() is False: if current_user.is_admin() is False:
if not ctftime(): if not ctftime():
abort(403) abort(403)

21
tests/users/test_views.py
View File

@@ -171,14 +171,23 @@ def test_user_can_access_files():
f = gen_file(app.db, location=model_path, challenge_id=chal_id) f = gen_file(app.db, location=model_path, challenge_id=chal_id)
url = url_for('views.files', path=model_path) url = url_for('views.files', path=model_path)
# Unauthed user should return 403 # Unauthed user should be able to see challenges if challenges are public
set_config('challenge_visibility', 'public')
with app.test_client() as client:
r = client.get(url)
assert r.status_code == 200
assert r.get_data(as_text=True) == 'testing file load'
# Unauthed user should be able to see challenges if challenges are private
set_config('challenge_visibility', 'private')
with app.test_client() as client: with app.test_client() as client:
r = client.get(url) r = client.get(url)
assert r.status_code == 403 assert r.status_code == 403
assert r.get_data(as_text=True) != 'testing file load' assert r.get_data(as_text=True) != 'testing file load'
# Authed user should be able to see the files # Authed user should be able to see files if challenges are private
register_user(app) register_user(app)
client = login_as_user(app) client = login_as_user(app)
r = client.get(url) r = client.get(url)
@@ -187,6 +196,14 @@ def test_user_can_access_files():
with freeze_time("2017-10-7"): with freeze_time("2017-10-7"):
set_config('end', '1507262400') # Friday, October 6, 2017 12:00:00 AM GMT-04:00 DST set_config('end', '1507262400') # Friday, October 6, 2017 12:00:00 AM GMT-04:00 DST
for v in ('public', 'private'):
set_config('challenge_visibility', v)
# Unauthed users shouldn't be able to see files if the CTF hasn't started
client = app.test_client()
r = client.get(url)
assert r.status_code == 403
assert r.get_data(as_text=True) != 'testing file load'
# Authed users shouldn't be able to see files if the CTF hasn't started # Authed users shouldn't be able to see files if the CTF hasn't started
client = login_as_user(app) client = login_as_user(app)