# 3.0.0a2 / 2020-07-09
**General**
* Accept additional profile fields during registration (affiliation, website, country)
* This does not add additional inputs. Themes or additional JavaScript can add the form inputs.
**Admin Panel**
* Redesign the challenge creation form to use a radio button with challenge type selection instead of a select input
**API**
* Admins can no longer ban themselves through `PATCH /api/v1/users/[user_id]`
**Themes**
* Spinner centering has been switched from a hard coded margin in CSS to flexbox CSS classes from Bootstrap
**Plugins**
* Revert plugin menu (`register_admin_plugin_menu_bar`, `register_user_page_menu_bar`) changes to 2.x code
**Miscellaneous**
* Fix issue with `Configs.ctf_name` returning incorrect value
* Add prerender step back into challenges.js
* Better handling of missing challenge types. Missing challenge types no longer bring down all other challenges.
Alpha release of CTFd v3.
# 3.0.0a1 / 2020-07-01
**General**
- CTFd is now Python 3 only
- Render markdown with the CommonMark spec provided by `cmarkgfm`
- Render markdown stripped of any malicious JavaScript or HTML.
- This is a significant change from previous versions of CTFd where any HTML content from an admin was considered safe.
- Inject `Config`, `User`, `Team`, `Session`, and `Plugin` globals into Jinja
- User sessions no longer store any user-specific attributes.
- Sessions only store the user's ID, CSRF nonce, and an hmac of the user's password
- This allows for session invalidation on password changes
- The user facing side of CTFd now has user and team searching
- GeoIP support now available for converting IP addresses to guessed countries
**Admin Panel**
- Use EasyMDE as an improved description/text editor for Markdown enabled fields.
- Media Library button now integrated into EasyMDE enabled fields
- VueJS now used as the underlying implementation for the Media Library
- Fix setting theme color in Admin Panel
- Green outline border has been removed from the Admin Panel
**API**
- Significant overhauls in API documentation provided by Swagger UI and Swagger json
- Make almost all API endpoints provide filtering and searching capabilities
- Change `GET /api/v1/config/<config_key>` to return structured data according to ConfigSchema
**Themes**
- Themes now have access to the `Configs` global which provides wrapped access to `get_config`.
- For example, `{{ Configs.ctf_name }}` instead of `get_ctf_name()` or `get_config('ctf_name')`
- Themes must now specify a `challenge.html` which control how a challenge should look.
- The main library for charts has been changed from Plotly to Apache ECharts.
- Forms have been moved into wtforms for easier form rendering inside of Jinja.
- From Jinja you can access forms via the Forms global i.e. `{{ Forms }}`
- This allows theme developers to more easily re-use a form without having to copy-paste HTML.
- Themes can now provide a theme settings JSON blob which can be injected into the theme with `{{ Configs.theme_settings }}`
- Core theme now includes the challenge ID in location hash identifiers to always refer the right challenge despite duplicate names
**Plugins**
- Challenge plugins have changed in structure to better allow integration with themes and prevent obtrusive Javascript/XSS.
- Challenge rendering now uses `challenge.html` from the provided theme.
- Accessing the challenge view content is now provided by `/api/v1/challenges/<challenge_id>` in the `view` section. This allows for HTML to be properly sanitized and rendered by the server allowing CTFd to remove client side Jinja rendering.
- `challenge.html` now specifies what's required and what's rendered by the theme. This allows the challenge plugin to avoid having to deal with aspects of the challenge besides the description and input.
- A more complete migration guide will be provided when CTFd v3 leaves beta
- Display current attempt count in challenge view when max attempts is enabled
- `get_standings()`, `get_team_stanadings()`, `get_user_standings()` now has a fields keyword argument that allows for specificying additional fields that SQLAlchemy should return when building the response set.
- Useful for gathering additional data when building scoreboard pages
- Flags can now control the message that is shown to the user by raising `FlagException`
- Fix `override_template()` functionality
**Deployment**
- Enable SQLAlchemy's `pool_pre_ping` by default to reduce the likelihood of database connection issues
- Mailgun email settings are now deprecated. Admins should move to SMTP email settings instead.
- Postgres is now considered a second class citizen in CTFd. It is tested against but not a main database backend. If you use Postgres, you are entirely on your own with regards to supporting CTFd.
- Docker image now uses Debian instead of Alpine. See https://github.com/CTFd/CTFd/issues/1215 for rationale.
- `docker-compose.yml` now uses a non-root user to connect to MySQL/MariaDB
- `config.py` should no longer be editting for configuration, instead edit `config.ini` or the environment variables in `docker-compose.yml`
2.3.0 / 2020-02-17
==================
**General**
* During setup, admins can register their email address with the CTFd LLC newsletter for news and updates
* Fix editting hints from the admin panel
* Allow admins to insert HTML code directly into the header and footer (end of body tag) of pages. This replaces and supercedes the custom CSS feature.
* The `views.custom_css` route has been removed.
* Admins can now customize the content of outgoing emails and inject certain variables into email content.
* The `manage.py` script can now manipulate the CTFd Configs table via the `get_config` and `set_config` commands. (e.g. `python manage.py get_config ctf_theme` and `python manage.py set_config ctf_theme core`)
**Themes**
* Themes should now reference the `theme_header` and `theme_footer` configs instead of the `views.custom_css` endpoint to allow for user customizations. See the `base.html` file of the core theme.
**Plugins**
* Make `ezq` functions available to `CTFd.js` under `CTFd.ui.ezq`
**Miscellaneous**
* Python imports sorted with `isort` and import order enforced
* Black formatter running on a majority of Python code
* Format Javascript and CSS files with `prettier`: `prettier --write 'CTFd/themes/**/*'`
* Format Python with `black`: `black CTFd` & `black tests`
* Travis now uses xenial instead of trusty.
* Fix user and admin panel user/team graphs
* Closes#682
* Unify login and logout under specific functions
* Closes#659
* Rename Challenges.hidden to Challenges.state
* Start to clean up API and front end integration starting with profile updating
* Slightly cleaner code
* Clean API to respond with success, data, and status codes
* Simpler COUNTRIES_LIST and update profile to use COUNTRIES_LIST
* Lookup country code in users page. Update front end calls to get API data properly
* Fix some API endpoints and fix JS to process new responses
* Update config.py to support new values
* Closes#635
* Update some code to handle user types, add email domain whitelisting
* Write a logging wrapper
* Use logging wrapper for submissions
* Close#656
* Break up config.html to make it easier to maintain
* Fix logging, domain_whitelist, and config
* Improving views.py, starting to add Announcements
* Starting announcements front end
* Make it easier to see large images, clean up some more REST API differences
* Closes#668
* Update Proxyfix config to REVERSE_PROXY
* Add announcements front end
* Move creation/edit modals into seperate files. Start moving user updating into their admin profile pages.
* Update font-awesome to 5.4.1
* Switch to user-edit icon
* Update the update_check function to send up more anonymous data for statistics purposes.
* Start work on #640
* Add the user action modals and update API to fix responses
* Fix admin teams page
* Add challenge requirements
* Implement anonymous locked challenges
* Team editting from admin panel
* Switch from simple cache to filesystem cache
* Implements a Cache backed server side session (#658) and fixes Users editting endpoint
* Add our messaging for docs
* Closes#700
* Remove invalid import
* Move challenge enditting around a whole lot and probably break a bunch of things
* Show challenge names in prerequisites instead of challenge IDs
* Closes#661
* Change user templates to use url_for
* Remove extra function
* Rewrite admin panel to use url_for
* Fix events to work under subdirectories
* Start cleaning up config panel
* Fix filesystem uploader; deprecate view_challenges_unregistered, view_scoreboard_if_authed, prevent_registration, view_after_ctf; implement new visibility decorators
* Remove workshop mode, fix some glitches with the new visibility settings
* Fix ctf_logo on core theme
* Fix setup errors
* Removing default from get_config b/c of memoization issues and getting some tests working
* Relax email regex validation rule (#693)
* Update to pycodestyle and fix new lint errors
* Add a ctf_id to update_check
* Change challenge plugin layout. Rename mailgun configs to be more descriptive (Closes#702)
* Detect if people try to set routes with '/' to simplify #690
* Closes#690
* Clean up some code
* Clean up challenge submit to rate limit
* Fix js version compatability issue
* Close some TODOs
* Hide challenges if not authenticated
* Make set_config reset the cache for those config values
* Return 404 on empty challenges for /api/v1/<challenge_id>/solves
* Fix setting boolean configs
* Properly change account config settings
* Move datetimes to isoformat (Closes#703)
* Remove all .isoformat() calls because it isn't UTC aware (ends in Z). Switch to isoformat function & filter
* Make /v1/submissions endpoint work for admin submission creation
* Make oauth_id unique for Users and Teams
* Move challenge submission endpoint and implement mark solved. Fix some isoformat issues.
* Only show team's missing challenges if in team mode
* Adding support for Hints & Unlocks
* Update challenge submission url
* Fix encoding functions in Python3
* Fix hexencode in Python3
* Added functional tests for challenges API for non-admin users (#705)
* Set hint default type to be standard
* Fix some JS issues. Closes#704
* Implement session.regenerate on top of the CachingSessionInterface
* Challenge challenge attempt responses from numbers to strings
* Fix password updating for UserSchema
* Remove leftover challenge submission code
* Remove old migrations :(, resolve challenge requirements not loading correctly, move migration functions
* Added functional tests for challenges/hints/admin API (#710)
* Fix helpers and re-add JSONLite
* Install MySQL 5.7
* Try more mysql
* Update password for mysql
* Fixing issuse in Users.get_solves
* Add new import/export code
* Switch to CTFdSerializer for Python 3
* Re-implement import exports and add a very flaky test
* Redesign submissions API response
* Get export to roundtrip in tests
* Int score b/c Decimal is not JSON serializeable
* Remove unused route methods
* Fix POST /api/v1/configs and start adding admin tests
* Add user_id and team_id to top/10
* Fix admin creating Teams
* Fix Team website validation
* Change admins_only to reply with a 403 if the request is JSON
* Organize admin tests and fix authed_only to return 403 on unauthed
* Adding check_account_visibility, check_score_visibility for /api/v1/teams/<team_id>/(solves|awards|fails)
* Fix teams/me endpoints again
* Fix users/me endpoints to return 403 if unauthed
* Fix Python 3 config API
* Add fetch and promise polyfills. (#712)
* Add exec to docker-entrypoint.sh (#713)
* Display import_ctf Exceptions via repr (#651)
- Wraps exceptions on `/admin/import` returned to users in a `repr()`, making debugging easier.
* Add error messages to the admin panel, fix schemas for users, start working on UI for imports/exports
* Make unauthed challenge submission attempt return 403 instead of 302, Fix user deletion, fix associated tests, remove TODOs
* Remove old means of creating solves
* Remove most of the content from teams.js and users.js
* Remove extra code from /challenges.js
* Fix POST'ing & PATCH'ing pages
* Make (users|teams)/fails return only count to users. Fix public score graphs to factor in awards
* Fix admin side scoregraphs. Fix Awardschemas for admins
* Add requirements to db migration
* Adding some team decorators
* Fix require_team_mode decorator
* Make verified emails decorator return 403 on JSON requests
* Redo initial revision
* Add SQLiteJSON back
* Adding ratelimit to /redirect and removing POST from /oauth
* Fix PATCH tags
* Actually fix PATCH tags
* Simplify 500.html
* Added tests for challenges, awards, files, flags, hints ... (#723)
* Added tests for challenges, awards, files, flags, hints, notifications, pages, submissions, tags
* Fix user data validation functions, Fix hidden challenges and include test
* Add a locked state to attempt
* OAuth teams get verified, use logging functions in redirect route
* Removing extra print call
* Update requirements.txt
* Fix possible AttributeError
* Start work on #716
* Closes#717
* Fix issue patching teams
* Rename .j2 to .html, implement preview for challenges if admin
* Move admin/challenge.html to admin/challenges/challenge.html
* Remove old modals
* Add Reset CTF button (#639)
* Add Reset link to config.html
* Delete Tracking
* files handler should return a 404 on files it cant find
* Denote official teams (#729), make scoregraph fill to zero
* Remove old javascript files, make some challenge elements refresh by reloading
* Fix team editting modals to work more reliably
* Fix rendering of CTF paused
* Remove hide_scores funtion and roll it into scores visibility
* Log to stdout/stderr by default (#719)
* Fix user searching
* Remove searching for users/teams by country
* Add badges to admin team and user pages, implement user banning (#643)
* Remove shell.py, clean up admin team.html, add tests for banned users, teams
* Start cleaning up dynamic_challenges to meet new challenge type plugin format
* Remove POST method from teams.public
* Add credentials: 'same-origin' to all fetch calls (#734)
* Add challenge preview, add challenge deletion, fix file deletions when deleting challenges
* Fix imports UI (#735)
* Show prerequisites before adding a blank one (#738), Refresh all challenges after a submission (#739)
* Admins can see hidden challenges
* Fix some UI elements, fix loading location hash, set version to be 2.0.0
* Clean up some challenge plugin pages
* Add default for flag type
* Fix Python3 bytes/str issues
* Add in MLC urls and support user mode for oauth
* Fix seeing user graphs when scores are hidden, clean up setup.html, add links to MLC oauth
* Add state parameter support
* Use URLSafeTimedSerializer wrapper for sending token based emails
* setting APPLICATION_ROOT from env var (#732)
* Rearrange config.py and update README
* Updating README
* Changing to a new plugin oriented challenge type plugin and fixing extra width on admin chal description
* Add window.challenge.submit, renderSubmissionResponse, and csrf_nonce
* Update admin side renderer calls
* Updating to Flask 1.0 and adding files for flask run
* Adding a preliminary case-insensitive key
* Adding case insensitive keys
* Adding CTF Logo
* Reducing the amount of team information shown on the main page
* Add better base64 helpers
* Switch from button to badge
* Rudimentary solve checking from admin panel
* Refine admin chals solves view & fix PEP8
* Compare base64 encoded data with bytestring
* Removing need to urlencode/urldecode in base64 wrappers
* Adding decorator documentation
* Randomly order tests & add test for case_insensitive flags
* Add regex flag case_insensitive test
* Add tests for /admin/chal/1/solves and ctf_logo
* Upgrade to Bootstrap v4 beta 3
* Fix incorrect FontAwesome5 icon
* Fixing regressions & code quality issues. Files, Tags & Hints now appear in the admin challenge preview. Fixed color issues with file buttons and badges. Pass script_root into challenge type plugin.
* Fixing incorrect FontAwesome5 icon
* Fix test for /admin/chals/<chalid>
* Expand test to include tags, hints, files
* Bootstrap v4 (#490)
* Upgrading original theme to use Bootstrap v4 and overall improve use of utility classes
* Fixing graph issues. Colors per team & cleaner hover
* The solves tab now shows relative time instead of absolute time
* Redesign admin theme
* Updating modals and changing form name from desc to description
* Moving CSS config from Pages to Config page
* Adding IP address count to statistics
* Move control of certain modals (files, flags, tags, hints) to challenges page
* Expanding size of config page
* Combining statistics and graphs pages
* Moving percentage solved to the statistics page instead of the admin challenges page
* Rename Keys.key_type to Keys.type (#459) (#478)
* Rename keys.key_type to keys.type (#459)
* Fixing previous migration to not be worried about key_type v type
* Fixing loading of challenge type plugins
* Switching from Handlebars to Nunjucks (#491)
* Switching from Handlebars to Nunjucks
* Allow admins to unlock hints before CTF begins and test that this is not allowed for regular users
* Authed only (#492)
* Adding authed_only decorator and adding next to url_for
* Adding a basic preview to hints (#494)
* Hints have a preview now for creating and updating hints. HTML and markdown are still allowed.
* Ezq (#495)
* Adding ezq as a simple wrapper around bootstrap modals
* Use tabs not spaces and remove gray background on inputs
* Adding title & draft to Pages. Making page preview open a new tab (#497)
* Adding title & draft to Pages.
* Making page preview open a new tab instead of render in the existing tab
* Draft pages cannot be seen without a preview
* Update check (#499)
* Add update_check function
* Notify user that a CTFd update is available in the admin panel
* Adding update_check tests
* Ratelimit (#500)
* Implementing a ratelimit function
* Fix error page formatting
* Add rate limiting tests
* Rate limit authentication functions and rate limit admin send email function
* Load user solves before we load challenges to avoid unstyled buttons (#502)
* Add a challenge preview (#503)
* Adding a challenge preview to the admin panel
* Change /admin/chals/<int:chalid> to /admin/chal/<int:chalid>
* Adding codecov (#504)
* Test coverage at https://codecov.io/gh/CTFd/CTFd
* Sendmail improvements (#505)
* Add get_smtp timeout, add sendmail error messages
* Adding more error handling to sendmail
* Adding Flask-Script (#507)
* Pause ctf (#508)
* Implement CTF pausing
* Test CTF pausing
* Fix loading challenges for users (#510)
* Fix loading challenges for users
* Temporarily switch themes in test
* Pause help text (#509)
* Adding pause help text
* Pages authed (#511)
* Adding authentication options to pages
* Adding tests for accessing pages while draft & auth_required
* Merging master into 1.1 (#513)
* Name the core theme and remove the original theme
* Allows Challenges to have custom tables which allow them to have custom behavior
* Adding create, update, delete staticmethods giving Challenge Types a static interface to implement
* Adopting a challenge type layout from deckar01
* Move standard challenge modals into the plugin
* Migration to change challenge type id to a string
* Travis testing now builds with MySQL, SQLite, and Postgres
* Rework get_standings to use the row ID instead of the saved time because of differences in database time precision
* challenge update modal is now replaceable
By defining
* [type]-challenge-update.hbs
* [type]-challenge-modals.hbs
* [type]-challenge-update.js
in the /static/admin/js/templates/challenges/[type] folder the
challenge update modal will be defined for any challenges of
the given type. This allows for essentially full customizability
of how you will edit custom challenge types in the admin UI.
The reason for having two files, *update.hbs and *modals.hbs, is
that *update.hbs defines the body for the main challenge update
modal, while *modals.hbs defines any additional modals which will be
used within the main modal
There is one function which is required in *update.js is
`openchal(id)` which will be passed the id of the challenge to be
edited and should open the modal as well as load any needed data
* fixed multi-modal issues
Issues were coming from two sources:
* I had placed the modals in an indirect relationship in the DOM
tree. They need to be siblings I now see
* There was double counting of modals within multi-modal.js. This
only started to appear with the dynamically loaded modals. I
fixed the script to accurately count modals each time
* Switching to Flask-Migrate to create tables/database. Adding Hints & Unlocks.
* Adding db.create_all call for sqlite db's (sqlite is not properly handled with alembic yet)
* Python 3 testing works properly with 3.5
* Adding admin side of hints
* Hints are viewable for users
* Extracting key checking logic to make it more extensible
* Add missing keys __init__ file
* Adding logging access and errors to Dockerfile
* Use template inheritance for page.html (#198)
* Fix exception on cofirmation screen (#202)
When a user attempts to confirm an e-mail address, an exception is thrown because the db session is closed prior to logging.
The line db.session.close() has to move after the logging, otherwise the team parameters from the orm object are discarded and an exception is thrown.
Closing the session after logging, fixes the issue.
* Adding custom key types for challenges
* Separating out admin.py, adding challenge types
* Don't let truncate affect edit modal
* File uploads no longer refresh page (#207)
Closes (#180)
* Fixing missing import
* Fixing mistake in flag JSON response
* Removing compare_digest to support Python 2.7.6
* Fixing inconsistencies in standard challenge modal
* Passing submission input over to template js
* Handling cases where data can't be found in the DOM better
* Don't refresh modal if it's just a refresh operation
* Fixing solving challenges while scoreboard is public
Induce a redirect to make user login
* Adding missing js file and fixing migration
* Fixing some visual glitches and streamlining challenge creation
* Fixed hard coded upload directory (#206)
* Extracting key checking logic to make it more extensible
* Add missing keys __init__ file
* Adding logging access and errors to Dockerfile
* Use template inheritance for page.html (#198)
* Fix exception on cofirmation screen (#202)
When a user attempts to confirm an e-mail address, an exception is thrown because the db session is closed prior to logging.
The line db.session.close() has to move after the logging, otherwise the team parameters from the orm object are discarded and an exception is thrown.
Closing the session after logging, fixes the issue.
* Adding custom key types for challenges
* Separating out admin.py, adding challenge types
* Don't let truncate affect edit modal
* File uploads no longer refresh page (#207)
Closes (#180)
* Fixing missing import
* Fixing mistake in flag JSON response
* Removing compare_digest to support Python 2.7.6
* Fixing inconsistencies in standard challenge modal
* Passing submission input over to template js
* Handling cases where data can't be found in the DOM better
* Don't refresh modal if it's just a refresh operation
* Fixing solving challenges while scoreboard is public
Induce a redirect to make user login
* Adding missing js file and fixing migration
* Fixing some visual glitches and streamlining challenge creation
