* Add a section in the config panel to configure html sanitization
* `HTML_SANITIZTION` in config.ini can still force sanitization regardless of the database configuration
* Closes#2194
# 3.5.2 / 2023-05-01
**General**
- Generate cachable S3 URLs by rounding time down to the previous hour to generate a consistent URL
- Change email whitelist error message to not include the list of allowed domains
- Clean up the language for confirming the password on team password change
- Fix issue where dynamic challenges break if the decay is 0 and prevent users from adding a decay limit of 0 to dynamic value challenges
**Admin Panel**
- Adds support for admins to control `robots.txt`
- Clean up the aesthetics for the 'Pause CTF' and 'View After CTF' configs
- Replaced TLS and SSL checkbox text to match the defaults used by Mozilla Thunderbird to eliminate confusion when configuring SMTP
**Deployment**
- Slim down Docker image by removing several dependencies not needed for production usage
- The image size has been reduced from 648MB to 398MB
- In the Docker image run CTFd in a virtual environment located at `/opt/venv`
- Add freezegun to application dependencies
- Bump dependencies for pybluemonday, redis, SQLAlchemy-Utils, python-geoacumen-city
- Fix race conditions on cache healthcheck
- Fix situations where numeric config items in config.ini could cause CTFd to not start
* Bump down SQLAlchemy-Utils to version 0.41.0
* Update development dependencies
---------
Signed-off-by: Bendik Dyrli <skandix@datapor.no>
Co-authored-by: Kevin Chung <kchung@ctfd.io>
* TLS/SSL Labels to Match Thunderbird
Replaced TLS and SSL checkbox text to match the
defaults used by Mozilla Thunderbird to eliminate confusion when
configuring SMTP
* Add link to email server documentation
* Properly save changes
---------
Co-authored-by: Kevin Chung <kchung@ctfd.io>
In a high availability deployment scenario, two clients may make a request on /healthcheck at the exact same time, which can lead to check_config returning False if the second requests changes the 'healthcheck' cache key before the first one has had time to fetch the value it had set.
A solution to counter this is to ensure different keys are used for each healthcheck.
* In some cases with numeric config items it appears that we can end up processing a string twice. This issue fixes it so that we only process the strings once at configparser load time with `before_get`
Separate docker build into two stagesto discard several binaries, builder, compiler and dev dependencies not needed for production usage. Run CTFd in a venv in `/opt/venv`. Reduce the image size from 648MB to 398MB.
Co-authored-by: Kevin Chung <kchung@ctfd.io>
# 3.5.1 / 2023-01-23
**General**
- The public scoreboard page is no longer shown to users if account visibility is disabled
- Teams created by admins using the normal team creation flow are now hidden by default
- Redirect users to the team creation page if they access a certain pages before the CTF starts
- Added a notice on the Challenges page to remind Admins if they are in Admins Only mode
- Fixed an issue where users couldn't login to their team even though they were already on the team
- Fixed an issue with scoreboard tie breaking when an award results in a tie
- Fixed the order of solves, fails, and awards to always be in chronological ordering (latest first).
- Fixed an issue where certain custom fields could not be submitted
**Admin Panel**
- Improved the rendering of Admin Panel tables on mobile devices
- Clarified the behavior of Score Visibility with respect to Account Visibility in the Admin Panel help text
- Added user id and user email fields to the user mode scoreboard CSV export
- Add CSV export for `teams+members+fields` which is teams with Custom Field entries and their team members with Custom Field entries
- The import process will now catch all exceptions in the import process to report them in the Admin Panel
- Fixed issue where `field_entries` could not be imported under MariaDB
- Fixed issue where `config` entries sometimes would be recreated for some reason causing an import to fail
- Fixed issue with Firefox caching checkboxes by adding `autocomplete='off'` to Admin Panel pages
- Fixed issue where Next selection for a challenge wouldn't always load in Admin Panel
**API**
- Improve response time of `/api/v1/challenges` and `/api/v1/challenges/[challenge_id]/solves` by caching the solve count data for users and challenges
- Add `HEAD /api/v1/notifications` to get a count of notifications that have happened.
- This also includes a `since_id` parameter to allow for a notification cursor.
- Unread notification count can now be tracked by themes that track which notifications a user has read
- Add `since_id` to `GET /api/v1/notifications` to get Notifications that have happened since a specific ID
**Deployment**
- Imports have been disabled when running with a SQLite database backend
- See https://github.com/CTFd/CTFd/issues/2131
- Added `/healthcheck` endpoint to check if CTFd is ready
- There are now ARM Docker images for OSS CTFd
- Bump dependencies for passlib, bcrypt, requests, gunicorn, gevent, python-geoacumen-city
- Properly load `SAFE_MODE` config from environment variable
- The `AWS_S3_REGION` config has been added to allow specifying an S3 region. The default is `us-east-1`
- Add individual DATABASE config keys as an alternative to `DATABASE_URL`
- `DATABASE_PROTOCOL`: SQLAlchemy DB protocol (+ driver, optionally)
- `DATABASE_USER`: Username to access DB server with
- `DATABASE_PASSWORD`: Password to access DB server with
- `DATABASE_HOST`: Hostname of the DB server to access
- `DATABASE_PORT`: Port of the DB server to access
- `DATABASE_NAME`: Name of the database to use
- Add individual REDIS config keys as an alternative to `REDIS_URL`
- `REDIS_PROTOCOL`: Protocol to access Redis server with (either redis or rediss)
- `REDIS_USER`: Username to access Redis server with
- `REDIS_PASSWORD`: Password to access Redis server with
- `REDIS_HOST`: Hostname of the Redis server to access
- `REDIS_PORT`: Port of the Redis server to access
- `REDIS_DB`: Numeric ID of the database to access
**Plugins**
- Adds support for `config.json` to have multiple paths to add to the Plugins dropdown in the Admin Panel
- Plugins and their migrations now have access to the `get_all_tables` and `get_columns_for_table` functions
- Email sending functions have now been seperated into classes that can be customized via plugins.
- Add `CTFd.utils.email.providers.EmailProvider`
- Add `CTFd.utils.email.providers.mailgun.MailgunEmailProvider`
- Add `CTFd.utils.email.providers.smtp.SMTPEmailProvider`
- Deprecate `CTFd.utils.email.mailgun.sendmail`
- Deprecate `CTFd.utils.email.smtp.sendmail`
**Themes**
- The beta interface `Assets.manifest_css` has been removed
- `event-source-polyfill` is now pinned to 1.0.19.
- See https://github.com/CTFd/CTFd/issues/2159
- Note that we will not be using this polyfill starting with the `core-beta` theme.
- Add autofocus to text fields on authentication pages
* Improve response time of `/api/v1/challenges` and `/api/v1/challenges/[challenge_id]/solves`
* Rewrite and remove _build_solves_query to make it cacheable
* Closes#2209
* Change sendmail functions into classes that can be overriden from a plugin
* Deprecate `CTFd.utils.email.mailgun.sendmail`
* Deprecate `CTFd.utils.email.smtp.sendmail`
* Be more defensive on asset loading during imports
* On primary databases only import backups when we are actually able to make it to the target migration
