mirror of
https://github.com/aljazceru/CTFd.git
synced 2025-12-17 14:04:20 +01:00
367110969e
* Show notification titles on the notification list page * Allow for deleting notifications * Update notification UI in admin panel * Make /api/v1/notifications/<id> accessible to all * Default `login_as_user()` and `register_user()` to fail on invalid credentials
93 lines
2.9 KiB
Python
93 lines
2.9 KiB
Python
#!/usr/bin/env python
|
|
# -*- coding: utf-8 -*-
|
|
|
|
from CTFd.models import Hints
|
|
from tests.helpers import *
|
|
|
|
|
|
def test_api_hint_get_non_admin():
|
|
"""Can the users get /api/v1/hints if not admin"""
|
|
app = create_ctfd()
|
|
with app.app_context():
|
|
register_user(app)
|
|
with login_as_user(app) as client:
|
|
r = client.get('/api/v1/hints', json="")
|
|
assert r.status_code == 403
|
|
assert Hints.query.count() == 0
|
|
destroy_ctfd(app)
|
|
|
|
|
|
def test_api_hint_get_admin():
|
|
"""Can the users get /api/v1/hints if admin"""
|
|
app = create_ctfd()
|
|
with app.app_context():
|
|
with login_as_user(app, name="admin") as client:
|
|
r = client.get('/api/v1/hints', json="")
|
|
assert r.status_code == 200
|
|
destroy_ctfd(app)
|
|
|
|
|
|
def test_api_hint_post_non_admin():
|
|
"""Can the users post /api/v1/hints if not admin"""
|
|
app = create_ctfd()
|
|
with app.app_context():
|
|
register_user(app)
|
|
with login_as_user(app) as client:
|
|
r = client.post('/api/v1/hints', json="")
|
|
assert r.status_code == 403
|
|
destroy_ctfd(app)
|
|
|
|
|
|
def test_api_hint_post_admin():
|
|
"""Can the users post /api/v1/hints if admin"""
|
|
app = create_ctfd()
|
|
with app.app_context():
|
|
gen_challenge(app.db)
|
|
with login_as_user(app, name="admin") as client:
|
|
r = client.post('/api/v1/hints', json={
|
|
"content": "hint",
|
|
"cost": "1",
|
|
"challenge": 1})
|
|
assert r.status_code == 200
|
|
assert Hints.query.count() == 1
|
|
destroy_ctfd(app)
|
|
|
|
|
|
def test_admins_can_preview_hints():
|
|
"""Test that admins are able to bypass restrictions and preview hints with ?preview=true"""
|
|
app = create_ctfd()
|
|
with app.app_context():
|
|
gen_challenge(app.db)
|
|
gen_hint(app.db, challenge_id=1, cost=100)
|
|
client = login_as_user(app, name="admin", password="password")
|
|
r = client.get('/api/v1/hints/1')
|
|
assert r.status_code == 200
|
|
hint = r.get_json()
|
|
assert hint.get('content') is None
|
|
|
|
r = client.get('/api/v1/hints/1?preview=true')
|
|
assert r.status_code == 200
|
|
hint = r.get_json()
|
|
assert hint['data']['content'] == "This is a hint"
|
|
destroy_ctfd(app)
|
|
|
|
|
|
def test_users_cannot_preview_hints():
|
|
"""Test that users aren't able to preview hints"""
|
|
app = create_ctfd()
|
|
with app.app_context():
|
|
gen_challenge(app.db)
|
|
gen_hint(app.db, challenge_id=1, cost=100)
|
|
register_user(app)
|
|
client = login_as_user(app)
|
|
r = client.get('/api/v1/hints/1')
|
|
assert r.status_code == 200
|
|
hint = r.get_json()
|
|
assert hint.get('content') is None
|
|
|
|
r = client.get('/api/v1/hints/1?preview=true')
|
|
assert r.status_code == 200
|
|
hint = r.get_json()
|
|
assert hint['data'].get('content') is None
|
|
destroy_ctfd(app)
|