mirror of
https://github.com/aljazceru/CTFd.git
synced 2025-12-17 22:14:25 +01:00
5d7e0e39c7
* Fix issue where admins could not see user graphs/api data if score visibility was set to hidden * Closes #1580
55 lines
1.7 KiB
Python
55 lines
1.7 KiB
Python
from CTFd.models import Users
|
|
from CTFd.utils import set_config
|
|
from tests.helpers import (
|
|
create_ctfd,
|
|
destroy_ctfd,
|
|
login_as_user,
|
|
register_user,
|
|
simulate_user_activity,
|
|
)
|
|
|
|
|
|
def test_admins_can_see_scores_with_hidden_scores():
|
|
"""Test that admins can see user scores when Score Visibility is set to hidden"""
|
|
app = create_ctfd()
|
|
with app.app_context():
|
|
register_user(app)
|
|
user = Users.query.filter_by(id=2).first()
|
|
simulate_user_activity(app.db, user=user)
|
|
|
|
admin = login_as_user(app, name="admin", password="password")
|
|
user = login_as_user(app)
|
|
|
|
set_config("score_visibility", "hidden")
|
|
|
|
# Users can see their own data
|
|
r = user.get("/api/v1/users/me/fails", json="")
|
|
assert r.status_code == 200
|
|
r = user.get("/api/v1/users/me/solves", json="")
|
|
assert r.status_code == 200
|
|
|
|
# Users cannot see public data
|
|
r = user.get("/api/v1/users/2/solves", json="")
|
|
assert r.status_code == 403
|
|
r = user.get("/api/v1/users/2/fails", json="")
|
|
assert r.status_code == 403
|
|
r = user.get("/scoreboard")
|
|
assert r.status_code == 403
|
|
r = user.get("/api/v1/scoreboard", json="")
|
|
assert r.status_code == 403
|
|
|
|
# Admins can see user data
|
|
r = admin.get("/api/v1/users/2/fails", json="")
|
|
assert r.status_code != 403
|
|
|
|
# Admins can see the scoreboard
|
|
r = admin.get("/scoreboard")
|
|
assert r.status_code != 403
|
|
assert "Scores are not currently visible to users" in r.get_data(as_text=True)
|
|
|
|
# Admins can see the scoreboard
|
|
r = admin.get("/api/v1/scoreboard", json="")
|
|
assert r.status_code != 403
|
|
|
|
destroy_ctfd(app)
|