aljaz/CTFd
1
0
Fork 0
mirror of https://github.com/aljazceru/CTFd.git synced 2025-12-17 05:54:19 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
7c60c697ee38a500b4584fbac14e2e424e48e4d4
CTFd/tests/users/test_users.py
Kevin Chung 7c60c697ee Properly hide users/teams if they are set to banned/hidden (#932) 
* Properly hide users/teams if they are set to hidden/banned
    * This should be in the API and in the main user panel. This should not affect admins. 
* Update tests to reflect this behavior.
2019-04-04 22:44:18 -04:00

86 lines
3.2 KiB
Python
Raw Blame History

#!/usr/bin/env python
# -*- coding: utf-8 -*-
from tests.helpers import *
def test_accessing_hidden_users():
"""Hidden users should not give any data from /users or /api/v1/users"""
app = create_ctfd()
with app.app_context():
register_user(app, name="visible_user", email="visible_user@ctfd.io") # ID 2
register_user(app, name="hidden_user", email="hidden_user@ctfd.io") # ID 3
register_user(app, name="banned_user", email="banned_user@ctfd.io") # ID 4
user = Users.query.filter_by(name="hidden_user").first()
user.hidden = True
app.db.session.commit()
user = Users.query.filter_by(name="banned_user").first()
user.banned = True
app.db.session.commit()
with login_as_user(app, name="visible_user") as client:
assert client.get('/users/3').status_code == 404
assert client.get('/api/v1/users/3').status_code == 404
assert client.get('/api/v1/users/3/solves').status_code == 404
assert client.get('/api/v1/users/3/fails').status_code == 404
assert client.get('/api/v1/users/3/awards').status_code == 404
assert client.get('/users/4').status_code == 404
assert client.get('/api/v1/users/4').status_code == 404
assert client.get('/api/v1/users/4/solves').status_code == 404
assert client.get('/api/v1/users/4/fails').status_code == 404
assert client.get('/api/v1/users/4/awards').status_code == 404
destroy_ctfd(app)
def test_hidden_user_visibility():
"""Hidden users should not show up on /users or /api/v1/users or /api/v1/scoreboard"""
app = create_ctfd()
with app.app_context():
register_user(app, name="hidden_user")
with login_as_user(app, name="hidden_user") as client:
user = Users.query.filter_by(id=2).first()
user_name = user.name
user.hidden = True
app.db.session.commit()
r = client.get('/users')
response = r.get_data(as_text=True)
assert user_name not in response
r = client.get('/api/v1/users')
response = r.get_json()
assert user_name not in response
gen_award(app.db, user.id)
r = client.get('/scoreboard')
response = r.get_data(as_text=True)
assert user_name not in response
r = client.get('/api/v1/scoreboard')
response = r.get_json()
assert user_name not in response
# User should re-appear after disabling hiding
# Use an API call to cause a cache clear
with login_as_user(app, name='admin') as admin:
r = admin.patch('/api/v1/users/2', json={
"hidden": False,
})
assert r.status_code == 200
r = client.get('/users')
response = r.get_data(as_text=True)
assert user_name in response
r = client.get('/api/v1/users')
response = r.get_data(as_text=True)
assert user_name in response
r = client.get('/api/v1/scoreboard')
response = r.get_data(as_text=True)
assert user_name in response
destroy_ctfd(app)
Reference in New Issue View Git Blame Copy Permalink