aljaz/CTFd
1
0
Fork 0
mirror of https://github.com/aljazceru/CTFd.git synced 2025-12-18 14:34:21 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
b6d54b9ee9447ba05ef452f87243199ae655df14
CTFd/tests/api/v1/teams/test_team_members.py
Kevin Chung b6d54b9ee9 2.1.0 (#957) 
https://github.com/CTFd/CTFd/milestone/6
2019-04-17 01:36:30 -04:00

142 lines
4.7 KiB
Python
Raw Blame History

#!/usr/bin/env python
# -*- coding: utf-8 -*-
from tests.helpers import (
create_ctfd,
destroy_ctfd,
login_as_user,
gen_user,
gen_team
)
def test_api_team_get_members():
"""Can a user get /api/v1/teams/<team_id>/members only if admin"""
app = create_ctfd(user_mode="teams")
with app.app_context():
user = gen_user(app.db)
team = gen_team(app.db)
team.members.append(user)
user.team_id = team.id
app.db.session.commit()
with login_as_user(app, name="user_name") as client:
r = client.get('/api/v1/teams/1/members', json="")
assert r.status_code == 403
with login_as_user(app, name="admin") as client:
r = client.get('/api/v1/teams/1/members', json="")
assert r.status_code == 200
resp = r.get_json()
assert resp['data'] == [2]
destroy_ctfd(app)
def test_api_team_remove_members():
"""Can a user remove /api/v1/teams/<team_id>/members only if admin"""
app = create_ctfd(user_mode="teams")
with app.app_context():
user1 = gen_user(app.db, name="user1", email="user1@ctfd.io") # ID 2
user2 = gen_user(app.db, name="user2", email="user2@ctfd.io") # ID 3
team = gen_team(app.db)
team.members.append(user1)
team.members.append(user2)
user1.team_id = team.id
user2.team_id = team.id
app.db.session.commit()
with login_as_user(app, name="user1") as client:
r = client.delete('/api/v1/teams/1/members', json={
'id': 2
})
assert r.status_code == 403
with login_as_user(app, name="admin") as client:
r = client.delete('/api/v1/teams/1/members', json={
'id': 2
})
assert r.status_code == 200
resp = r.get_json()
assert resp['data'] == [3]
r = client.delete('/api/v1/teams/1/members', json={
'id': 2
})
resp = r.get_json()
assert 'User is not part of this team' in resp['errors']['id']
assert r.status_code == 400
destroy_ctfd(app)
def test_api_admin_can_change_captain():
"""Can admins/captains change captains for teams"""
app = create_ctfd(user_mode="teams")
with app.app_context():
user1 = gen_user(app.db, name="user1", email="user1@ctfd.io") # ID 2
user2 = gen_user(app.db, name="user2", email="user2@ctfd.io") # ID 3
team = gen_team(app.db)
team.members.append(user1)
team.members.append(user2)
team.captain_id = 2
user1.team_id = team.id
user2.team_id = team.id
app.db.session.commit()
# I am not the captain
with login_as_user(app, name="user2") as client:
r = client.patch('/api/v1/teams/1', json={
'captain_id': 3
})
assert r.status_code == 403
# Look at me, I'm the captain now
with login_as_user(app, name="user1") as client:
r = client.patch('/api/v1/teams/1', json={
'captain_id': 3
})
# We should still receive a 403 because admins are the only people who can change captains for specific teams
assert r.status_code == 403
# Escalate to admin
with login_as_user(app, name="admin") as client:
r = client.patch('/api/v1/teams/1', json={
'captain_id': 3
})
resp = r.get_json()
assert resp['data']['captain_id'] == 3
assert r.status_code == 200
destroy_ctfd(app)
def test_api_users_can_change_captain_on_self_team():
"""Can admins/captains change captains for their own team"""
app = create_ctfd(user_mode="teams")
with app.app_context():
user1 = gen_user(app.db, name="user1", email="user1@ctfd.io") # ID 2
user2 = gen_user(app.db, name="user2", email="user2@ctfd.io") # ID 3
team = gen_team(app.db)
team.members.append(user1)
team.members.append(user2)
team.captain_id = 2
user1.team_id = team.id
user2.team_id = team.id
app.db.session.commit()
# I am not the captain
with login_as_user(app, name="user2") as client:
r = client.patch('/api/v1/teams/me', json={
'captain_id': 3
})
assert r.status_code == 400
# Look at me, I'm the captain now
with login_as_user(app, name="user1") as client:
r = client.patch('/api/v1/teams/me', json={
'captain_id': 3
})
resp = r.get_json()
assert resp['data']['captain_id'] == 3
assert r.status_code == 200
destroy_ctfd(app)
Reference in New Issue View Git Blame Copy Permalink