aljaz/CTFd
1
0
Fork 0
mirror of https://github.com/aljazceru/CTFd.git synced 2025-12-18 14:34:21 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
ecdb99e2f11beec17e2e44179c12c9bb76284cfc
CTFd/tests/teams/test_invites.py
Kevin Chung d9975f307c Mark 3.2.0 (#1748) 
# 3.2.0 / unreleased

**General**

- Add Team invites.
  - Team invites are links containing a token that allow a user to join a team without knowing the team password
  - Captains can generate invite tokens for their teams
  - Admins can generate Team invite links as well
- Improved Team handling
  - Prevent team joining while already on a team
  - Return 403 instead of 200 for team join/create errors
  - Allow team captains whose teams haven't done anything to disband their team
- Allow for uploading navbar logo, favicon, and index page banner during initial setup
- Fixed issue in teams mode where a user couldn't unlock a hint despite their team having enough points
  - The fix for this is essentially to allow the user's points to go negative
- Imports have been made more stable
  - This is primarily done by killing MySQL processes that are locking metadta
  - This is a subpar approach but it seems to be the only solution to avoid a metadata lock in MySQL. This approach did not appear to be needed under Postgres or SQLite
- Update some migrations to first check if a table already exists.

**API**

- Addition of `POST /api/v1/teams/me/members` to generate invite tokens for teams
- Fixed an issue in `POST /api/v1/awards` where CTFd would 500 when a user could not be found by the provided `user_id`
- `POST /api/v1/unlocks` in teams mode now uses the team's score to determine if a user can purchase a hint
  - Properly check for existing unlocks in teams mode in `POST /api/v1/unlocks`
- `/api/v1/notifications` and `/api/v1/notifications/[notification_id]` now have an html parameter which specifies the rendered content of the notification content

**Themes**

- Added syntax highlighting to challenge descriptions, pages, hints, notifications, comments, and markdown editors
  - This is done with `highlight.js` which has been added to `package.json`
- Fix notifications to properly fix/support Markdown and HTML notifications
  - Notifications SQL Model now has an html propery
  - Notifications API schemas now has an html field
- Removed MomentJS (see https://momentjs.com/docs/#/-project-status/) in favor of dayjs
  - dayjs is mostly API compatible with MomentJS. The only major changes were:
    - dayjs always uses browser local time so you don't need to call `.local()`
    - dayjs segments out some MomentJS functionality into plugins which need to be imported in before using those features
- Fixed issue in `challenge.html` where the current attempt count would have a typo
- Fixed issue in `challenge.html` where the max attempts for a challenge would not show if it was set to 1
- Edit donut charts to have easier to read legends and labels
- Make data zoom bars thinner and more transparent

**Plugins**

- Don't run `db.create_all()` as much during plugin upgrade or during imports
  - By avoiding this we can let alembic and migrations do more of the table creation work but this means that plugins specifically opt into `app.db.create_all()` and will not implicitly get it through `upgrade()`.
  - This means plugins that run `upgrade()` without a migrations folder (no idea who would do this really) will need to upgrade their code.

**Admin Panel**

- Add Favicon uploading to the Admin Panel
- Move Logo uploading to the Theme tab in the Admin Panel
- The challenge left side bar tabs have been rewritten into VueJS components.
  - This fixes a number of issues with the consistency of what data is deleted/edited in the challenge editor
  - This also prevents having to refresh the page in most challenge editing situations
- Fixed a possible bug where the update available alert wouldn't go away on server restart
- Examples for regex flags are now provided
- Wrong submissions has been renamed to Incorrect Submissions
- Graphs in the Admin Statistics page will now scroll with mouse wheel to improve browsing large datasets

**Deployment**

- A restart policy set to `always` has been added to nginx in docker-compose
- Rename `requirements.txt` to `requirements.in` and generate `requirements.txt` using `pip-tools` under Python 3.6
- `UPLOAD_PROVIDER` no longer has a default `filesystem` set in config.ini. Instead it is defaulted through `config.py`

**Miscellaneous**

- The `psycopg2` dependency in development.txt has been removed in favor of `psycopg2-binary` which was updated to 2.8.6
- The `moto` dependency in development.txt has been updated to 1.3.16
- Add `pip-tools` to `development.txt`
- Add `import_ctf` and `export_ctf` commands to `manage.py` and deprecate `import.py` and `export.py`
- Override the `MAIL_SERVER` config with the `TESTING_MAIL_SERVER` envvar during tests
- `ping` events in the notification event handler have been fixed to not send duplicates
2020-12-01 16:09:31 -05:00

82 lines
3.0 KiB
Python
Raw Blame History

#!/usr/bin/env python
# -*- coding: utf-8 -*-
from freezegun import freeze_time
from CTFd.exceptions import TeamTokenExpiredException, TeamTokenInvalidException
from CTFd.models import Teams, Users
from CTFd.utils import set_config
from tests.helpers import create_ctfd, destroy_ctfd, gen_team, gen_user, login_as_user
def test_team_invite_codes():
app = create_ctfd(user_mode="teams")
with app.app_context():
team1 = gen_team(app.db, name="team1", email="team1@ctfd.io")
with freeze_time("2017-10-7 00:00:00"):
invite_code = team1.get_invite_code()
team = Teams.load_invite_code(invite_code)
assert team.id == team1.id
with freeze_time("2017-10-8 00:00:01"):
try:
team = Teams.load_invite_code(invite_code)
except TeamTokenExpiredException:
# This token should be expired and we shouldn't get a team object back
pass
else:
print("Token should have expired")
raise Exception
# Change team's password
team.password = "new_test_password"
app.db.session.commit()
with freeze_time("2017-10-7 00:00:00"):
try:
team = Teams.load_invite_code(invite_code)
except TeamTokenInvalidException:
pass
else:
print("Token should have been invalidated by password change")
raise Exception
destroy_ctfd(app)
def test_api_user_facing_invite_tokens():
app = create_ctfd(user_mode="teams")
with app.app_context():
team1 = gen_team(app.db, name="team1", email="team1@ctfd.io")
user = team1.captain
with login_as_user(app, name=user.name) as captain:
r = captain.post("/api/v1/teams/me/members", json="")
invite_code = r.get_json()["data"]["code"]
assert invite_code
new_user = gen_user(app.db)
with login_as_user(app, name=new_user.name) as user:
url = f"/teams/invite?code={invite_code}"
user.get(url)
with user.session_transaction() as sess:
data = {
"nonce": sess.get("nonce"),
}
r = user.post(url, data=data)
assert r.status_code == 302
assert r.location.endswith("/challenges")
assert Users.query.filter_by(id=new_user.id).first().team_id == team1.id
# Test team size limits
set_config("team_size", 1)
new_user2 = gen_user(app.db, name="new_user2", email="new_user2@ctfd.io")
with login_as_user(app, name=new_user2.name) as user:
url = f"/teams/invite?code={invite_code}"
user.get(url)
with user.session_transaction() as sess:
data = {
"nonce": sess.get("nonce"),
}
r = user.post(url, data=data)
assert r.status_code == 403
assert "has already reached the team size limit" in r.get_data(as_text=True)
destroy_ctfd(app)
Reference in New Issue View Git Blame Copy Permalink