mirror of
https://github.com/aljazceru/CTFd.git
synced 2025-12-17 14:04:20 +01:00
9264e96428
# 3.1.0 / 2020-09-08 **General** - Loosen team password confirmation in team settings to also accept the team captain's password to make it easier to change the team password - Adds the ability to add custom user and team fields for registration/profile settings. - Improve Notifications pubsub events system to use a subscriber per server instead of a subscriber per browser. This should improve the reliability of CTFd at higher load and make it easier to deploy the Notifications system **Admin Panel** - Add a comments functionality for admins to discuss challenges, users, teams, pages - Adds a legal section in Configs where users can add a terms of service and privacy policy - Add a Custom Fields section in Configs where admins can add/edit custom user/team fields - Move user graphs into a modal for Admin Panel **API** - Add `/api/v1/comments` to manipulate and create comments **Themes** - Make scoreboard caching only cache the score table instead of the entire page. This is done by caching the specific template section. Refer to #1586, specifically the changes in `scoreboard.html`. - Add rel=noopener to external links to prevent tab napping attacks - Change the registration page to reference links to Terms of Service and Privacy Policy if specified in configuration **Miscellaneous** - Make team settings modal larger in the core theme - Update tests in Github Actions to properly test under MySQL and Postgres - Make gevent default in serve.py and add a `--disable-gevent` switch in serve.py - Add `tenacity` library for retrying logic - Add `pytest-sugar` for slightly prettier pytest output - Add a `listen()` method to `CTFd.utils.events.EventManager` and `CTFd.utils.events.RedisEventManager`. - This method should implement subscription for a CTFd worker to whatever underlying notification system there is. This should be implemented with gevent or a background thread. - The `subscribe()` method (which used to implement the functionality of the new `listen()` function) now only handles passing notifications from CTFd to the browser. This should also be implemented with gevent or a background thread.
109 lines
3.5 KiB
Python
109 lines
3.5 KiB
Python
#!/usr/bin/env python
|
|
# -*- coding: utf-8 -*-
|
|
|
|
from CTFd.models import Comments
|
|
from tests.helpers import (
|
|
create_ctfd,
|
|
destroy_ctfd,
|
|
gen_challenge,
|
|
gen_comment,
|
|
login_as_user,
|
|
register_user,
|
|
)
|
|
|
|
|
|
def test_api_post_comments():
|
|
app = create_ctfd()
|
|
with app.app_context():
|
|
gen_challenge(app.db)
|
|
with login_as_user(app, "admin") as admin:
|
|
r = admin.post(
|
|
"/api/v1/comments",
|
|
json={
|
|
"content": "this is a challenge comment",
|
|
"type": "challenge",
|
|
"challenge_id": 1,
|
|
},
|
|
)
|
|
# Check that POST response has comment data
|
|
assert r.status_code == 200
|
|
resp = r.get_json()
|
|
assert resp["data"]["content"] == "this is a challenge comment"
|
|
assert "this is a challenge comment" in resp["data"]["html"]
|
|
assert resp["data"]["type"] == "challenge"
|
|
|
|
# Check that the comment shows up in the list of comments for the given challenge
|
|
r = admin.get("/api/v1/comments?challenge_id=1", json="")
|
|
assert r.status_code == 200
|
|
resp = r.get_json()
|
|
assert resp["data"][0]["content"] == "this is a challenge comment"
|
|
assert "this is a challenge comment" in resp["data"][0]["html"]
|
|
assert resp["data"][0]["type"] == "challenge"
|
|
destroy_ctfd(app)
|
|
|
|
|
|
def test_api_post_comments_with_invalid_author_id():
|
|
app = create_ctfd()
|
|
with app.app_context():
|
|
gen_challenge(app.db)
|
|
register_user(app)
|
|
with login_as_user(app, "admin") as admin:
|
|
r = admin.post(
|
|
"/api/v1/comments",
|
|
json={
|
|
"content": "this is a challenge comment",
|
|
"type": "challenge",
|
|
"challenge_id": 1,
|
|
"author_id": 2,
|
|
},
|
|
)
|
|
# Check that POST response has comment data
|
|
assert r.status_code == 200
|
|
resp = r.get_json()
|
|
assert resp["data"]["author_id"] == 1
|
|
destroy_ctfd(app)
|
|
|
|
|
|
def test_api_get_comments():
|
|
app = create_ctfd()
|
|
with app.app_context():
|
|
gen_challenge(app.db)
|
|
with login_as_user(app, "admin") as admin:
|
|
gen_comment(
|
|
app.db,
|
|
content="this is a challenge comment",
|
|
author_id=1,
|
|
challenge_id=1,
|
|
)
|
|
r = admin.get("/api/v1/comments", json="")
|
|
|
|
# Check that the comment shows up in the list of all comments
|
|
assert r.status_code == 200
|
|
resp = r.get_json()
|
|
assert resp["data"][0]["content"] == "this is a challenge comment"
|
|
assert "this is a challenge comment" in resp["data"][0]["html"]
|
|
assert resp["data"][0]["type"] == "challenge"
|
|
destroy_ctfd(app)
|
|
|
|
|
|
def test_api_delete_comments():
|
|
app = create_ctfd()
|
|
with app.app_context():
|
|
gen_challenge(app.db)
|
|
with login_as_user(app, "admin") as admin:
|
|
gen_comment(
|
|
app.db,
|
|
content="this is a challenge comment",
|
|
author_id=1,
|
|
challenge_id=1,
|
|
)
|
|
assert Comments.query.count() == 1
|
|
|
|
# Check that the comment can be deleted
|
|
r = admin.delete("/api/v1/comments/1", json="")
|
|
assert r.status_code == 200
|
|
resp = r.get_json()
|
|
assert Comments.query.count() == 0
|
|
assert resp["success"] is True
|
|
destroy_ctfd(app)
|