admin/CTFd
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

init CTFd source
Some checks are pending
Linting / Linting (3.11) (push) Waiting to run
Details
Mirror core-theme / mirror (push) Waiting to run
Details

Browse Source
This commit is contained in:
gkr
2025-12-25 09:39:21 +08:00
commit 2e06f92c64
1047 changed files with 150349 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

0
tests/api/v1/users/__init__.py Normal file
View File

89
tests/api/v1/users/test_scoring.py Normal file
View File

@@ -0,0 +1,89 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from CTFd.models import Users
from CTFd.utils import set_config
from tests.helpers import (
create_ctfd,
destroy_ctfd,
login_as_user,
register_user,
simulate_user_activity,
)
def test_api_user_place_score_hidden_if_scores_hidden():
"""/api/v1/users/me should not reveal user place if scores aren't visible"""
app = create_ctfd()
with app.app_context():
register_user(app)
user = Users.query.filter_by(id=2).first()
simulate_user_activity(app.db, user=user)
with login_as_user(app, name="user") as client:
r = client.get("/api/v1/users/me", json="")
resp = r.get_json()
assert resp["data"]["place"] == "1st"
assert resp["data"]["score"] == 200
set_config("score_visibility", "hidden")
with login_as_user(app, name="user") as client:
r = client.get("/api/v1/users/me", json="")
resp = r.get_json()
# Users can see their own score but they cannot see their place
# This is because a user can always sum up their own score but
# they cannot determine their place without social information
assert resp["data"]["place"] is None
assert resp["data"]["score"] == 200
set_config("score_visibility", "admins")
with login_as_user(app, name="user") as client:
r = client.get("/api/v1/users/me", json="")
resp = r.get_json()
# The same behavior as above applies even under admins only score mode
# The rationale is the same. Users can always sum their own score
assert resp["data"]["place"] is None
assert resp["data"]["score"] == 200
with login_as_user(app, name="admin") as client:
r = client.get("/api/v1/users/2", json="")
resp = r.get_json()
assert resp["data"]["place"] == "1st"
assert resp["data"]["score"] is not None
destroy_ctfd(app)
def test_api_public_user_place_score_hidden_if_scores_hidden():
"""/api/v1/users/<user_id> should not reveal user place if scores aren't visible"""
app = create_ctfd()
with app.app_context():
register_user(app)
user = Users.query.filter_by(id=2).first()
simulate_user_activity(app.db, user=user)
with login_as_user(app, name="user") as client:
r = client.get("/api/v1/users/2", json="")
resp = r.get_json()
assert resp["data"]["place"] == "1st"
assert resp["data"]["score"] is not None
set_config("score_visibility", "hidden")
with login_as_user(app, name="user") as client:
r = client.get("/api/v1/users/2", json="")
resp = r.get_json()
assert resp["data"]["place"] is None
assert resp["data"]["score"] is None
set_config("score_visibility", "admins")
with login_as_user(app, name="user") as client:
r = client.get("/api/v1/users/2", json="")
resp = r.get_json()
assert resp["data"]["place"] is None
assert resp["data"]["score"] is None
with login_as_user(app, name="admin") as client:
r = client.get("/api/v1/users/2", json="")
resp = r.get_json()
assert resp["data"]["place"] == "1st"
assert resp["data"]["score"] is not None
destroy_ctfd(app)

113
tests/api/v1/users/test_users.py Normal file
View File

@@ -0,0 +1,113 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from CTFd.models import Users, db
from CTFd.utils.crypto import verify_password
from tests.helpers import create_ctfd, destroy_ctfd, login_as_user, register_user
def test_api_self_ban():
"""PATCH /api/v1/users/<user_id> should not allow a user to ban themselves"""
app = create_ctfd()
with app.app_context():
with login_as_user(app, name="admin") as client:
r = client.patch("/api/v1/users/1", json={"banned": True})
resp = r.get_json()
assert r.status_code == 400
assert resp["success"] == False
assert resp["errors"] == {"id": "You cannot ban yourself"}
destroy_ctfd(app)
def test_api_modify_user_type():
"""Can a user patch /api/v1/users/<user_id> to promote a user to admin and demote them to user"""
app = create_ctfd()
with app.app_context():
register_user(app)
with login_as_user(app, "admin") as client:
r = client.patch("/api/v1/users/2", json={"type": "admin"})
assert r.status_code == 200
user_data = r.get_json()["data"]
assert user_data["name"] == "user"
assert user_data["type"] == "admin"
r = client.patch("/api/v1/users/2", json={"type": "user"})
assert r.status_code == 200
user_data = r.get_json()["data"]
assert user_data["name"] == "user"
assert user_data["type"] == "user"
destroy_ctfd(app)
def test_api_can_query_by_user_emails():
"""Can an admin user query /api/v1/users using a user's email address"""
app = create_ctfd()
with app.app_context():
register_user(app, name="testuser", email="user@findme.com")
with login_as_user(app, "testuser") as client:
r = client.get("/api/v1/users?field=email&q=findme", json=True)
assert r.status_code == 400
assert r.get_json()["errors"].get("field")
with login_as_user(app, "admin") as client:
r = client.get("/api/v1/users?field=email&q=findme", json=True)
assert r.status_code == 200
assert r.get_json()["data"][0]["id"] == 2
destroy_ctfd(app)
def test_api_user_can_update_password_if_none_not_if_set():
"""Can a user set their password if they do not currently have a password"""
app = create_ctfd()
with app.app_context():
# Create a user with a null password. Use raw SQL to bypass SQLAlchemy validates
register_user(app, name="testuser", email="user@examplectf.com")
db.session.execute("UPDATE users SET password=NULL WHERE name='testuser'")
user = Users.query.filter_by(name="testuser").first()
db.session.commit()
assert user.password is None
with app.test_client() as client:
# Login as user
with client.session_transaction() as sess:
sess["id"] = user.id
r = client.get("/api/v1/users/me", json=True)
assert r.status_code == 200
# Test that user can change password
user = Users.query.filter_by(name="testuser").first()
assert user.password is None
data = {"password": "12345", "confirm": "password"}
r = client.patch("/api/v1/users/me", json=data)
assert r.status_code == 200
# Verify password is now set
user = Users.query.filter_by(name="testuser").first()
assert verify_password(plaintext="12345", ciphertext=user.password)
# Verify that password cannot be changed
data = {"password": "noset", "confirm": "password"}
r = client.patch("/api/v1/users/me", json=data)
resp = r.get_json()
assert resp["errors"]["confirm"] == ["Your previous password is incorrect"]
assert r.status_code == 400
# Verify a regular user cannot patch another user
register_user(
app,
name="testuser2",
email="user2@examplectf.com",
password="testinguser",
)
testuser = Users.query.filter_by(name="testuser2").first()
assert verify_password(
plaintext="testinguser", ciphertext=testuser.password
)
data = {"password": "password", "confirm": "password"}
r = client.patch("/api/v1/users/3", json=data)
assert r.status_code == 403
testuser = Users.query.filter_by(name="testuser2").first()
assert verify_password(
plaintext="testinguser", ciphertext=testuser.password
)
destroy_ctfd(app)