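def test_api_removing_members_deletes_information():
    """Removing a team member must also purge that member's score data.

    An admin calls ``DELETE /api/v1/teams/1/members`` for user 2. Afterwards the
    user's Solves, Submissions, Awards and Unlocks must be gone (otherwise a
    removed player's points would still count towards the team), while the
    account itself survives with its team link cleared.
    """
    app = create_ctfd(user_mode="teams")
    with app.app_context():
        team = gen_team(app.db)
        assert len(team.members) == 4
        app.db.session.commit()

        user = Users.query.filter_by(id=2).first()
        # Seed score-bearing rows for user 2 so the purge below is observable.
        simulate_user_activity(app.db, user)
        assert Solves.query.filter_by(user_id=2).count() == 1
        assert Submissions.query.filter_by(user_id=2).count() == 6
        assert Awards.query.filter_by(user_id=2).count() == 1
        assert Unlocks.query.filter_by(user_id=2).count() == 1

        with login_as_user(app, name="admin") as client:
            r = client.delete("/api/v1/teams/1/members", json={"user_id": 2})
            assert r.status_code == 200

        # The account is kept; only its membership and its score data are removed.
        user = Users.query.filter_by(id=2).first()
        assert user is not None
        assert user.team_id is None
        assert Solves.query.filter_by(user_id=2).count() == 0
        assert Submissions.query.filter_by(user_id=2).count() == 0
        assert Awards.query.filter_by(user_id=2).count() == 0
        assert Unlocks.query.filter_by(user_id=2).count() == 0
    destroy_ctfd(app)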
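def test_browse_admin_submissions():
    """An admin can browse the submissions pages and filter them.

    Covers ``/admin/submissions``, its ``correct`` and ``incorrect`` views and a
    ``field``/``q`` filter on ``challenge_id``. Each page must render (200) and
    list the user whose activity was simulated.
    """
    app = create_ctfd()
    with app.app_context():
        register_user(app, name="RegisteredUser")
        user = Users.query.filter_by(id=2).first()
        simulate_user_activity(app.db, user)

        admin = login_as_user(app, name="admin", password="******")

        # Only plain substring checks are practical here: "incorrect" contains
        # "correct", and the navbar itself carries both words, so exact counts
        # of correct/incorrect rows cannot be asserted from the HTML.
        r = admin.get("/admin/submissions")
        assert r.status_code == 200
        page = r.get_data(as_text=True)
        assert "RegisteredUser" in page
        assert "correct" in page
        assert "incorrect" in page

        r = admin.get("/admin/submissions/correct")
        assert r.status_code == 200
        page = r.get_data(as_text=True)
        assert "RegisteredUser" in page
        assert "correct" in page

        r = admin.get("/admin/submissions/incorrect")
        assert r.status_code == 200
        assert "RegisteredUser" in r.get_data(as_text=True)

        # Filtering by challenge id must still surface the user's submissions.
        r = admin.get("/admin/submissions/correct?field=challenge_id&q=1")
        assert r.status_code == 200
        assert "RegisteredUser" in r.get_data(as_text=True)
    destroy_ctfd(app)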
def test_api_user_place_hidden_if_scores_hidden():
    """/api/v1/users/me must not expose the caller's place unless scores are visible.

    Under the default visibility the user sees "1st". With ``score_visibility``
    set to "hidden" or "admins" the ``place`` field is None for the user, while
    an admin requesting /api/v1/users/2 still receives the real place.
    """
    app = create_ctfd()
    with app.app_context():
        register_user(app)
        user = Users.query.filter_by(id=2).first()
        simulate_user_activity(app.db, user=user)

        def own_place():
            # Fetch the caller's own record as the regular user and return its place.
            with login_as_user(app, name="user") as client:
                r = client.get("/api/v1/users/me", json="")
                return r.get_json()["data"]["place"]

        # Default visibility: the user may see their own rank.
        assert own_place() == "1st"

        # Both restricted modes must blank the rank for a non-admin.
        for visibility in ("hidden", "admins"):
            set_config("score_visibility", visibility)
            assert own_place() is None

        # Admins keep full visibility of other users' placement.
        with login_as_user(app, name="admin") as client:
            r = client.get("/api/v1/users/2", json="")
            assert r.get_json()["data"]["place"] == "1st"
    destroy_ctfd(app)
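def test_api_user_delete_admin():
    """An admin can DELETE /api/v1/users/<user_id>, and the user's data goes with it.

    The response carries no ``data`` payload, the Users row is gone, and the
    score-bearing rows created by ``simulate_user_activity`` (Solves,
    Submissions, Awards, Unlocks) no longer reference the deleted id.
    """
    app = create_ctfd()
    with app.app_context():
        register_user(app)
        user = Users.query.filter_by(id=2).first()
        simulate_user_activity(app.db, user=user)
        with login_as_user(app, "admin") as client:
            r = client.delete("/api/v1/users/2", json="")
            assert r.status_code == 200
            assert r.get_json().get("data") is None
        assert Users.query.filter_by(id=2).first() is None
        # No orphaned score data may survive the account deletion.
        assert Solves.query.filter_by(user_id=2).count() == 0
        assert Submissions.query.filter_by(user_id=2).count() == 0
        assert Awards.query.filter_by(user_id=2).count() == 0
        assert Unlocks.query.filter_by(user_id=2).count() == 0
    destroy_ctfd(app)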
def test_api_statistics_score_distribution():
    """/api/v1/statistics/scores/distribution returns empty brackets with no data
    and non-empty brackets once a user has scored."""
    app = create_ctfd()
    with app.app_context():
        admin = login_as_user(app, name="admin", password="******")
        endpoint = "/api/v1/statistics/scores/distribution"

        # Zero-data case: no users, so no score brackets at all.
        brackets = admin.get(endpoint).get_json()["data"]["brackets"]
        assert brackets == {}

        # Add a user with some activity and check the distribution fills in.
        register_user(app)
        user = Users.query.filter_by(email="*****@*****.**").first()
        simulate_user_activity(app.db, user=user)

        brackets = admin.get(endpoint).get_json()["data"]["brackets"]
        assert brackets
    destroy_ctfd(app)
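def test_admins_can_see_scores_with_hidden_scores():
    """Admins still see scores when ``score_visibility`` is "hidden".

    A regular user may read their own solves/fails but gets 403 on another
    user's solves/fails, the HTML scoreboard and the scoreboard API. An admin
    gets 200 on all of them, and the HTML scoreboard carries the banner telling
    the admin that users cannot currently see scores.
    """
    app = create_ctfd()
    with app.app_context():
        register_user(app)
        user = Users.query.filter_by(id=2).first()
        simulate_user_activity(app.db, user=user)

        admin = login_as_user(app, name="admin", password="******")
        # Separate name for the client so it does not shadow the Users row above.
        player = login_as_user(app)

        set_config("score_visibility", "hidden")

        # Users can see their own data
        r = player.get("/api/v1/users/me/fails", json="")
        assert r.status_code == 200
        r = player.get("/api/v1/users/me/solves", json="")
        assert r.status_code == 200

        # Users cannot see other users' data or the scoreboard
        r = player.get("/api/v1/users/2/solves", json="")
        assert r.status_code == 403
        r = player.get("/api/v1/users/2/fails", json="")
        assert r.status_code == 403
        r = player.get("/scoreboard")
        assert r.status_code == 403
        r = player.get("/api/v1/scoreboard", json="")
        assert r.status_code == 403

        # Admins can see user data
        r = admin.get("/api/v1/users/2/fails", json="")
        assert r.status_code == 200

        # Admins can see the HTML scoreboard, with a notice about hidden scores
        r = admin.get("/scoreboard")
        assert r.status_code == 200
        assert "Scores are not currently visible to users" in r.get_data(as_text=True)

        # Admins can see the scoreboard API
        r = admin.get("/api/v1/scoreboard", json="")
        assert r.status_code == 200

    destroy_ctfd(app)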
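def test_api_team_delete_admin():
    """An admin can DELETE /api/v1/teams/<team_id>.

    The response carries no ``data`` payload and every former member is left
    without a team (``team_id`` is None), even though each member had activity
    recorded beforehand.
    """
    app = create_ctfd(user_mode="teams")
    with app.app_context():
        team = gen_team(app.db)
        assert len(team.members) == 4

        # Give every member some score data so the deletion has to cope with it.
        for member in team.members:
            simulate_user_activity(app.db, user=member)

        with login_as_user(app, "admin") as client:
            r = client.delete("/api/v1/teams/1", json="")
            assert r.status_code == 200
            assert r.get_json().get("data") is None

        # No user may keep a reference to the deleted team.
        for remaining in Users.query.all():
            assert remaining.team_id is None
    destroy_ctfd(app)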