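def test_api_removing_members_deletes_information():
    """Removing a team member as admin also purges that member's score records.

    After the DELETE on /api/v1/teams/1/members the removed user's solves,
    submissions, awards and unlocks must all be gone, so nothing from the
    departed member can still count towards the team's score.
    """
    app = create_ctfd(user_mode="teams")
    with app.app_context():
        team = gen_team(app.db)
        assert len(team.members) == 4
        app.db.session.commit()

        member = Users.query.filter_by(id=2).first()
        simulate_user_activity(app.db, member)

        # Row counts the activity helper is expected to have produced for user 2
        expected_before = {Solves: 1, Submissions: 6, Awards: 1, Unlocks: 1}
        for model, count in expected_before.items():
            assert model.query.filter_by(user_id=2).count() == count

        with login_as_user(app, name="admin") as client:
            r = client.delete("/api/v1/teams/1/members", json={"user_id": 2})
            assert r.status_code == 200

            # Every table that was populated above must now be empty for user 2
            # (the original re-queried the user here but never used the result)
            for model in expected_before:
                assert model.query.filter_by(user_id=2).count() == 0
    destroy_ctfd(app)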
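def test_browse_admin_submissions():
    """An admin can browse the submissions pages and filter them by result.

    Checks /admin/submissions, its /correct and /incorrect views and a
    field-filtered query; each page must render and mention the registered
    user's name.
    """
    app = create_ctfd()
    with app.app_context():
        register_user(app, name="RegisteredUser")
        user = Users.query.filter_by(id=2).first()
        simulate_user_activity(app.db, user)

        admin = login_as_user(app, name="admin", password="******")

        # It's difficult to do better checks here because we're just doing string search.
        # "incorrect" contains the word "correct" and the navbar has both words in it,
        # so these assertions only prove the pages render, not their exact contents.
        r = admin.get("/admin/submissions")
        assert r.status_code == 200
        page = r.get_data(as_text=True)
        assert "RegisteredUser" in page
        assert "correct" in page
        assert "incorrect" in page

        r = admin.get("/admin/submissions/correct")
        assert r.status_code == 200
        page = r.get_data(as_text=True)
        assert "RegisteredUser" in page
        assert "correct" in page

        r = admin.get("/admin/submissions/incorrect")
        assert r.status_code == 200
        assert "RegisteredUser" in r.get_data(as_text=True)

        r = admin.get("/admin/submissions/correct?field=challenge_id&q=1")
        assert r.status_code == 200
        assert "RegisteredUser" in r.get_data(as_text=True)
    destroy_ctfd(app)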
def test_api_user_place_hidden_if_scores_hidden():
    """/api/v1/users/me should not reveal user place if scores aren't visible"""
    app = create_ctfd()
    with app.app_context():
        register_user(app)
        user = Users.query.filter_by(id=2).first()
        simulate_user_activity(app.db, user=user)

        def own_place():
            # Fetch the logged-in user's own "place" field via the /me endpoint
            with login_as_user(app, name="user") as client:
                r = client.get("/api/v1/users/me", json="")
                return r.get_json()["data"]["place"]

        # Scores visible: the user sees their own ranking
        assert own_place() == "1st"

        # Hidden from everyone: the place field is nulled rather than leaked
        set_config("score_visibility", "hidden")
        assert own_place() is None

        # Admin-only scores: still withheld from the user themselves...
        set_config("score_visibility", "admins")
        assert own_place() is None

        # ...while an admin viewing the user's record still sees the rank
        with login_as_user(app, name="admin") as client:
            r = client.get("/api/v1/users/2", json="")
            assert r.get_json()["data"]["place"] == "1st"
    destroy_ctfd(app)
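def test_api_user_delete_admin():
    """An admin can DELETE /api/v1/users/<user_id>.

    The user is given some activity first so the delete has to cope with
    a user that owns related rows; afterwards the user row must be gone.
    """
    app = create_ctfd()
    with app.app_context():
        register_user(app)
        user = Users.query.filter_by(id=2).first()
        simulate_user_activity(app.db, user=user)

        with login_as_user(app, "admin") as client:
            r = client.delete("/api/v1/users/2", json="")
            assert r.status_code == 200
            # A successful delete carries no payload
            assert r.get_json().get("data") is None
            assert Users.query.filter_by(id=2).first() is None
    destroy_ctfd(app)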
def test_api_statistics_score_distribution():
    """The score distribution endpoint returns empty brackets with no data and
    populated brackets once a user has scoring activity."""
    app = create_ctfd()
    with app.app_context():
        client = login_as_user(app, name="admin", password="******")
        endpoint = "/api/v1/statistics/scores/distribution"

        # With no scoring activity the distribution is empty rather than an error
        brackets = client.get(endpoint).get_json()["data"]["brackets"]
        assert brackets == {}

        # Give one user some activity so there is something to bucket
        register_user(app)
        user = Users.query.filter_by(email="*****@*****.**").first()
        simulate_user_activity(app.db, user=user)

        brackets = client.get(endpoint).get_json()["data"]["brackets"]
        assert brackets
    destroy_ctfd(app)
def test_admins_can_see_scores_with_hidden_scores():
    """Test that admins can see user scores when Score Visibility is set to hidden"""
    app = create_ctfd()
    with app.app_context():
        register_user(app)
        user = Users.query.filter_by(id=2).first()
        simulate_user_activity(app.db, user=user)

        admin = login_as_user(app, name="admin", password="******")
        user = login_as_user(app)
        set_config("score_visibility", "hidden")

        # Users can see their own data
        for own_path in ("/api/v1/users/me/fails", "/api/v1/users/me/solves"):
            assert user.get(own_path, json="").status_code == 200

        # Users cannot see public data: another user's results and the
        # scoreboard are refused outright (403), not returned empty
        assert user.get("/api/v1/users/2/solves", json="").status_code == 403
        assert user.get("/api/v1/users/2/fails", json="").status_code == 403
        assert user.get("/scoreboard").status_code == 403
        assert user.get("/api/v1/scoreboard", json="").status_code == 403

        # Admins can see user data
        assert admin.get("/api/v1/users/2/fails", json="").status_code != 403

        # Admins can see the scoreboard page, which carries the hidden-scores notice
        r = admin.get("/scoreboard")
        assert r.status_code != 403
        assert "Scores are not currently visible to users" in r.get_data(as_text=True)

        # Admins can see the scoreboard API
        assert admin.get("/api/v1/scoreboard", json="").status_code != 403
    destroy_ctfd(app)
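def test_api_team_delete_admin():
    """An admin can DELETE /api/v1/teams/<team_id>.

    Every member is given activity before the delete; afterwards no user
    may still reference the deleted team.
    """
    app = create_ctfd(user_mode="teams")
    with app.app_context():
        team = gen_team(app.db)
        assert len(team.members) == 4
        for member in team.members:
            simulate_user_activity(app.db, user=member)

        with login_as_user(app, "admin") as client:
            r = client.delete("/api/v1/teams/1", json="")
            assert r.status_code == 200
            # A successful delete carries no payload
            assert r.get_json().get("data") is None

            # The team is gone, so no user may be left with a dangling team_id
            for member in Users.query.all():
                assert member.team_id is None
    destroy_ctfd(app)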