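def files(path):
    """
    Route in charge of dealing with making sure that CTF challenges are only
    accessible during the competition.

    Non-challenge files are always served. Challenge files are served to
    logged-in viewers while the CTF runs (admins always, others also after the
    CTF when post-CTF viewing is enabled), and to anonymous requests only when
    a valid signed ``token`` query parameter is presented during the CTF.

    :param path: storage location of the requested file, matched against
        ``Files.location`` (404 when no row matches)
    :return: the uploader's download response for the file; aborts with 403
        when the access rules deny it and 404 when the stored object is gone
    """
    f = Files.query.filter_by(location=path).first_or_404()
    if f.type == "challenge":
        if challenges_visible():
            # Logged-in viewer: admins always pass; everyone else only during
            # the CTF, or afterwards when viewing after the CTF is allowed.
            if current_user.is_admin() is False:
                if not ctftime():
                    if not (ctf_ended() and view_after_ctf()):
                        abort(403)
        else:
            # Challenges are not visible to this viewer: a signed download
            # token is the only way in, and only while the CTF is running.
            if not ctftime():
                abort(403)
            token = request.args.get("token", "")
            try:
                data = unserialize(token, max_age=3600)
            except (BadTimeSignature, SignatureExpired, BadSignature):
                # Expired, tampered or malformed token
                abort(403)
            # unserialize() is also used for other token kinds in this module
            # (reset_password() gets a plain e-mail string back), so a payload
            # that is not a mapping cannot be a file token.
            if not isinstance(data, dict):
                abort(403)
            user_id = data.get("user_id")
            team_id = data.get("team_id")
            file_id = data.get("file_id")
            user = Users.query.filter_by(id=user_id).first()
            team = Teams.query.filter_by(id=team_id).first()
            # The user must exist and not be banned. This runs before any
            # attribute of ``user`` is read, so a token whose user id no longer
            # resolves yields 403 instead of an AttributeError on None.
            if user is None or user.banned:
                abort(403)
            # When challenges are visible to admins only, only admin tokens work
            if (
                get_config(ConfigTypes.CHALLENGE_VISIBILITY) == "admins"
                and user.type != "admin"
            ):
                abort(403)
            # A team is optional, but a banned team is refused
            if team is not None and team.banned:
                abort(403)
            # The token must refer to exactly this file
            if file_id != f.id:
                abort(403)
    uploader = get_uploader()
    try:
        return uploader.download(f.location)
    except IOError:
        abort(404)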
def reset_password(data=None):
    """
    Two-step password reset.

    With ``data`` (the signed token carried by the reset link) the page lets
    the user set a new password. Without it the page asks for an e-mail
    address and, on POST, sends the reset link to it.

    :param data: signed token that unserializes to the account's e-mail
        address, or ``None`` for the "request a reset" form
    :return: a rendered ``reset_password.html`` page, or a redirect to the
        login page after a successful reset
    """
    page = "reset_password.html"

    def error_page(message):
        # Every failure path renders the same template with one error entry
        return render_template(page, errors=[message])

    if data is not None:
        # Second step: the link from the reset e-mail was followed.
        try:
            email_address = unserialize(data, max_age=1800)
        except (BadTimeSignature, SignatureExpired):
            return error_page("Your link has expired")
        except (BadSignature, TypeError, base64.binascii.Error):
            return error_page("Your reset token is invalid")

        method = request.method
        if method == "GET":
            return render_template(page, mode="set")
        if method == "POST":
            password = request.form.get("password", "").strip()
            user = Users.query.filter_by(email=email_address).first_or_404()
            if user.oauth_id:
                return error_page(
                    "Your account was registered via an authentication provider and does not have an associated password. Please login via your authentication provider."
                )
            if not password:
                return error_page("Please pick a longer password")
            user.password = password
            db.session.commit()
            log(
                "logins",
                format="[{date}] {ip} - successful password reset for {name}",
                name=user.name,
            )
            # Session is closed before the alert is sent, as in the original
            # ordering; ``user.email`` is read from the detached instance.
            db.session.close()
            email.password_change_alert(user.email)
            return redirect(url_for("auth.login"))

    if request.method == "POST":
        # First step: the viewer asked for a reset link.
        email_address = request.form["email"].strip()
        user = Users.query.filter_by(email=email_address).first()
        get_errors()
        generic_reply = "If that account exists you will receive an email, please check your inbox"
        if config.can_send_mail() is False:
            return error_page("Email could not be sent due to server misconfiguration")
        if not user:
            return error_page(generic_reply)
        if user.oauth_id:
            # NOTE(review): this reply differs from ``generic_reply``, so the
            # response reveals that an account exists for the address; the
            # generic message would keep the two cases indistinguishable.
            return error_page(
                "The email address associated with this account was registered via an authentication provider and does not have an associated password. Please login via your authentication provider."
            )
        email.forgot_password(email_address)
        return error_page(generic_reply)
    return render_template(page)