def test_api_team_place_hidden_if_scores_hidden():
"""/api/v1/teams/me should not reveal team place if scores aren't visible"""
app = create_ctfd(user_mode="teams")
with app.app_context():
gen_team(app.db)
app.db.session.commit()
gen_award(app.db, user_id=2, team_id=1)
u = Users.query.filter_by(id=2).first()
with login_as_user(app, name=u.name) as client:
r = client.get("/api/v1/teams/me", json="")
resp = r.get_json()
assert resp["data"]["place"] == "1st"
set_config("score_visibility", "hidden")
with login_as_user(app, name=u.name) as client:
r = client.get("/api/v1/teams/me", json="")
resp = r.get_json()
assert resp["data"]["place"] is None
set_config("score_visibility", "admins")
with login_as_user(app, name=u.name) as client:
r = client.get("/api/v1/teams/me", json="")
resp = r.get_json()
assert resp["data"]["place"] is None
with login_as_user(app, name="admin") as client:
r = client.get("/api/v1/teams/1", json="")
resp = r.get_json()
print(resp)
assert resp["data"]["place"] == "1st"
destroy_ctfd(app)
def test_num_teams_limit():
"""Only num_teams teams can be created"""
app = create_ctfd(user_mode="teams")
with app.app_context():
set_config("num_teams", 1)
# Create a team
gen_team(app.db, member_count=1)
register_user(app)
with login_as_user(app) as client:
r = client.get("/teams/new")
assert r.status_code == 403
# team should be blocked from creation
with client.session_transaction() as sess:
data = {
"name": "team1",
"password": "******",
"nonce": sess.get("nonce"),
}
r = client.post("/teams/new", data=data)
resp = r.get_data(as_text=True)
assert Teams.query.count() == 1
assert "Reached the maximum number of teams" in resp
# Can the team be created after the num has been bumped
set_config("num_teams", 2)
r = client.post("/teams/new", data=data)
resp = r.get_data(as_text=True)
assert Teams.query.count() == 2
destroy_ctfd(app)
def test_teams_join_when_already_on_team():
"""Test that a user cannot join another team"""
app = create_ctfd(user_mode="teams")
with app.app_context():
gen_user(app.db, name="user")
gen_team(app.db, email="*****@*****.**", name="team1")
gen_team(app.db, email="*****@*****.**", name="team2")
with login_as_user(app) as client:
r = client.get("/teams/join")
assert r.status_code == 200
with client.session_transaction() as sess:
data = {
"name": "team1",
"password": "******",
"nonce": sess.get("nonce"),
}
r = client.post("/teams/join", data=data)
assert r.status_code == 302
# Try to join another team while on a team
r = client.get("/teams/join")
assert r.status_code == 200
with client.session_transaction() as sess:
data = {
"name": "team2",
"password": "******",
"nonce": sess.get("nonce"),
}
r = client.post("/teams/join", data=data)
assert r.status_code == 403
user = Users.query.filter_by(name="user").first()
assert user.team.name == "team1"
destroy_ctfd(app)
def test_api_team_patch_non_admin():
"""Can a user patch /api/v1/teams/<team_id> if not admin"""
app = create_kmactf(user_mode="teams")
with app.app_context():
gen_team(app.db)
with app.test_client() as client:
r = client.patch("/api/v1/teams/1", json="")
assert r.status_code == 403
destroy_kmactf(app)
def test_api_team_delete_non_admin():
"""Can a user delete /api/v1/teams/<team_id> if not admin"""
app = create_ctfd(user_mode="teams")
with app.app_context():
gen_team(app.db)
with app.test_client() as client:
r = client.delete('/api/v1/teams/1', json="")
assert r.status_code == 403
destroy_ctfd(app)
def test_api_accessing_hidden_banned_users():
"""Hidden/Banned users should not be visible to normal users, only to admins"""
app = create_ctfd(user_mode="teams")
with app.app_context():
register_user(app)
register_user(app, name="user2", email="*****@*****.**")
register_user(app, name="visible_user", email="*****@*****.**")
user = Users.query.filter_by(id=2).first()
team = gen_team(app.db,
name="hidden_team",
email="*****@*****.**",
hidden=True)
team.members.append(user)
user.team_id = team.id
app.db.session.commit()
user = Users.query.filter_by(id=3).first()
team = gen_team(app.db,
name="banned_team",
email="*****@*****.**",
banned=True)
team.members.append(user)
user.team_id = team.id
app.db.session.commit()
with login_as_user(app, name="visible_user") as client:
list_teams = client.get("/api/v1/teams").get_json()["data"]
assert len(list_teams) == 0
assert client.get("/api/v1/teams/1").status_code == 404
assert client.get("/api/v1/teams/1/solves").status_code == 404
assert client.get("/api/v1/teams/1/fails").status_code == 404
assert client.get("/api/v1/teams/1/awards").status_code == 404
assert client.get("/api/v1/teams/2").status_code == 404
assert client.get("/api/v1/teams/2/solves").status_code == 404
assert client.get("/api/v1/teams/2/fails").status_code == 404
assert client.get("/api/v1/teams/2/awards").status_code == 404
with login_as_user(app, name="admin") as client:
# Admins see hidden teams in lists
list_users = client.get(
"/api/v1/teams?view=admin").get_json()["data"]
assert len(list_users) == 2
assert client.get("/api/v1/teams/1").status_code == 200
assert client.get("/api/v1/teams/1/solves").status_code == 200
assert client.get("/api/v1/teams/1/fails").status_code == 200
assert client.get("/api/v1/teams/1/awards").status_code == 200
assert client.get("/api/v1/teams/2").status_code == 200
assert client.get("/api/v1/teams/2/solves").status_code == 200
assert client.get("/api/v1/teams/2/fails").status_code == 200
assert client.get("/api/v1/teams/2/awards").status_code == 200
destroy_ctfd(app)
def test_api_team_delete_admin():
"""Can a user patch /api/v1/teams/<team_id> if admin"""
app = create_ctfd(user_mode="teams")
with app.app_context():
gen_team(app.db)
with login_as_user(app, 'admin') as client:
r = client.delete('/api/v1/teams/1', json="")
assert r.status_code == 200
assert r.get_json().get('data') is None
destroy_ctfd(app)
def test_import_ctf():
"""Test that CTFd can import a CTF"""
app = create_ctfd()
if not app.config.get("SQLALCHEMY_DATABASE_URI").startswith("sqlite"):
with app.app_context():
base_user = "******"
for x in range(10):
user = base_user + str(x)
user_email = user + "@ctfd.io"
gen_user(app.db, name=user, email=user_email)
base_team = "team"
for x in range(5):
team = base_team + str(x)
team_email = team + "@ctfd.io"
gen_team(app.db, name=team, email=team_email)
for x in range(9):
chal = gen_challenge(app.db, name="chal_name{}".format(x))
gen_flag(app.db, challenge_id=chal.id, content="flag")
chal = gen_challenge(app.db,
name="chal_name10",
requirements={"prerequisites": [1]})
gen_flag(app.db, challenge_id=chal.id, content="flag")
app.db.session.commit()
backup = export_ctf()
with open("export.test_import_ctf.zip", "wb") as f:
f.write(backup.read())
destroy_ctfd(app)
app = create_ctfd()
# TODO: These databases should work but they don't...
if not app.config.get("SQLALCHEMY_DATABASE_URI").startswith("sqlite"):
with app.app_context():
import_ctf("export.test_import_ctf.zip")
if not app.config.get("SQLALCHEMY_DATABASE_URI").startswith(
"postgres"):
# TODO: Dig deeper into why Postgres fails here
assert Users.query.count() == 31
assert Teams.query.count() == 5
assert Challenges.query.count() == 10
assert Flags.query.count() == 10
chal = Challenges.query.filter_by(name="chal_name10").first()
assert chal.requirements == {"prerequisites": [1]}
destroy_ctfd(app)
def test_admin_access():
"""Can a user access admin pages?"""
app = create_ctfd()
with app.app_context():
gen_page(app.db, title="title", route="/route", content="content")
gen_challenge(app.db)
gen_team(app.db)
routes = [
"/admin/challenges/new",
"/admin/export/csv",
# '/admin/pages/preview',
"/admin/pages/new",
"/admin/teams/new",
"/admin/users/new",
"/admin/notifications",
"/admin/challenges",
"/admin/scoreboard",
"/admin/statistics",
"/admin/export",
"/admin/config",
"/admin/pages",
"/admin/teams",
"/admin/users",
"/admin",
"/admin/submissions/correct",
"/admin/submissions/incorrect",
"/admin/submissions",
"/admin/challenges/1",
# '/admin/plugins/<plugin>',
"/admin/pages/1",
"/admin/teams/1",
"/admin/users/1",
]
register_user(app)
client = login_as_user(app)
for route in routes:
r = client.get(route)
assert r.status_code == 302
assert r.location.startswith("http://localhost/login")
admin = login_as_user(app, name="admin")
routes.remove("/admin")
routes.remove("/admin/export/csv")
routes.remove("/admin/export")
for route in routes:
r = admin.get(route)
assert r.status_code == 200
destroy_ctfd(app)
def test_teams_dont_prevent_other_teams_from_unlocking_hints():
"""Unlocks from one user don't affect other users"""
app = create_ctfd(user_mode="teams")
with app.app_context():
chal = gen_challenge(app.db)
gen_hint(app.db,
chal.id,
content="This is a hint",
cost=1,
type="standard")
team1 = gen_team(app.db, name="team1", email="*****@*****.**")
team2 = gen_team(app.db, name="team2", email="*****@*****.**")
# Give users points with an award
gen_award(app.db, user_id=team1.captain_id)
gen_award(app.db, user_id=team2.captain_id)
captain1 = team1.captain.name
captain2 = team2.captain.name
app.db.session.commit()
# First team unlocks hint
with login_as_user(app, name=captain1) as client:
r = client.get("/api/v1/hints/1")
assert r.status_code == 200
r = client.post("/api/v1/unlocks",
json={
"target": 1,
"type": "hints"
})
assert r.status_code == 200
r = client.get("/api/v1/hints/1")
assert r.status_code == 200
# Second team unlocks hint
with login_as_user(app, name=captain2) as client:
r = client.get("/api/v1/hints/1")
assert r.status_code == 200
r = client.post("/api/v1/unlocks",
json={
"target": 1,
"type": "hints"
})
assert r.status_code == 200
r = client.get("/api/v1/hints/1")
assert r.status_code == 200
destroy_ctfd(app)
def test_api_user_patch_team_id():
"""Users can't patch their team_id directly"""
app = create_ctfd()
with app.app_context():
register_user(app)
gen_team(app.db)
with login_as_user(app) as client:
data = {
"team_id": 1,
}
r = client.patch("/api/v1/users/me", json=data)
data = r.get_json()
assert data["data"]["team_id"] is None
destroy_ctfd(app)
def test_team_size_limit():
"""Only team_size amount of members can join a team even via MLC"""
app = create_kmactf(user_mode="teams")
app.config.update({
"OAUTH_CLIENT_ID": "kmactf_testing_client_id",
"OAUTH_CLIENT_SECRET": "kmactf_testing_client_secret",
"OAUTH_AUTHORIZATION_ENDPOINT":
"http://auth.localhost/oauth/authorize",
"OAUTH_TOKEN_ENDPOINT": "http://auth.localhost/oauth/token",
"OAUTH_API_ENDPOINT": "http://api.localhost/user",
})
with app.app_context():
set_config("team_size", 1)
team = gen_team(app.db, member_count=1, oauth_id=1234)
team_id = team.id
login_with_mlc(app,
team_name="team_name",
team_oauth_id=1234,
raise_for_error=False)
assert len(Teams.query.filter_by(id=team_id).first().members) == 1
set_config("team_size", 2)
login_with_mlc(app, team_name="team_name", team_oauth_id=1234)
assert len(Teams.query.filter_by(id=team_id).first().members) == 2
destroy_kmactf(app)
def test_api_team_get_public():
"""Can a user get /api/v1/team/<team_id> if teams are public"""
app = create_ctfd(user_mode="teams")
with app.app_context():
with app.test_client() as client:
set_config('account_visibility', 'public')
gen_team(app.db)
r = client.get('/api/v1/teams/1')
assert r.status_code == 200
set_config('account_visibility', 'private')
r = client.get('/api/v1/teams/1')
assert r.status_code == 302
set_config('account_visibility', 'admins')
r = client.get('/api/v1/teams/1')
assert r.status_code == 404
destroy_ctfd(app)
def test_api_users_can_change_captain_on_self_team():
"""Can admins/captains change captains for their own team"""
app = create_ctfd(user_mode="teams")
with app.app_context():
user1 = gen_user(app.db, name="user1", email="*****@*****.**") # ID 2
user2 = gen_user(app.db, name="user2", email="*****@*****.**") # ID 3
team = gen_team(app.db)
team.members.append(user1)
team.members.append(user2)
team.captain_id = 2
user1.team_id = team.id
user2.team_id = team.id
app.db.session.commit()
# I am not the captain
with login_as_user(app, name="user2") as client:
r = client.patch("/api/v1/teams/me", json={"captain_id": 3})
assert r.status_code == 403
# Look at me, I'm the captain now
with login_as_user(app, name="user1") as client:
r = client.patch("/api/v1/teams/me", json={"captain_id": 3})
resp = r.get_json()
assert resp["data"]["captain_id"] == 3
assert r.status_code == 200
destroy_ctfd(app)
def test_api_team_patch_me_logged_in_admin_captain():
"""Can an admin patch /api/v1/teams/me if logged in as a team captain"""
app = create_ctfd(user_mode="teams")
with app.app_context():
admin = Users.query.filter_by(id=1).first()
user = gen_user(app.db)
team = gen_team(app.db)
team.members.append(user)
team.members.append(admin)
user.team_id = team.id
admin.team_id = team.id
# We want the admin to be the captain
team.captain_id = 1
app.db.session.commit()
with login_as_user(app, name="admin") as client:
# Users can't null out their team name
r = client.patch("/api/v1/teams/me", json={"name": None})
resp = r.get_json()
assert r.status_code == 400
assert resp["errors"]["name"] == ["Field may not be null."]
r = client.patch("/api/v1/teams/me",
json={
"name": "team_name",
"affiliation": "changed"
})
assert r.status_code == 200
team = Teams.query.filter_by(id=1).first()
assert team.name == "team_name"
destroy_ctfd(app)
def test_api_team_remove_members():
"""Can a user remove /api/v1/teams/<team_id>/members only if admin"""
app = create_ctfd(user_mode="teams")
with app.app_context():
team = gen_team(app.db)
assert len(team.members) == 4
app.db.session.commit()
gen_user(app.db, name="user1")
with login_as_user(app, name="user1") as client:
r = client.delete("/api/v1/teams/1/members", json={"user_id": 2})
assert r.status_code == 403
with login_as_user(app, name="admin") as client:
r = client.delete("/api/v1/teams/1/members", json={"user_id": 2})
assert r.status_code == 200
resp = r.get_json()
# The following data is sorted b/c in Postgres data isn't necessarily returned ordered.
assert sorted(resp["data"]) == sorted([3, 4, 5])
r = client.delete("/api/v1/teams/1/members", json={"user_id": 2})
resp = r.get_json()
assert "User is not part of this team" in resp["errors"]["id"]
assert r.status_code == 400
destroy_ctfd(app)
def test_api_admin_can_change_captain():
"""Can admins/captains change captains for teams"""
app = create_ctfd(user_mode="teams")
with app.app_context():
user1 = gen_user(app.db, name="user1", email="*****@*****.**") # ID 2
user2 = gen_user(app.db, name="user2", email="*****@*****.**") # ID 3
team = gen_team(app.db)
team.members.append(user1)
team.members.append(user2)
team.captain_id = 2
user1.team_id = team.id
user2.team_id = team.id
app.db.session.commit()
# I am not the captain
with login_as_user(app, name="user2") as client:
r = client.patch("/api/v1/teams/1", json={"captain_id": 3})
assert r.status_code == 403
# Look at me, I'm the captain now
with login_as_user(app, name="user1") as client:
r = client.patch("/api/v1/teams/1", json={"captain_id": 3})
# We should still receive a 403 because admins are the only people who can change captains for specific teams
assert r.status_code == 403
# Escalate to admin
with login_as_user(app, name="admin") as client:
r = client.patch("/api/v1/teams/1", json={"captain_id": 3})
resp = r.get_json()
assert resp["data"]["captain_id"] == 3
assert r.status_code == 200
destroy_ctfd(app)
def test_api_removing_members_deletes_information():
"""If an admin removes a user, their score information should also be removed"""
app = create_ctfd(user_mode="teams")
with app.app_context():
team = gen_team(app.db)
assert len(team.members) == 4
app.db.session.commit()
user = Users.query.filter_by(id=2).first()
simulate_user_activity(app.db, user)
assert Solves.query.filter_by(user_id=2).count() == 1
assert Submissions.query.filter_by(user_id=2).count() == 6
assert Awards.query.filter_by(user_id=2).count() == 1
assert Unlocks.query.filter_by(user_id=2).count() == 1
with login_as_user(app, name="admin") as client:
r = client.delete("/api/v1/teams/1/members", json={"user_id": 2})
assert r.status_code == 200
user = Users.query.filter_by(id=2).first()
assert Solves.query.filter_by(user_id=2).count() == 0
assert Submissions.query.filter_by(user_id=2).count() == 0
assert Awards.query.filter_by(user_id=2).count() == 0
assert Unlocks.query.filter_by(user_id=2).count() == 0
destroy_ctfd(app)
def test_challenge_team_submit():
"""Is a user's solved challenge reflected by other team members"""
app = create_ctfd(user_mode="teams")
with app.app_context():
user = gen_user(app.db)
second_user = gen_user(app.db, name="user", email='*****@*****.**')
team = gen_team(app.db)
user.team_id = team.id
second_user.team_id = team.id
team.members.append(user)
team.members.append(second_user)
gen_challenge(app.db)
gen_flag(app.db, 1)
app.db.session.commit()
with login_as_user(app, name="user_name") as client:
flag = {"challenge_id": 1, "submission": "flag"}
client.post('/api/v1/challenges/attempt', json=flag)
with login_as_user(app) as second_client:
flag = {"challenge_id": 1, "submission": "flag"}
r = second_client.post('/api/v1/challenges/attempt', json=flag)
assert r.json['data']['status'] == 'already_solved'
standings = get_standings()
assert standings[0][2] == "team_name"
assert standings[0][3] == 100
destroy_ctfd(app)
def test_api_team_captain_disbanding():
"""Test that only team captains can disband teams"""
app = create_ctfd(user_mode="teams")
with app.app_context():
user = gen_user(app.db, name="user")
team = gen_team(app.db)
team.members.append(user)
user.team_id = team.id
team.captain_id = 2
user2 = gen_user(app.db, name="user2", email="*****@*****.**")
team.members.append(user2)
app.db.session.commit()
with login_as_user(app, name="user2") as client:
r = client.delete("/api/v1/teams/me", json="")
assert r.status_code == 403
assert r.get_json() == {
"success": False,
"errors": {
"": ["Only team captains can disband their team"]
},
}
with login_as_user(app) as client:
r = client.delete("/api/v1/teams/me", json="")
assert r.status_code == 200
assert r.get_json() == {
"success": True,
}
destroy_ctfd(app)
def test_api_team_get_admin():
"""Can a user get /api/v1/teams/<team_id> if teams are viewed by admins only"""
app = create_ctfd(user_mode="teams")
with app.app_context():
with login_as_user(app, 'admin') as client:
gen_team(app.db)
set_config('account_visibility', 'public')
r = client.get('/api/v1/teams/1')
assert r.status_code == 200
set_config('account_visibility', 'private')
r = client.get('/api/v1/teams/1')
assert r.status_code == 200
set_config('account_visibility', 'admins')
r = client.get('/api/v1/teams/1')
assert r.status_code == 200
destroy_ctfd(app)
def test_api_team_patch_me_logged_in_admin_captain():
"""Can an admin patch /api/v1/teams/me if logged in as a team captain"""
app = create_ctfd(user_mode="teams")
with app.app_context():
admin = Users.query.filter_by(id=1).first()
user = gen_user(app.db)
team = gen_team(app.db)
team.members.append(user)
team.members.append(admin)
user.team_id = team.id
admin.team_id = team.id
# We want the admin to be the captain
team.captain_id = 1
app.db.session.commit()
with login_as_user(app, name="admin") as client:
r = client.patch('/api/v1/teams/me',
json={
"name": "team_name",
"affiliation": "changed"
})
assert r.status_code == 200
team = Teams.query.filter_by(id=1).first()
assert team.name == "team_name"
destroy_ctfd(app)
def test_team_size_limit():
"""Only team_size amount of members can join a team"""
app = create_ctfd(user_mode="teams")
with app.app_context():
set_config("team_size", 1)
# Create a team with only one member
team = gen_team(app.db, member_count=1)
team_id = team.id
register_user(app)
with login_as_user(app) as client:
r = client.get("/teams/join")
assert r.status_code == 200
# User should be blocked from joining
with client.session_transaction() as sess:
data = {
"name": "team_name",
"password": "******",
"nonce": sess.get("nonce"),
}
r = client.post("/teams/join", data=data)
resp = r.get_data(as_text=True)
assert len(Teams.query.filter_by(id=team_id).first().members) == 1
assert "already reached the team size limit of 1" in resp
# Can the user join after the size has been bumped
set_config("team_size", 2)
r = client.post("/teams/join", data=data)
resp = r.get_data(as_text=True)
assert len(Teams.query.filter_by(id=team_id).first().members) == 2
destroy_ctfd(app)
def test_api_team_get_admin():
"""Can a user get /api/v1/teams/<team_id> if teams are viewed by admins only"""
app = create_kmactf(user_mode="teams")
with app.app_context():
with login_as_user(app, "admin") as client:
gen_team(app.db)
set_config("account_visibility", "public")
r = client.get("/api/v1/teams/1")
assert r.status_code == 200
set_config("account_visibility", "private")
r = client.get("/api/v1/teams/1")
assert r.status_code == 200
set_config("account_visibility", "admins")
r = client.get("/api/v1/teams/1")
assert r.status_code == 200
destroy_kmactf(app)
def test_team_invite_codes():
app = create_ctfd(user_mode="teams")
with app.app_context():
team1 = gen_team(app.db, name="team1", email="*****@*****.**")
with freeze_time("2017-10-7 00:00:00"):
invite_code = team1.get_invite_code()
team = Teams.load_invite_code(invite_code)
assert team.id == team1.id
with freeze_time("2017-10-8 00:00:01"):
try:
team = Teams.load_invite_code(invite_code)
except TeamTokenExpiredException:
# This token should be expired and we shouldn't get a team object back
pass
else:
print("Token should have expired")
raise Exception
# Change team's password
team.password = "******"
app.db.session.commit()
with freeze_time("2017-10-7 00:00:00"):
try:
team = Teams.load_invite_code(invite_code)
except TeamTokenInvalidException:
pass
else:
print("Token should have been invalidated by password change")
raise Exception
destroy_ctfd(app)
def test_api_team_get_public():
"""Can a user get /api/v1/team/<team_id> if teams are public"""
app = create_kmactf(user_mode="teams")
with app.app_context():
with app.test_client() as client:
set_config("account_visibility", "public")
gen_team(app.db)
r = client.get("/api/v1/teams/1")
assert r.status_code == 200
set_config("account_visibility", "private")
r = client.get("/api/v1/teams/1")
assert r.status_code == 302
set_config("account_visibility", "admins")
r = client.get("/api/v1/teams/1")
assert r.status_code == 404
destroy_kmactf(app)
def test_api_user_without_team_challenge_interaction():
"""Can a user interact with challenges without having joined a team?"""
app = create_ctfd(user_mode="teams")
with app.app_context():
register_user(app)
gen_challenge(app.db)
gen_flag(app.db, 1)
with login_as_user(app) as client:
assert client.get('/api/v1/challenges').status_code == 403
assert client.get('/api/v1/challenges/1').status_code == 403
assert client.post('/api/v1/challenges/attempt',
json={
"challenge_id": 1,
"submission": "wrong_flag"
}).status_code == 403
# Create a user with a team
user = gen_user(app.db, email='*****@*****.**')
team = gen_team(app.db)
team.members.append(user)
user.team_id = team.id
app.db.session.commit()
# Test if user with team can interact with challenges
with login_as_user(app, name="user_name") as client:
assert client.get('/api/v1/challenges').status_code == 200
assert client.get('/api/v1/challenges/1').status_code == 200
assert client.post('/api/v1/challenges/attempt',
json={
"challenge_id": 1,
"submission": "flag"
}).status_code == 200
destroy_ctfd(app)
def test_hint_team_unlock():
"""Is a user's unlocked hint reflected on other team members"""
app = create_kmactf(user_mode="teams")
with app.app_context():
user = gen_user(app.db)
second_user = gen_user(app.db, name="user", email="*****@*****.**")
team = gen_team(app.db)
user.team_id = team.id
second_user.team_id = team.id
team.members.append(user)
team.members.append(second_user)
chal = gen_challenge(app.db)
gen_hint(app.db, chal.id, content="hint", cost=1, type="standard")
gen_award(app.db, 2, team.id)
app.db.session.commit()
with login_as_user(app, name="user_name") as client:
client.get("/api/v1/hints/1")
client.post("/api/v1/unlocks", json={"target": 1, "type": "hints"})
client.get("/api/v1/hints/1")
with login_as_user(app) as second_client:
second_client.get("/api/v1/hints/1")
second_client.post("/api/v1/unlocks",
json={
"target": 1,
"type": "hints"
})
r = second_client.get("/api/v1/hints/1")
assert r.json["data"]["content"] == "hint"
standings = get_standings()
assert standings[0][2] == "team_name"
assert standings[0][3] == 99
destroy_kmactf(app)
def test_hint_team_unlocking_without_points():
"""Test that teams cannot enter negative point valuations from unlocking hints"""
app = create_ctfd(user_mode="teams")
with app.app_context():
user = gen_user(app.db)
second_user = gen_user(app.db,
name="user",
email="*****@*****.**")
team = gen_team(app.db)
user.team_id = team.id
second_user.team_id = team.id
team.members.append(user)
team.members.append(second_user)
chal = gen_challenge(app.db)
gen_hint(app.db, chal.id, content="hint", cost=1, type="standard")
app.db.session.commit()
with login_as_user(app, name="user_name") as client:
# Assert that we don't see a hint
r = client.get("/api/v1/hints/1")
assert r.get_json()["data"].get("content") is None
# Attempt to unlock the hint
r = client.post("/api/v1/unlocks",
json={
"target": 1,
"type": "hints"
})
assert r.status_code == 400
assert (r.get_json()["errors"]["score"] ==
"You do not have enough points to unlock this hint")
destroy_ctfd(app)
def test_api_team_remove_members():
"""Can a user remove /api/v1/teams/<team_id>/members only if admin"""
app = create_ctfd(user_mode="teams")
with app.app_context():
user1 = gen_user(app.db, name="user1", email="*****@*****.**") # ID 2
user2 = gen_user(app.db, name="user2", email="*****@*****.**") # ID 3
team = gen_team(app.db)
team.members.append(user1)
team.members.append(user2)
user1.team_id = team.id
user2.team_id = team.id
app.db.session.commit()
with login_as_user(app, name="user1") as client:
r = client.delete('/api/v1/teams/1/members', json={'id': 2})
assert r.status_code == 403
with login_as_user(app, name="admin") as client:
r = client.delete('/api/v1/teams/1/members', json={'id': 2})
assert r.status_code == 200
resp = r.get_json()
assert resp['data'] == [3]
r = client.delete('/api/v1/teams/1/members', json={'id': 2})
resp = r.get_json()
assert 'User is not part of this team' in resp['errors']['id']
assert r.status_code == 400
destroy_ctfd(app)
