def users_listing():
page = abs(request.args.get("page", 1, type=int))
q = request.args.get("q")
if q:
field = request.args.get("field")
users = []
errors = get_errors()
if field == "id":
if q.isnumeric():
users = Users.query.filter(Users.id == q).order_by(
Users.id.asc()).all()
else:
users = []
errors.append("Your ID search term is not numeric")
elif field == "name":
users = (Users.query.filter(Users.name.like(
"%{}%".format(q))).order_by(Users.id.asc()).all())
elif field == "email":
users = (Users.query.filter(Users.email.like(
"%{}%".format(q))).order_by(Users.id.asc()).all())
elif field == "affiliation":
users = (Users.query.filter(
Users.affiliation.like("%{}%".format(q))).order_by(
Users.id.asc()).all())
elif field == "ip":
users = (Users.query.join(
Tracking, Users.id == Tracking.user_id).filter(
Tracking.ip.like("%{}%".format(q))).order_by(
Users.id.asc()).all())
return render_template(
"admin/users/users.html",
users=users,
pages=0,
curr_page=None,
q=q,
field=field,
)
page = abs(int(page))
results_per_page = 50
page_start = results_per_page * (page - 1)
page_end = results_per_page * (page - 1) + results_per_page
users = Users.query.order_by(Users.id.asc()).slice(page_start,
page_end).all()
count = db.session.query(db.func.count(Users.id)).first()[0]
pages = int(count / results_per_page) + (count % results_per_page > 0)
return render_template("admin/users/users.html",
users=users,
pages=pages,
curr_page=page)
def import_ctf():
backup = request.files["backup"]
errors = get_errors()
try:
import_ctf_util(backup)
except Exception as e:
print(e)
errors.append(repr(e))
if errors:
return errors[0], 500
else:
return redirect(url_for("admin.config"))
def new():
infos = get_infos()
errors = get_errors()
if request.method == "GET":
team_size_limit = get_config("team_size", default=0)
if team_size_limit:
plural = "" if team_size_limit == 1 else "s"
infos.append(
"Teams are limited to {limit} member{plural}".format(
limit=team_size_limit, plural=plural
)
)
return render_template("teams/new_team.html", infos=infos, errors=errors)
elif request.method == "POST":
teamname = request.form.get("name", "").strip()
passphrase = request.form.get("password", "").strip()
errors = get_errors()
user = get_current_user()
existing_team = Teams.query.filter_by(name=teamname).first()
if existing_team:
errors.append("That team name is already taken")
if not teamname:
errors.append("That team name is invalid")
if errors:
return render_template("teams/new_team.html", errors=errors)
team = Teams(name=teamname, password=passphrase, captain_id=user.id)
db.session.add(team)
db.session.commit()
user.team_id = team.id
db.session.commit()
return redirect(url_for("challenges.listing"))
def login():
errors = get_errors()
if request.method == "POST":
name = request.form["name"]
captcha_response = request.form['g-recaptcha-response']
if not is_human(captcha_response):
# This user exists but the password is wrong
error_captcha = "The response parameter is missing"
return render_template("login.html", error_captcha=error_captcha)
# Check if the user submitted an email address or a team name
if validators.validate_email(name) is True:
user = Users.query.filter_by(email=name).first()
else:
user = Users.query.filter_by(name=name).first()
if user:
if user and verify_password(request.form["password"],
user.password):
session.regenerate()
login_user(user)
log("logins", "[{date}] {ip} - {name} logged in")
db.session.close()
if request.args.get("next") and validators.is_safe_url(
request.args.get("next")):
return redirect(request.args.get("next"))
return redirect(url_for("challenges.listing"))
else:
# This user exists but the password is wrong
log("logins",
"[{date}] {ip} - submitted invalid password for {name}")
errors.append("Your username or password is incorrect")
db.session.close()
return render_template("login.html", errors=errors)
else:
# This user just doesn't exist
log("logins",
"[{date}] {ip} - submitted invalid account information")
errors.append("Your username or password is incorrect")
db.session.close()
return render_template("login.html", errors=errors)
else:
db.session.close()
return render_template("login.html", errors=errors)
def join():
infos = get_infos()
errors = get_errors()
if request.method == "GET":
team_size_limit = get_config("team_size", default=0)
if team_size_limit:
plural = "" if team_size_limit == 1 else "s"
infos.append(
"Teams are limited to {limit} member{plural}".format(
limit=team_size_limit, plural=plural
)
)
return render_template("teams/join_team.html", infos=infos, errors=errors)
if request.method == "POST":
teamname = request.form.get("name")
passphrase = request.form.get("password", "").strip()
team = Teams.query.filter_by(name=teamname).first()
user = get_current_user()
if team and verify_password(passphrase, team.password):
team_size_limit = get_config("team_size", default=0)
if team_size_limit and len(team.members) >= team_size_limit:
errors.append(
"{name} has already reached the team size limit of {limit}".format(
name=team.name, limit=team_size_limit
)
)
return render_template(
"teams/join_team.html", infos=infos, errors=errors
)
user.team_id = team.id
db.session.commit()
if len(team.members) == 1:
team.captain_id = user.id
db.session.commit()
return redirect(url_for("challenges.listing"))
else:
errors.append("That information is incorrect")
return render_template("teams/join_team.html", infos=infos, errors=errors)
def public(team_id):
errors = get_errors()
team = Teams.query.filter_by(id=team_id, banned=False, hidden=False).first_or_404()
solves = team.get_solves()
awards = team.get_awards()
place = team.place
score = team.score
if errors:
return render_template("teams/public.html", team=team, errors=errors)
return render_template(
"teams/public.html",
solves=solves,
awards=awards,
team=team,
score=score,
place=place,
score_frozen=config.is_scoreboard_frozen(),
)
def setup():
errors = get_errors()
if not config.is_setup():
if not session.get("nonce"):
session["nonce"] = generate_nonce()
if request.method == "POST":
# General
ctf_name = request.form.get("ctf_name")
ctf_description = request.form.get("ctf_description")
user_mode = request.form.get("user_mode", USERS_MODE)
set_config("ctf_name", ctf_name)
set_config("ctf_description", ctf_description)
set_config("user_mode", user_mode)
# Style
theme = request.form.get("ctf_theme", "core")
set_config("ctf_theme", theme)
theme_color = request.form.get("theme_color")
theme_header = get_config("theme_header")
if theme_color and bool(theme_header) is False:
# Uses {{ and }} to insert curly braces while using the format method
css = (
'<style id="theme-color">\n'
":root {{--theme-color: {theme_color};}}\n"
".navbar{{background-color: var(--theme-color) !important;}}\n"
".jumbotron{{background-color: var(--theme-color) !important;}}\n"
"</style>\n").format(theme_color=theme_color)
set_config("theme_header", css)
# DateTime
start = request.form.get("start")
end = request.form.get("end")
set_config("start", start)
set_config("end", end)
set_config("freeze", None)
# Administration
name = request.form["name"]
email = request.form["email"]
password = request.form["password"]
name_len = len(name) == 0
names = Users.query.add_columns("name",
"id").filter_by(name=name).first()
emails = (Users.query.add_columns(
"email", "id").filter_by(email=email).first())
pass_short = len(password) == 0
pass_long = len(password) > 128
valid_email = validators.validate_email(request.form["email"])
team_name_email_check = validators.validate_email(name)
if not valid_email:
errors.append("Please enter a valid email address")
if names:
errors.append("That user name is already taken")
if team_name_email_check is True:
errors.append("Your user name cannot be an email address")
if emails:
errors.append("That email has already been used")
if pass_short:
errors.append("Pick a longer password")
if pass_long:
errors.append("Pick a shorter password")
if name_len:
errors.append("Pick a longer user name")
if len(errors) > 0:
return render_template(
"setup.html",
errors=errors,
name=name,
email=email,
password=password,
state=serialize(generate_nonce()),
)
admin = Admins(name=name,
email=email,
password=password,
type="admin",
hidden=True)
# Index page
index = """<div>
<div style="width: 108.6%;">
<img class="w-100 mx-auto d-block" src="themes/core/static/img/logo1.PNG" />
<img class="w-100 mx-auto d-block" src="themes/core/static/img/logo4.PNG" />
<img class="w-100 mx-auto d-block" src="themes/core/static/img/logo2.PNG" />
</div>
</div>""".format(request.script_root)
page = Pages(title=None, route="index", content=index, draft=False)
# Visibility
set_config("challenge_visibility", "private")
set_config("registration_visibility", "public")
set_config("score_visibility", "public")
set_config("account_visibility", "public")
# Verify emails
set_config("verify_emails", None)
set_config("mail_server", None)
set_config("mail_port", None)
set_config("mail_tls", None)
set_config("mail_ssl", None)
set_config("mail_username", None)
set_config("mail_password", None)
set_config("mail_useauth", None)
# Set up default emails
set_config("verification_email_subject",
DEFAULT_VERIFICATION_EMAIL_SUBJECT)
set_config("verification_email_body",
DEFAULT_VERIFICATION_EMAIL_BODY)
set_config(
"successful_registration_email_subject",
DEFAULT_SUCCESSFUL_REGISTRATION_EMAIL_SUBJECT,
)
set_config(
"successful_registration_email_body",
DEFAULT_SUCCESSFUL_REGISTRATION_EMAIL_BODY,
)
set_config("user_creation_email_subject",
DEFAULT_USER_CREATION_EMAIL_SUBJECT)
set_config("user_creation_email_body",
DEFAULT_USER_CREATION_EMAIL_BODY)
set_config("password_reset_subject",
DEFAULT_PASSWORD_RESET_SUBJECT)
set_config("password_reset_body", DEFAULT_PASSWORD_RESET_BODY)
set_config(
"password_change_alert_subject",
"Password Change Confirmation for {ctf_name}",
)
set_config(
"password_change_alert_body",
("Your password for {ctf_name} has been changed.\n\n"
"If you didn't request a password change you can reset your password here: {url}"
),
)
set_config("setup", True)
try:
db.session.add(admin)
db.session.commit()
except IntegrityError:
db.session.rollback()
try:
db.session.add(page)
db.session.commit()
except IntegrityError:
db.session.rollback()
login_user(admin)
db.session.close()
with app.app_context():
cache.clear()
return redirect(url_for("views.static_html"))
return render_template(
"setup.html",
nonce=session.get("nonce"),
state=serialize(generate_nonce()),
themes=config.get_themes(),
)
return redirect(url_for("views.static_html"))
def register():
errors = get_errors()
if request.method == "POST":
name = request.form.get("name", "").strip()
email_address = request.form.get("email", "").strip().lower()
password = request.form.get("password", "").strip()
name_len = len(name) == 0
names = Users.query.add_columns("name",
"id").filter_by(name=name).first()
emails = (Users.query.add_columns(
"email", "id").filter_by(email=email_address).first())
pass_short = len(password) == 0
pass_long = len(password) > 128
valid_email = validators.validate_email(email_address)
team_name_email_check = validators.validate_email(name)
if not valid_email:
errors.append("Please enter a valid email address")
if email.check_email_is_whitelisted(email_address) is False:
errors.append(
"Only email addresses under {domains} may register".format(
domains=get_config("domain_whitelist")))
if names:
errors.append("That user name is already taken")
if team_name_email_check is True:
errors.append("Your user name cannot be an email address")
if emails:
errors.append("That email has already been used")
if pass_short:
errors.append("Pick a longer password")
if pass_long:
errors.append("Pick a shorter password")
if name_len:
errors.append("Pick a longer user name")
if len(errors) > 0:
return render_template(
"register.html",
errors=errors,
name=request.form["name"],
email=request.form["email"],
password=request.form["password"],
)
else:
with app.app_context():
user = Users(name=name, email=email_address, password=password)
db.session.add(user)
db.session.commit()
db.session.flush()
login_user(user)
if config.can_send_mail() and get_config(
"verify_emails"
): # Confirming users is enabled and we can send email.
log(
"registrations",
format=
"[{date}] {ip} - {name} registered (UNCONFIRMED) with {email}",
)
email.verify_email_address(user.email)
db.session.close()
return redirect(url_for("auth.confirm"))
else: # Don't care about confirming users
if (
config.can_send_mail()
): # We want to notify the user that they have registered.
email.successful_registration_notification(user.email)
log("registrations", "[{date}] {ip} - {name} registered with {email}")
db.session.close()
if is_teams_mode():
return redirect(url_for("teams.private"))
return redirect(url_for("challenges.listing"))
else:
return render_template("register.html", errors=errors)
def reset_password(data=None):
if data is not None:
try:
email_address = unserialize(data, max_age=1800)
except (BadTimeSignature, SignatureExpired):
return render_template("reset_password.html",
errors=["Your link has expired"])
except (BadSignature, TypeError, base64.binascii.Error):
return render_template("reset_password.html",
errors=["Your reset token is invalid"])
if request.method == "GET":
return render_template("reset_password.html", mode="set")
if request.method == "POST":
password = request.form.get("password", "").strip()
user = Users.query.filter_by(email=email_address).first_or_404()
if user.oauth_id:
return render_template(
"reset_password.html",
errors=[
"Your account was registered via an authentication provider and does not have an associated password. Please login via your authentication provider."
],
)
pass_short = len(password) == 0
if pass_short:
return render_template(
"reset_password.html",
errors=["Please pick a longer password"])
user.password = password
db.session.commit()
log(
"logins",
format="[{date}] {ip} - successful password reset for {name}",
name=user.name,
)
db.session.close()
email.password_change_alert(user.email)
return redirect(url_for("auth.login"))
if request.method == "POST":
email_address = request.form["email"].strip()
user = Users.query.filter_by(email=email_address).first()
get_errors()
if config.can_send_mail() is False:
return render_template(
"reset_password.html",
errors=[
"Email could not be sent due to server misconfiguration"
],
)
if not user:
return render_template(
"reset_password.html",
errors=[
"If that account exists you will receive an email, please check your inbox"
],
)
if user.oauth_id:
return render_template(
"reset_password.html",
errors=[
"The email address associated with this account was registered via an authentication provider and does not have an associated password. Please login via your authentication provider."
],
)
email.forgot_password(email_address)
return render_template(
"reset_password.html",
errors=[
"If that account exists you will receive an email, please check your inbox"
],
)
return render_template("reset_password.html")