コード例 #1
ファイル: test_tokens.py プロジェクト: KaitoRyouga/CTFd
def test_api_tag_detail_get():
    """Check who may read GET /api/v1/tokens/<token_id>.

    One token is generated for the account named "user". The test then
    requests token id 1 from three sessions:

    * the default ``login_as_user(app)`` session (presumably the "user"
      account created here -- confirm against the helper) gets 200 and
      exactly the fields of the schema's "user" view;
    * the "admin" session gets 200 and exactly the fields of the "admin"
      view;
    * a second, unrelated account ("user2") gets 404, i.e. another user's
      token cannot be read by guessing its id.
    """
    # assumes the token generated below is stored with id 1 -- TODO confirm
    token_url = "/api/v1/tokens/1"
    app = create_ctfd()
    with app.app_context():
        owner = gen_user(app.db, name="user")
        generate_user_token(owner)

        # (extra positional args for login_as_user, schema view expected back)
        permitted_sessions = (((), "user"), (("admin",), "admin"))
        for login_args, view_name in permitted_sessions:
            with login_as_user(app, *login_args) as client:
                reply = client.get(token_url, json="")
                assert reply.status_code == 200
                returned_fields = sorted(reply.get_json()["data"].keys())
                assert returned_fields == sorted(TokenSchema().views[view_name])

        # A different, non-admin account must not be able to read the token.
        gen_user(app.db, name="user2", email="*****@*****.**")
        with login_as_user(app, "user2") as client:
            reply = client.get(token_url, json="")
            assert reply.status_code == 404
    destroy_ctfd(app)
コード例 #2
ファイル: tokens.py プロジェクト: cydave/CTFd
    def get(self, token_id):
        """Return a single token, serialized for the caller's session type.

        Admins may look up any token id. Every other caller is limited to
        tokens whose ``user_id`` equals the session's ``id``, so a token
        owned by someone else yields the same 404 as a token that does not
        exist.

        Returns the ``{"success": True, "data": ...}`` payload, or a
        ``({"success": False, "errors": ...}, 400)`` tuple when the schema
        dump reports errors.
        """
        if is_admin():
            lookup = {"id": token_id}
        else:
            # Ownership check: the row must belong to the logged-in user.
            lookup = {"id": token_id, "user_id": session["id"]}
        token = Tokens.query.filter_by(**lookup).first_or_404()

        # NOTE(review): row access is decided by is_admin() while the field
        # set comes from session["type"]; confirm the two cannot disagree.
        view_name = session.get("type", "user")
        dumped = TokenSchema(view=view_name).dump(token)

        if not dumped.errors:
            return {"success": True, "data": dumped.data}
        return {"success": False, "errors": dumped.errors}, 400
コード例 #3
ファイル: tokens.py プロジェクト: cydave/CTFd
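    def post(self):
        """Create an API token for the current user and return it.

        The JSON body may carry an optional ``expiration`` string in
        ``YYYY-MM-DD`` form. The body is client-controlled, so a body that
        is not a JSON object, or an ``expiration`` that does not parse, is
        answered with a 400 error payload instead of raising an unhandled
        exception.

        Returns the ``{"success": True, "data": ...}`` payload, or a
        ``({"success": False, "errors": ...}, 400)`` tuple on invalid input
        or when the schema dump reports errors.
        """
        req = request.get_json()
        if not isinstance(req, dict):
            # Covers a missing body (None) as well as JSON arrays/scalars,
            # none of which support the .get() lookup below.
            return {
                "success": False,
                "errors": {"body": ["Request body must be a JSON object"]},
            }, 400

        expiration = req.get("expiration")
        if expiration:
            try:
                expiration = datetime.datetime.strptime(expiration, "%Y-%m-%d")
            except (TypeError, ValueError):
                # TypeError: value is not a string; ValueError: wrong format.
                return {
                    "success": False,
                    "errors": {
                        "expiration": [
                            "Expiration must be a date in YYYY-MM-DD format"
                        ]
                    },
                }, 400

        user = get_current_user()
        token = generate_user_token(user, expiration=expiration)

        # Explicitly use the admin view so that users can see the value of
        # their token in this creation response.
        schema = TokenSchema(view="admin")
        response = schema.dump(token)

        if response.errors:
            return {"success": False, "errors": response.errors}, 400

        return {"success": True, "data": response.data}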
コード例 #4
ファイル: tokens.py プロジェクト: cydave/CTFd
    def get(self):
        """List the current user's tokens.

        The query is filtered on the current user's id, and the schema is
        asked for the ``id``, ``type`` and ``expiration`` fields only, so
        the token value is not among the requested fields.

        Returns the ``{"success": True, "data": ...}`` payload, or a
        ``({"success": False, "errors": ...}, 400)`` tuple when the schema
        dump reports errors.
        """
        owner = get_current_user()
        owned_tokens = Tokens.query.filter_by(user_id=owner.id)

        listing_fields = ["id", "type", "expiration"]
        schema = TokenSchema(view=listing_fields, many=True)
        dumped = schema.dump(owned_tokens)

        if not dumped.errors:
            return {"success": True, "data": dumped.data}
        return {"success": False, "errors": dumped.errors}, 400