def test_api_tag_detail_get():
    """Can a user get /api/v1/tokens/<token_id>"""
    app = create_ctfd()
    with app.app_context():
        owner = gen_user(app.db, name="user")
        generate_user_token(owner)

        def fetch_token_one(client):
            # Every request targets the single token created above (id 1).
            return client.get("/api/v1/tokens/1", json="")

        # The owner sees the "user" view of their own token.
        with login_as_user(app) as client:
            r = fetch_token_one(client)
            assert r.status_code == 200
            body = r.get_json()
            expected_keys = sorted(TokenSchema().views["user"])
            assert sorted(body["data"].keys()) == expected_keys

        # An admin sees the wider "admin" view of the same token.
        with login_as_user(app, "admin") as client:
            r = fetch_token_one(client)
            assert r.status_code == 200
            body = r.get_json()
            expected_keys = sorted(TokenSchema().views["admin"])
            assert sorted(body["data"].keys()) == expected_keys

        # A different non-admin user must not be able to read it at all:
        # the endpoint answers 404, not 403, so the token's existence
        # is not disclosed.
        gen_user(app.db, name="user2", email="*****@*****.**")
        with login_as_user(app, "user2") as client:
            r = fetch_token_one(client)
            assert r.status_code == 404
    destroy_ctfd(app)
def get(self, token_id):
    """Return the serialized token with the given ``token_id``.

    Admins may fetch any token. Every other caller is restricted to tokens
    whose ``user_id`` equals the session user's id, and a token outside
    that scope is answered with 404 (via ``first_or_404``) rather than 403,
    so foreign token ids are not confirmed to exist. The serialization view
    is the session ``type``, defaulting to ``"user"``.

    Returns:
        ``{"success": True, "data": ...}`` on success, or
        ``({"success": False, "errors": ...}, 400)`` when the schema
        reports errors.
    """
    lookup = {"id": token_id}
    if not is_admin():
        # Scope the query to the caller's own tokens.
        lookup["user_id"] = session["id"]
    token = Tokens.query.filter_by(**lookup).first_or_404()

    view_name = session.get("type", "user")
    dumped = TokenSchema(view=view_name).dump(token)
    if dumped.errors:
        return {"success": False, "errors": dumped.errors}, 400
    return {"success": True, "data": dumped.data}
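def post(self):
    """Create a new API token for the currently logged-in user.

    Request body (JSON): an optional ``expiration`` string in ``YYYY-MM-DD``
    form. A truthy value is parsed with ``strptime``; any other value is
    passed through to ``generate_user_token`` unchanged.

    Returns:
        ``{"success": True, "data": ...}`` on success. The ``"admin"`` view
        is used deliberately so the response includes the token value —
        creation is the moment the caller gets to read it.
        ``({"success": False, "errors": ...}, 400)`` when ``expiration`` is
        malformed or the schema reports errors.
    """
    # A non-JSON or empty body previously raised AttributeError (a 500);
    # treat it as "no options given" instead.
    req = request.get_json() or {}
    expiration = req.get("expiration")
    if expiration:
        # Client-supplied date: reject a bad format with a 400 rather than
        # letting strptime's ValueError/TypeError surface as a 500.
        try:
            expiration = datetime.datetime.strptime(expiration, "%Y-%m-%d")
        except (TypeError, ValueError):
            errors = {"expiration": ["Expiration must be a date in YYYY-MM-DD format"]}
            return {"success": False, "errors": errors}, 400

    user = get_current_user()
    token = generate_user_token(user, expiration=expiration)

    # Explicitly use the admin view so that users can see the value of
    # their token in the creation response.
    schema = TokenSchema(view="admin")
    response = schema.dump(token)
    if response.errors:
        return {"success": False, "errors": response.errors}, 400
    return {"success": True, "data": response.data}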
def get(self):
    """List the tokens owned by the current user.

    The serialization view is restricted to ``id``, ``type`` and
    ``expiration``, so the listing never carries the token value itself.

    Returns:
        ``{"success": True, "data": [...]}`` on success, or
        ``({"success": False, "errors": ...}, 400)`` when the schema
        reports errors.
    """
    current = get_current_user()
    owned = Tokens.query.filter_by(user_id=current.id)

    listing_fields = ["id", "type", "expiration"]
    dumped = TokenSchema(view=listing_fields, many=True).dump(owned)
    if dumped.errors:
        return {"success": False, "errors": dumped.errors}, 400
    return {"success": True, "data": dumped.data}