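    def get_challenges():
        """Return the visible challenges as ``{'id', 'name', 'category'}`` dicts grouped by category.

        Access follows the other challenge views: outside CTF time a non-admin
        gets ``[]`` unless post-CTF viewing is enabled, and a listing is only
        produced when the caller may view challenges and the CTF has started
        (or the caller is an admin).  Challenges flagged ``hidden`` are never
        included.

        Returns:
            A list of dicts, contiguous per category in first-seen order, or
            ``[]`` when the caller may not see challenges.
        """
        if not utils.is_admin():
            # Non-admins outside CTF time only get a listing when post-CTF viewing is on.
            if not utils.ctftime() and not utils.view_after_ctf():
                return []
        if not (utils.user_can_view_challenges() and (utils.ctf_started() or utils.is_admin())):
            return []

        rows = db.session.query(
            Challenges.id,
            Challenges.name,
            Challenges.category
        ).filter(or_(Challenges.hidden != True, Challenges.hidden == None)).all()
        jchals = [{'id': r.id, 'name': r.name, 'category': r.category} for r in rows]

        # Group by category in one pass.  The original iterated a *set* of
        # category names, so the group order depended on string hashing and
        # changed from process to process; first-seen order is deterministic.
        grouped = {}
        order = []
        for entry in jchals:
            category = entry['category']
            if category not in grouped:
                grouped[category] = []
                order.append(category)
            grouped[category].append(entry)
        return [entry for category in order for entry in grouped[category]]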
def challenges_view():
    """Render ``challenges.html`` for callers allowed to see the challenge board.

    Non-admins outside CTF time get the page with only status errors unless
    post-CTF viewing is enabled; logged-in, unverified non-admins are sent to
    e-mail confirmation when verification is required; callers who may not
    view challenges are sent to login.
    """
    infos = []
    errors = []
    start = utils.get_config('start') or 0
    end = utils.get_config('end') or 0

    def add_timing_errors():
        # Status lines for a CTF that has not started yet or has already ended.
        if utils.get_config('start') and not utils.ctf_started():
            errors.append('{} has not started yet'.format(utils.ctf_name()))
        if (utils.get_config('end') and utils.ctf_ended()) and not utils.view_after_ctf():
            errors.append('{} has ended'.format(utils.ctf_name()))

    def render():
        return render_template('challenges.html', infos=infos, errors=errors, start=int(start), end=int(end))

    if utils.ctf_paused():
        infos.append('{} is paused'.format(utils.ctf_name()))

    if not utils.is_admin():
        if not utils.ctftime() and not utils.view_after_ctf():
            # Outside CTF time with no post-CTF viewing: status page only.
            add_timing_errors()
            return render()

    if utils.get_config('verify_emails') and utils.authed():
        if utils.is_admin() is False and utils.is_verified() is False:
            # Logged in but e-mail not yet confirmed.
            return redirect(url_for('auth.confirm_user'))

    if not utils.user_can_view_challenges():
        return redirect(url_for('auth.login', next='challenges'))
    add_timing_errors()
    return render()
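def chals_contest(contestid):
    """Return the visible challenges of one contest as JSON (``{'game': [...]}``).

    Args:
        contestid: Primary key of the ``Contests`` row whose challenges are listed.

    Returns:
        A JSON response with one entry per non-hidden challenge of the contest,
        ordered by value, each carrying its tags, file locations and hints
        (hint text only once the calling team unlocked it or the CTF ended);
        otherwise a redirect to login, or to the static landing page for
        non-admins outside CTF time without post-CTF viewing.
    """
    contest = Contests.query.filter_by(id=contestid).first()
    # NOTE(review): contest is None for an unknown id and is passed through
    # to the utils helpers unchanged — confirm they tolerate None.

    if not utils.is_admin():
        if not utils.ctftime(contest=contest) and not utils.view_after_ctf(contest=contest):
            return redirect(url_for('views.static_html'))

    permitted = utils.user_can_view_challenges(contest=contest) and (
        utils.ctf_started(contest=contest) or utils.is_admin())
    if not permitted:
        db.session.close()
        return redirect(url_for('auth.login', next='chals'))

    # user_can_view_challenges may admit anonymous callers, who have no
    # session id; session['id'] raised KeyError (a 500) for them.  With None
    # the unlock lookup simply yields no unlocked hints.  The query does not
    # depend on the challenge, so it is run once rather than per challenge.
    teamid = session.get('id')
    unlocked_hints = set(
        u.itemid for u in Unlocks.query.filter_by(model='hints', teamid=teamid))

    chals = Challenges.query.filter(
        and_(or_(Challenges.hidden != True, Challenges.hidden == None),
             Challenges.contestid == contestid)).order_by(
                 Challenges.value).all()
    game = []
    for chal in chals:
        tags = [t.tag for t in Tags.query.add_columns('tag').filter_by(chal=chal.id).all()]
        files = [str(f.location) for f in Files.query.filter_by(chal=chal.id).all()]
        hints = []
        for hint in Hints.query.filter_by(chal=chal.id).all():
            entry = {'id': hint.id, 'cost': hint.cost}
            # Hint text only leaves the server once unlocked or after the CTF.
            if hint.id in unlocked_hints or utils.ctf_ended():
                entry['hint'] = hint.hint
            hints.append(entry)
        chal_type = get_chal_class(chal.type)
        game.append({
            'id': chal.id,
            'type': chal_type.name,
            'name': chal.name,
            'value': chal.value,
            'description': chal.description,
            'category': chal.category,
            'files': files,
            'tags': tags,
            'hints': hints
        })

    db.session.close()
    return jsonify({'game': game})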
def chals():
    """Return every non-hidden challenge as JSON (``{'game': [...]}``), ordered by value.

    Each entry carries the challenge's tags, file locations, hints (text only
    once unlocked by the calling team or after the CTF ended) and the modal
    template/script of its challenge type.  Aborts with 403 when the caller
    may not view challenges (or is a non-admin before the start), or is a
    non-admin outside CTF time without post-CTF viewing.
    """
    if not utils.is_admin():
        if not utils.ctftime() and not utils.view_after_ctf():
            abort(403)
    permitted = utils.user_can_view_challenges() and (utils.ctf_started()
                                                       or utils.is_admin())
    if not permitted:
        db.session.close()
        abort(403)

    # session.get: anonymous viewers (when allowed) have no id and simply
    # see no unlocked hints.
    teamid = session.get('id')
    visible = or_(Challenges.hidden != True, Challenges.hidden == None)
    game = []
    for chal in Challenges.query.filter(visible).order_by(Challenges.value).all():
        tags = [t.tag for t in Tags.query.add_columns('tag').filter_by(chal=chal.id).all()]
        files = [str(f.location) for f in Files.query.filter_by(chal=chal.id).all()]
        unlocked = set(u.itemid for u in Unlocks.query.filter_by(model='hints', teamid=teamid))
        hints = []
        for hint in Hints.query.filter_by(chal=chal.id).all():
            entry = {'id': hint.id, 'cost': hint.cost}
            # Hint text only leaves the server once unlocked or after the CTF.
            if hint.id in unlocked or utils.ctf_ended():
                entry['hint'] = hint.hint
            hints.append(entry)
        chal_type = get_chal_class(chal.type)
        game.append({
            'id': chal.id,
            'type': chal_type.name,
            'name': chal.name,
            'value': chal.value,
            'description': chal.description,
            'category': chal.category,
            'files': files,
            'tags': tags,
            'hints': hints,
            'template': chal_type.templates['modal'],
            'script': chal_type.scripts['modal'],
        })

    db.session.close()
    return jsonify({'game': game})
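def hints_view(hintid):
    """Serve (GET) or unlock (POST) a single hint for the calling team.

    Args:
        hintid: Primary key of the ``Hints`` row; 404 when unknown.

    Returns:
        GET: the hint's challenge and cost, plus its text once unlocked.
        POST: unlocks the hint, charging ``hint.cost`` points through a
        negative ``Awards`` row, and returns the text; ``{'errors': ...}``
        when the team cannot afford it.

    Aborts with 403 before the CTF starts (non-admins), when there is no
    logged-in team, or when unlocking is closed (CTF over without post-CTF
    viewing); 404 when the hint's challenge no longer exists; 405 for any
    other method.
    """
    if utils.ctf_started() is False and utils.is_admin() is False:
        abort(403)
    # Every branch below is keyed on the calling team; without a session
    # there is nothing to look up (session['id'] raised KeyError, a 500).
    teamid = session.get('id')
    if teamid is None:
        abort(403)
    hint = Hints.query.filter_by(id=hintid).first_or_404()
    chal = Challenges.query.filter_by(id=hint.chal).first()
    unlock = Unlocks.query.filter_by(model='hints',
                                     itemid=hintid,
                                     teamid=teamid).first()
    disclosed = {'hint': hint.hint, 'chal': hint.chal, 'cost': hint.cost}

    if request.method == 'GET':
        if unlock:
            return jsonify(disclosed)
        return jsonify({'chal': hint.chal, 'cost': hint.cost})

    if request.method == 'POST':
        if unlock is not None:
            # Already unlocked: just hand the hint back.
            db.session.close()
            return jsonify(disclosed)
        open_for_unlocks = (utils.ctftime()
                            or (utils.ctf_ended() and utils.view_after_ctf())
                            or utils.is_admin() is True)
        if not open_for_unlocks:
            # CTF over without post-CTF viewing (or otherwise closed).  The
            # original fell through to an implicit None here, a 500.
            abort(403)
        if chal is None:
            # The hint points at a challenge that no longer exists; the award
            # name below needs chal.name.
            abort(404)
        team = Teams.query.filter_by(id=teamid).first()
        if team is None:
            abort(403)
        # NOTE(review): the affordability check and the inserts below are not
        # atomic; two concurrent unlock requests can both pass the check.
        if team.score() < hint.cost:
            return jsonify({'errors': get_tip('NOT_ENOUGH_POINT')})
        unlock = Unlocks(model='hints', teamid=teamid, itemid=hint.id)
        # Paying for the hint is recorded as a negative award.
        award = Awards(teamid=teamid,
                       name=text_type(get_tip('HIT_FOR').format(chal.name)),
                       value=(-hint.cost))
        db.session.add(unlock)
        db.session.add(award)
        db.session.commit()
        db.session.close()
        return jsonify(disclosed)

    abort(405)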
def chals():
    """Return all challenges as JSON (``{'game': [...]}``) ordered by value.

    NOTE(review): unlike the ``hidden``-filtered variants, no visibility
    filter is applied here, so hidden challenges are listed too — confirm
    that is intended.  Non-admins outside CTF time are sent to ``/`` unless
    post-CTF viewing is on; callers who may not view challenges go to login.
    """
    if not is_admin():
        if not ctftime() and not view_after_ctf():
            return redirect('/')
    if not can_view_challenges():
        db.session.close()
        return redirect(url_for('auth.login', next='chals'))

    columns = ('id', 'name', 'value', 'description', 'category')
    rows = Challenges.query.add_columns(*columns).order_by(Challenges.value).all()
    game = []
    for row in rows:
        # add_columns rows: index 0 is the entity, then the added columns in order.
        files = [str(f.location) for f in Files.query.filter_by(chal=row.id).all()]
        entry = dict(zip(columns, row[1:6]))
        entry['files'] = files
        game.append(entry)

    db.session.close()
    return jsonify({'game': game})
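    def file_handler(path):
        """Redirect to an S3 presigned URL for an uploaded file.

        Args:
            path: The stored ``Files.location`` of the requested file; 404 when
                no row matches.

        Returns:
            A redirect to a presigned ``get_object`` URL for admins, and for
            other callers only when they may view challenges, the CTF is in
            progress (or post-CTF viewing is on) and the owning challenge is
            present and not hidden; callers who may not view challenges are
            sent to login.
        """
        f = Files.query.filter_by(location=path).first_or_404()
        chal = Challenges.query.filter_by(id=f.chal).first()

        s3, bucket = get_s3_conn(app)

        def presigned_redirect():
            # The same presigned URL serves every allowed caller; built here
            # once instead of duplicated per branch.
            url = s3.generate_presigned_url('get_object',
                                            Params={
                                                'Bucket': bucket,
                                                'Key': f.location,
                                            })
            return redirect(url)

        if utils.is_admin():
            return presigned_redirect()

        if not utils.user_can_view_challenges():
            return redirect(url_for('auth.login'))

        if not utils.ctftime() and not utils.view_after_ctf():
            abort(403)

        # A file whose challenge row is missing (f.chal unset or dangling)
        # used to raise AttributeError on chal.hidden (a 500); deny it
        # explicitly instead.
        if chal is None or chal.hidden:
            abort(403)

        return presigned_redirect()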
 def require_verified_emails_wrapper(*args, **kwargs):
     """Send logged-in, unverified non-admins to e-mail confirmation; otherwise call the wrapped ``f``."""
     verification_required = utils.get_config('verify_emails') and utils.authed()
     if verification_required:
         unconfirmed = utils.is_admin() is False and utils.is_verified() is False
         if unconfirmed:
             return redirect(url_for('auth.confirm_user'))
     return f(*args, **kwargs)
 def challenges():
     """Render ``chals.html``, or redirect callers who may not see the board."""
     if not is_admin() and not ctftime_view():
         # Outside the viewing window: back to the front page.
         return redirect('/')
     if not can_view_challenges():
         return redirect(url_for('login', next="challenges"))
     return render_template('chals.html', ctftime=ctftime_submit())
def solves(teamid=None):
    """Return a team's solves as JSON (``{'solves': [...]}``).

    Args:
        teamid: Team to list; ``None`` means the calling session's own team,
            which requires a login (non-admins are limited to a non-banned team).

    Returns:
        One dict per solve with challenge name/id, team, value, category and
        unix time; a redirect to login when no team is given and the caller
        is anonymous.
    """
    if teamid is not None:
        # NOTE(review): an explicit teamid is served without any login or
        # score-hiding check — confirm solves are meant to be public here.
        rows = Solves.query.filter_by(teamid=teamid).all()
    elif is_admin():
        rows = Solves.query.filter_by(teamid=session['id']).all()
    elif authed():
        # Own solves, but only while the team is not banned.
        rows = Solves.query.join(Teams, Solves.teamid == Teams.id).filter(
            Solves.teamid == session['id'], Teams.banned == None).all()
    else:
        return redirect(url_for('auth.login', next='solves'))
    db.session.close()
    entries = [{
        'chal': s.chal.name,
        'chalid': s.chalid,
        'team': s.teamid,
        'value': s.chal.value,
        'category': s.chal.category,
        'time': unix_time(s.date)
    } for s in rows]
    return jsonify({'solves': entries})
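def solves(teamid=None):
    """Return a team's solves and awards as one JSON list sorted by time.

    Args:
        teamid: Team to list.  ``None`` means the calling session's own team
            (login required; non-admins are limited to a non-banned team), in
            which case only solves are returned.

    Returns:
        ``{'solves': [...]}`` with one dict per solve (``chalid`` set) or
        award (``chalid`` None), ascending by unix time; a redirect to login
        when no team is given and the caller is anonymous.
    """
    # Awards are only looked up for an explicit teamid; default to an empty
    # list so the award loop below does not iterate None (a TypeError, 500).
    awards = []
    if teamid is None:
        if is_admin():
            solves = Solves.query.filter_by(teamid=session['id']).all()
        elif authed():
            solves = Solves.query.join(Teams, Solves.teamid == Teams.id).filter(Solves.teamid==session['id'], Teams.banned==None).all()
        else:
            return redirect(url_for('auth.login', next='solves'))
    else:
        solves = Solves.query.filter_by(teamid=teamid).all()
        awards = Awards.query.filter_by(teamid=teamid).all()
    db.session.close()
    entries = [{
        'chal': solve.chal.name,
        'chalid': solve.chalid,
        'team': solve.teamid,
        'value': solve.chal.value,
        'category': solve.chal.category,
        'time': unix_time(solve.date)
    } for solve in solves]
    entries.extend({
        'chal': award.name,
        'chalid': None,
        'team': award.teamid,
        'value': award.value,
        'category': award.category,
        'time': unix_time(award.date)
    } for award in awards)
    entries.sort(key=lambda k: k['time'])
    return jsonify({'solves': entries})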
def challenges_view():
    """Render ``chals.html``, or redirect callers who may not see the board.

    Non-admins outside CTF time get the page with only status errors unless
    post-CTF viewing is enabled, and are sent to e-mail confirmation when
    verification is required and they are unverified; callers who may not
    view challenges are sent to login.
    """
    errors = []
    start = utils.get_config('start') or 0
    end = utils.get_config('end') or 0

    def add_timing_errors():
        # Status lines for a CTF that has not started yet or has already ended.
        if utils.get_config('start') and not utils.ctf_started():
            errors.append('{} has not started yet'.format(utils.ctf_name()))
        if (utils.get_config('end') and utils.ctf_ended()) and not utils.view_after_ctf():
            errors.append('{} has ended'.format(utils.ctf_name()))

    def render():
        return render_template('chals.html', errors=errors, start=int(start), end=int(end))

    if not utils.is_admin():
        if not utils.ctftime() and not utils.view_after_ctf():
            # Outside CTF time with no post-CTF viewing: status page only.
            add_timing_errors()
            return render()
        # NOTE(review): this check also runs for anonymous callers; confirm
        # utils.is_verified() handles a missing session without sending
        # guests to the confirmation page.
        if utils.get_config('verify_emails') and not utils.is_verified():
            return redirect(url_for('auth.confirm_user'))
    if not utils.user_can_view_challenges():
        return redirect(url_for('auth.login', next='challenges'))
    add_timing_errors()
    return render()
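def chals():
    """Return every non-hidden challenge as JSON (``{'game': [...]}``) ordered by value.

    Each entry carries the challenge's tags, file locations, hints (its
    ``Announcements``, oldest first), its ``down`` flag and the calling team's
    notepad content (``''`` when none).  Non-admins outside CTF time go to the
    index unless post-CTF viewing is on; callers who may not view challenges
    (or non-admins before the start) go to login.
    """
    if not is_admin():
        if not ctftime() and not view_after_ctf():
            return redirect(url_for('views.index'))
    if not (user_can_view_challenges() and (ctf_started() or is_admin())):
        db.session.close()
        return redirect(url_for('auth.login', next='chals'))

    # user_can_view_challenges may admit anonymous callers, who have no
    # session id; session['id'] raised KeyError (a 500) for them.  With None
    # the notepad lookup simply finds nothing.
    teamid = session.get('id')
    chals = Challenges.query.filter(
        or_(Challenges.hidden != True,
            Challenges.hidden == None)).order_by(Challenges.value).all()

    game = []
    for chal in chals:
        tags = [t.tag for t in Tags.query.filter_by(chal=chal.id).all()]
        files = [str(f.location) for f in Files.query.filter_by(chal=chal.id).all()]
        hints = [{
            'title': hint.title,
            'description': hint.description
        } for hint in Announcements.query.filter_by(
            chalid=chal.id).order_by(Announcements.date.asc()).all()]
        notepad = Notepads.query.filter_by(teamid=teamid, chalid=chal.id).first()
        game.append({
            'id': chal.id,
            'name': chal.name,
            'value': chal.value,
            'description': chal.description,
            'category': chal.category,
            'down': chal.down,
            'files': files,
            'tags': tags,
            'hints': hints,
            'notepad': notepad.content if notepad else '',
        })

    db.session.close()
    return jsonify({'game': game})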
def user_can_get_config():
    """Return True when the caller may read the config: admins, or logged-in users allowed to view challenges."""
    if utils.is_admin():
        return True
    # Evaluated in order and short-circuits on the first failing check.
    return all(check() for check in (utils.authed, utils.user_can_view_challenges))
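def team(teamid):
    """Render a team's page (GET) or return its solves as JSON (POST).

    Args:
        teamid: Primary key of the ``Teams`` row; 404 when unknown.

    Shows place, score, solves and awards; other teams' solves/awards are cut
    off at the scoreboard freeze time.  Errors (CTF not started or ended,
    scores hidden, an admin or banned team viewed by a non-admin) replace the
    score data.  404 in workshop mode; redirect to login when the scoreboard
    requires authentication.
    """
    if utils.get_config('workshop_mode'):
        abort(404)

    # The key used to be 'view_scoreboard_if_utils.authed', a stray
    # search-and-replace artefact that never matched any setting, so the
    # "login required to view scoreboard" option was silently ignored here.
    if utils.get_config('view_scoreboard_if_authed') and not utils.authed():
        return redirect(url_for('auth.login', next=request.path))
    infos = []
    errors = []
    own_team = session.get('id')

    if utils.ctf_paused():
        infos.append('{} is paused'.format(utils.ctf_name()))

    if not utils.ctftime() and not utils.view_after_ctf():
        # Outside CTF time without post-CTF viewing: explain why.
        if utils.get_config('start') and not utils.ctf_started():
            errors.append('{} has not started yet'.format(utils.ctf_name()))
        if (utils.get_config('end') and utils.ctf_ended()) and not utils.view_after_ctf():
            errors.append('{} has ended'.format(utils.ctf_name()))

    freeze = utils.get_config('freeze')
    user = Teams.query.filter_by(id=teamid).first_or_404()
    solves = Solves.query.filter_by(teamid=teamid)
    awards = Awards.query.filter_by(teamid=teamid)

    place = user.place()
    score = user.score()

    if freeze:
        # Other teams' progress is shown only up to the freeze time; a team
        # always sees its own full history.
        freeze = utils.unix_time_to_utc(freeze)
        if teamid != own_team:
            solves = solves.filter(Solves.date < freeze)
            awards = awards.filter(Awards.date < freeze)

    solves = solves.all()
    awards = awards.all()

    db.session.close()

    if utils.hide_scores() and teamid != own_team:
        errors.append('Scores are currently hidden')
    elif not utils.is_admin() and (user.admin or user.banned):
        # banned is a synonym for hidden :/
        errors.append('Scores are currently hidden')

    if errors:
        return render_template('team.html', team=user, infos=infos, errors=errors)

    if request.method == 'GET':
        return render_template('team.html', solves=solves, awards=awards, team=user, score=score, place=place, score_frozen=utils.is_scoreboard_frozen(), infos=infos)
    elif request.method == 'POST':
        json = {'solves': []}
        for x in solves:
            json['solves'].append({'id': x.id, 'chal': x.chalid, 'team': x.teamid})
        return jsonify(json)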
    def chal_view_linearunlocked(chal_id):
        """Return one challenge's details as JSON, or ``[]`` while a prerequisite is unsolved.

        Args:
            chal_id: Primary key of the ``Challenges`` row; 404 when unknown.

        The challenge is withheld when any ``LinearUnlockingEntry`` for it
        names a required challenge (``requires_chalid > -1``) the calling team
        has not solved.  Solves are read for admins and, when challenge viewing
        is allowed, for logged-in teams; otherwise nothing counts as solved.
        """
        teamid = session.get('id')

        chal = Challenges.query.filter_by(id=chal_id).first_or_404()
        chal_class = get_chal_class(chal.type)

        # Challenge ids the calling team has solved.
        if utils.is_admin():
            team_solves = Solves.query.filter_by(teamid=session['id']).all()
        elif utils.user_can_view_challenges() and utils.authed():
            team_solves = Solves.query\
                .join(Teams, Solves.teamid == Teams.id)\
                .filter(Solves.teamid == session['id'])\
                .all()
        else:
            team_solves = []
        solve_ids = [solve.chalid for solve in team_solves]

        # Withhold the challenge while any required prerequisite is unsolved.
        for lu_entry in LinearUnlockingEntry.query.filter_by(chalid=chal.id).all():
            if lu_entry.requires_chalid > -1 and lu_entry.requires_chalid not in solve_ids:
                return jsonify([])

        tags = [t.tag for t in Tags.query.add_columns('tag').filter_by(chal=chal.id).all()]
        files = [str(f.location) for f in Files.query.filter_by(chal=chal.id).all()]
        unlocked_hints = set(u.itemid for u in Unlocks.query.filter_by(model='hints', teamid=teamid))
        hints = []
        for hint in Hints.query.filter_by(chal=chal.id).all():
            entry = {'id': hint.id, 'cost': hint.cost}
            # Hint text is disclosed only once unlocked or after the CTF ended.
            if hint.id in unlocked_hints or utils.ctf_ended():
                entry['hint'] = hint.hint
            hints.append(entry)

        # chal_class.read returns (challenge, response); only the response is used.
        _, response = chal_class.read(challenge=chal)
        response['files'] = files
        response['tags'] = tags
        response['hints'] = hints

        db.session.close()
        return jsonify(response)
def solves(teamid=None):
    """Return a team's solves (and, for an explicit team, its awards) as JSON sorted by time.

    Args:
        teamid: Team to list.  ``None`` means the calling session's own team:
            admins always, logged-in non-banned teams when challenge viewing is
            allowed, an empty list for anonymous viewers, and a redirect to
            login otherwise.  An explicit team is served empty while scores are
            hidden, and cut off at the freeze time unless it is the caller's own.

    Returns:
        ``{'solves': [...]}`` — solve dicts carry ``chalid``; award dicts have
        ``chalid`` None and fall back to the category "Award".
    """
    awards = None
    if teamid is not None:
        if utils.hide_scores():
            # Empty values hide scores without changing the response shape.
            solves, awards = [], []
        else:
            solve_q = Solves.query.filter_by(teamid=teamid)
            award_q = Awards.query.filter_by(teamid=teamid)

            freeze = utils.get_config('freeze')
            if freeze:
                freeze = utils.unix_time_to_utc(freeze)
                # Other teams only see progress up to the freeze time.
                if teamid != session.get('id'):
                    solve_q = solve_q.filter(Solves.date < freeze)
                    award_q = award_q.filter(Awards.date < freeze)

            solves, awards = solve_q.all(), award_q.all()
    elif utils.is_admin():
        solves = Solves.query.filter_by(teamid=session['id']).all()
    elif utils.user_can_view_challenges():
        if not utils.authed():
            return jsonify({'solves': []})
        solves = Solves.query.join(Teams,
                                   Solves.teamid == Teams.id).filter(
                                       Solves.teamid == session['id'],
                                       Teams.banned == False).all()
    else:
        return redirect(url_for('auth.login', next='solves'))
    db.session.close()

    entries = [{
        'chal': solve.chal.name,
        'chalid': solve.chalid,
        'team': solve.teamid,
        'value': solve.chal.value,
        'category': solve.chal.category,
        'time': utils.unix_time(solve.date)
    } for solve in solves]
    for award in awards or []:
        entries.append({
            'chal': award.name,
            'chalid': None,
            'team': award.teamid,
            'value': award.value,
            'category': award.category or "Award",
            'time': utils.unix_time(award.date)
        })
    entries.sort(key=lambda k: k['time'])
    return jsonify({'solves': entries})
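def file_handler(path):
    """Serve an uploaded file from ``<root>/uploads`` by its stored location.

    Args:
        path: The stored ``Files.location``; 404 when no row matches.

    Files attached to a challenge (``f.chal`` set) are withheld (403) from
    non-admins outside CTF time unless post-CTF viewing is enabled and the
    CTF has started; files without a challenge have no time check.  A
    location that resolves outside the uploads directory is answered 404.
    """
    f = Files.query.filter_by(location=path).first_or_404()
    if f.chal and not is_admin():
        if not ctftime() and not (view_after_ctf() and ctf_started()):
            abort(403)
    upload_folder = os.path.realpath(os.path.join(app.root_path, 'uploads'))
    target = os.path.realpath(os.path.join(upload_folder, f.location))
    # f.location is a stored path component; os.path.join would honour an
    # absolute or '..' value, so refuse anything that resolves outside the
    # uploads directory.
    if not target.startswith(upload_folder + os.sep):
        abort(404)
    return send_file(target)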
def file_handler(path):
    """Serve an uploaded file by its stored location from the configured upload folder.

    Args:
        path: The stored ``Files.location``; 404 when no row matches.

    Challenge files (``f.chal`` set) are withheld (403) from non-admins
    outside CTF time unless post-CTF viewing is enabled and the CTF has
    started.  ``safe_join`` keeps the final path inside the upload folder.
    """
    f = Files.query.filter_by(location=path).first_or_404()
    restricted = bool(f.chal) and not utils.is_admin() and not utils.ctftime()
    if restricted and not (utils.view_after_ctf() and utils.ctf_started()):
        abort(403)
    upload_folder = os.path.join(app.root_path, app.config['UPLOAD_FOLDER'])
    return send_file(safe_join(upload_folder, f.location))
def challenges_view():
    """Render ``chals.html``, or redirect callers who may not see the board."""
    if not is_admin() and not ctftime() and not view_after_ctf():
        # Outside CTF time with no post-CTF viewing: back to the front page.
        return redirect('/')
    if not can_view_challenges():
        return redirect(url_for('auth.login', next='challenges'))
    return render_template('chals.html', ctftime=ctftime())
def file_handler(path):
    """Serve an uploaded file from the configured upload folder.

    Args:
        path: The stored ``Files.location``; 404 when no row matches.

    Returns:
        The file via ``send_file``; ``safe_join`` bounds the resolved path to
        the upload folder.  Non-admins are refused (403) a file that belongs
        to a challenge outside CTF time unless post-CTF viewing is on and the
        CTF has started; files without a challenge have no time check.
    """
    f = Files.query.filter_by(location=path).first_or_404()
    if f.chal:
        if not utils.is_admin():
            allowed = utils.ctftime() or (utils.view_after_ctf() and utils.ctf_started())
            if not allowed:
                abort(403)
    upload_folder = os.path.join(app.root_path, app.config['UPLOAD_FOLDER'])
    return send_file(safe_join(upload_folder, f.location))
def challenges_view():
    """Render ``chals.html``, or redirect callers who may not see the board."""
    if not is_admin():
        # Outside CTF time with no post-CTF viewing: back to the front page.
        if not ctftime() and not view_after_ctf():
            return redirect('/')
    if can_view_challenges():
        return render_template('chals.html', ctftime=ctftime())
    return redirect(url_for('login', next="challenges"))
def user_can_get_config():
    """Return True when the caller may read the config.

    Admins always may; everyone else must be logged in and verified, allowed
    to view challenges, and inside the time window below.
    """
    if utils.is_admin():
        return True
    # NOTE(review): the last check passes only once the CTF has *ended* (or
    # post-CTF viewing is on), so a running CTF with view_after_ctf off
    # denies config to every non-admin — confirm this is the intended window
    # rather than "started and not yet ended".
    checks = (
        lambda: utils.authed() and utils.is_verified(),
        utils.user_can_view_challenges,
        lambda: utils.ctf_started() and (utils.ctf_ended() or utils.view_after_ctf()),
    )
    # Evaluated in order and short-circuits on the first failing check.
    return all(check() for check in checks)
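def solves(teamid=None):
    """Return a team's solves and awards as JSON sorted by time.

    Args:
        teamid: Team to list; ``None`` means the calling session's team, which
            requires a login.  Non-integer values raise ``ValueError``.

    Returns:
        ``{'solves': [...]}`` — one dict per ``Solves`` (``chalid`` set) or
        ``Awards`` (``chalid`` None) entry for that team from
        ``get_solves_and_value``, ascending by unix time.  The caller's own
        solves additionally carry ``mark``/``feedback`` from ``Marks``.

    Raises:
        RuntimeError: if ``get_solves_and_value`` yields an unexpected type.
    """
    # user_can_view_challenges may admit anonymous callers; session['id']
    # raised KeyError (a 500) for them.  With session.get they are sent to
    # login when no team is given, and simply get no marks otherwise.
    own_id = session.get('id')
    if teamid is None:
        if (is_admin() or user_can_view_challenges()) and own_id is not None:
            teamid = own_id
        else:
            return redirect(url_for('auth.login', next='solves'))
    teamid = int(teamid)

    user_solves = []
    for solve, value in get_solves_and_value(is_admin=is_admin()):
        if solve.teamid != teamid:
            continue
        j = {
            'team': solve.teamid,
            'value': value,
            'time': unix_time(solve.date),
        }

        if isinstance(solve, Solves):
            if solve.teamid == own_id:
                # Marks and feedback are private to the team that owns the solve.
                mark = Marks.query.filter_by(teamid=own_id,
                                             chalid=solve.chalid).first()
                j['mark'] = mark.mark if mark else None
                j['feedback'] = mark.feedback if mark else None
            j['chalid'] = solve.chalid
            j['chal'] = solve.chal.name
            j['category'] = solve.chal.category
        elif isinstance(solve, Awards):
            j['chalid'] = None
            j['chal'] = solve.name
            j['category'] = solve.category
        else:
            raise RuntimeError("Objects returned by get_solves_and_value "
                               "should be Solves or Awards")
        user_solves.append(j)

    user_solves.sort(key=operator.itemgetter('time'))
    return jsonify({'solves': user_solves})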
def challenges_view():
    """Render ``chals.html``, or redirect callers who may not see the board.

    Non-admins outside CTF time go to the static landing page unless post-CTF
    viewing is on, and to e-mail confirmation when verification is required
    and they are unverified.
    """
    if not is_admin():
        if not ctftime() and not view_after_ctf():
            return redirect(url_for('views.static_html'))
        if get_config('verify_emails') and not is_verified():
            return redirect(url_for('auth.confirm_user'))
    if not can_view_challenges():
        return redirect(url_for('auth.login', next='challenges'))
    return render_template('chals.html', ctftime=ctftime())
def challenges_view():
    """Render ``chals.html``, or redirect callers who may not see the board.

    Non-admins outside CTF time go back to ``/`` unless post-CTF viewing is
    on, and to e-mail confirmation when verification is required and they
    are unverified.
    """
    if not is_admin():
        outside_window = not ctftime() and not view_after_ctf()
        if outside_window:
            return redirect('/')
        needs_confirmation = get_config('verify_emails') and not is_verified()
        if needs_confirmation:
            return redirect(url_for('auth.confirm_user'))
    if can_view_challenges():
        return render_template('chals.html', ctftime=ctftime())
    return redirect(url_for('auth.login', next='challenges'))
def competitions():
    """Return all competitions as JSON (``{'competitions': [...]}``).

    403 for non-admins outside CTF time without post-CTF viewing, and for
    anyone who may not view challenges (or non-admins before the start).
    """
    if not utils.is_admin():
        if not utils.ctftime() and not utils.view_after_ctf():
            abort(403)
    permitted = utils.user_can_view_challenges() and (utils.ctf_started()
                                                       or utils.is_admin())
    if not permitted:
        db.session.close()
        abort(403)
    listing = [{
        'id': c.id,
        'title': c.title,
        'description': c.description
    } for c in Competitions.query.all()]
    db.session.close()
    return jsonify({'competitions': listing})
def chals():
    """Return every non-hidden challenge as JSON (``{'game': [...]}``) ordered by value.

    Rows are ``add_columns`` tuples: index 0 is the entity, then id, name,
    value, description and category.  Non-admins outside CTF time go to the
    static landing page unless post-CTF viewing is on; callers who may not
    view challenges (or non-admins before the start) go to login.
    """
    if not is_admin():
        if not ctftime() and not view_after_ctf():
            return redirect(url_for('views.static_html'))
    if not (user_can_view_challenges() and (ctf_started() or is_admin())):
        db.session.close()
        return redirect(url_for('auth.login', next='chals'))

    columns = ('id', 'name', 'value', 'description', 'category')
    visible = or_(Challenges.hidden != True, Challenges.hidden == None)
    rows = Challenges.query.filter(visible).add_columns(*columns).order_by(Challenges.value).all()

    game = []
    for row in rows:
        entry = dict(zip(columns, row[1:6]))
        entry['tags'] = [t.tag for t in Tags.query.add_columns('tag').filter_by(chal=row[1]).all()]
        entry['files'] = [str(f.location) for f in Files.query.filter_by(chal=row.id).all()]
        game.append(entry)

    db.session.close()
    return jsonify({'game': game})
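def chals():
    """Return the visible challenge list as JSON (``{'game': [...]}``).

    Each entry carries the challenge's type name, files, tags and hints.
    Hint text is included only for hints the caller's team has unlocked, or
    for every hint once the CTF has ended; otherwise only the hint id and
    cost are exposed.

    Returns:
        A JSON response, or a redirect to the static page (non-admins outside
        CTF time without post-CTF viewing) / the login page (callers who may
        not view challenges).
    """
    if not utils.is_admin():
        if not utils.ctftime() and not utils.view_after_ctf():
            return redirect(url_for('views.static_html'))
    if not (utils.user_can_view_challenges() and (utils.ctf_started() or utils.is_admin())):
        db.session.close()
        return redirect(url_for('auth.login', next='chals'))

    visible_chals = Challenges.query.filter(or_(Challenges.hidden != True, Challenges.hidden == None)).order_by(Challenges.value).all()

    # user_can_view_challenges() may admit unauthenticated visitors, who have
    # no 'id' in the session; session['id'] raised KeyError (HTTP 500) for
    # them.  A missing id simply unlocks nothing.
    team_id = session.get('id')
    # The unlock set and the "CTF ended" state do not depend on the challenge,
    # so evaluate them once instead of once per challenge / per hint.
    unlocked_hints = set()
    if team_id is not None:
        unlocked_hints = {u.itemid for u in Unlocks.query.filter_by(model='hints', teamid=team_id)}
    reveal_all_hints = utils.ctf_ended()

    game = []
    for chal in visible_chals:
        tags = [tag.tag for tag in Tags.query.add_columns('tag').filter_by(chal=chal.id).all()]
        files = [str(f.location) for f in Files.query.filter_by(chal=chal.id).all()]
        hints = []
        for hint in Hints.query.filter_by(chal=chal.id).all():
            entry = {'id': hint.id, 'cost': hint.cost}
            # Hint text is the paid-for part; expose it only when earned.
            if reveal_all_hints or hint.id in unlocked_hints:
                entry['hint'] = hint.hint
            hints.append(entry)
        chal_type = get_chal_class(chal.type)
        game.append({
            'id': chal.id,
            'type': chal_type.name,
            'name': chal.name,
            'value': chal.value,
            'description': chal.description,
            'category': chal.category,
            'files': files,
            'tags': tags,
            'hints': hints
        })

    db.session.close()
    return jsonify({'game': game})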
def get_data():
    """Serve the flag-check endpoint.

    GET from a non-admin client: log the request, parse its flag/token via
    the project's ``filter(request)`` helper and answer with a ``client(...)``
    payload — a comparison against the stored flag when the token resolved
    to a record ``k`` (which is then updated via ``save``), or a
    ``'token wrong'`` reason otherwise.  GET from an admin: a
    ``client(reason='admin')`` payload.  POST: an empty JSON object (TODO).

    NOTE(review): ``is_admin()`` is compared with ``is False`` / ``is True``
    exactly as before, so a non-bool return falls through and the view
    returns None; ``filter`` is a project helper that shadows the builtin.
    """
    if request.method == 'POST':
        # TODO
        payload = {}
        return jsonify(payload)
    if request.method != 'GET':
        return None  # neither GET nor POST: same implicit None as before

    if is_admin() is False:
        log()
        # Get client data
        flag, token, time, k = filter(request)
        if k is None:
            payload = client(reason='token wrong', time=time)
        else:
            payload = client(check=True,
                             flag_old=k.flag,
                             flag_new=flag,
                             time=time)
            save(k, flag)
        return jsonify(payload)
    if is_admin() is True:
        # Show Serve log to admin
        return jsonify(client(reason='admin'))
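    def user_create_chal():
        """Create a challenge from the submitted form, or render the form.

        POST: looks up the challenge class named by the ``chaltype`` form
        field and delegates creation to it.  Non-admins may only create
        ``CommunityChallenge`` instances; any other type is rejected with 403
        before anything is created.  On success the user is redirected to the
        challenge list.  Any other method renders the create template with
        the contents of ``create_path``.
        """
        if request.method == 'POST':
            chal_type = request.form['chaltype']
            chal_class = get_chal_class(chal_type)

            # do not allow non-admin users to create non-community challenges
            if not utils.is_admin() and chal_class != CommunityChallenge:
                abort(403)

            chal_class.create(request)
            return redirect(url_for('challenges.challenges_view'))

        # Read through a context manager so the handle is closed even if the
        # render fails; the original left a file object open on every GET.
        with open(create_path) as create_file:
            content = create_file.read()
        return render_template('admin/chals/create.html', content=content)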
    def during_ctf_time_only_wrapper(*args, **kwargs):
        """Run the wrapped view ``f`` only while the CTF is open.

        Admins, and anyone during CTF time, always get through.  After the
        CTF has ended the view runs only if post-CTF viewing is enabled,
        otherwise 403 "<name> has ended".  Before the CTF has started: 403
        "<name> has not started yet".

        NOTE(review): ``f`` comes from the enclosing decorator, outside this
        block.  If none of the branches applies (not CTF time, not ended,
        ``ctf_started()`` not exactly False) the wrapper returns None, as the
        original did.
        """
        if utils.ctftime() or utils.is_admin():
            return f(*args, **kwargs)

        if utils.ctf_ended():
            if not utils.view_after_ctf():
                abort(403, description='{} has ended'.format(utils.ctf_name()))
            return f(*args, **kwargs)

        if utils.ctf_started() is False:
            abort(403, description='{} has not started yet'.format(utils.ctf_name()))
ファイル: challenges.py プロジェクト: semprix/CTFIgniter
def solves(teamid=None):
    """Return a team's solves (and awards) as JSON, sorted by time.

    With ``teamid`` omitted the caller's own solves are returned: an admin's
    directly; an authenticated user's only if their team is not banned; an
    unauthenticated visitor gets an empty list when challenges are publicly
    viewable, otherwise a redirect to login.  With ``teamid`` given, that
    team's solves and awards are returned with no access check (scoreboard
    data); when a ``freeze`` time is configured, entries dated at or after it
    are dropped for every team except the caller's own.
    """
    def as_entry(name, chalid, team, value, category, date):
        return {
            'chal': name,
            'chalid': chalid,
            'team': team,
            'value': value,
            'category': category,
            'time': utils.unix_time(date)
        }

    awards = None
    if teamid is not None:
        solve_q = Solves.query.filter_by(teamid=teamid)
        award_q = Awards.query.filter_by(teamid=teamid)

        freeze = utils.get_config('freeze')
        if freeze:
            freeze = utils.unix_time_to_utc(freeze)
            # The caller's own team is exempt from the freeze filter.
            if teamid != session.get('id'):
                solve_q = solve_q.filter(Solves.date < freeze)
                award_q = award_q.filter(Awards.date < freeze)

        solve_rows = solve_q.all()
        awards = award_q.all()
    elif utils.is_admin():
        solve_rows = Solves.query.filter_by(teamid=session['id']).all()
    elif not utils.user_can_view_challenges():
        return redirect(url_for('auth.login', next='solves'))
    elif utils.authed():
        solve_rows = Solves.query.join(Teams, Solves.teamid == Teams.id).filter(Solves.teamid == session['id'], Teams.banned == False).all()
    else:
        return jsonify({'solves': []})

    db.session.close()
    entries = [
        as_entry(s.chal.name, s.chalid, s.teamid, s.chal.value, s.chal.category, s.date)
        for s in solve_rows
    ]
    if awards:
        entries.extend(
            as_entry(a.name, None, a.teamid, a.value, a.category or "Award", a.date)
            for a in awards
        )
    entries.sort(key=lambda entry: entry['time'])
    return jsonify({'solves': entries})
ファイル: challenges.py プロジェクト: scr34m0/CTFd
def solves(teamid=None):
    """Return solves as JSON (``{'solves': [...]}``).

    ``teamid`` omitted: an admin gets their own solves; an authenticated user
    gets their own solves joined against Teams with a ``Teams.banned == None``
    filter; anyone else is redirected to login.  ``teamid`` given: that
    team's solves, with no access check.

    NOTE(review): ``Teams.banned == None`` only matches rows whose ``banned``
    column is NULL — if that column defaults to False the authed branch
    returns nothing; sibling implementations on this page use ``== False``.
    Kept as-is here.
    """
    if teamid is not None:
        rows = Solves.query.filter_by(teamid=teamid).all()
    elif is_admin():
        rows = Solves.query.filter_by(teamid=session['id']).all()
    elif authed():
        rows = Solves.query.join(Teams, Solves.teamid == Teams.id).filter(Solves.teamid==session['id'], Teams.banned==None).all()
    else:
        return redirect(url_for('auth.login', next='solves'))
    db.session.close()
    entries = [
        {
            'chal': row.chal.name,
            'chalid': row.chalid,
            'team': row.teamid,
            'value': row.chal.value,
            'category': row.chal.category,
            'time': unix_time(row.date)
        }
        for row in rows
    ]
    return jsonify({'solves': entries})
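def comps(compid):
    """Render the competition list, or a single competition's page.

    Non-admins are rejected with 403 outside CTF time unless post-CTF viewing
    is enabled.  ``compid`` None renders ``competitions.html`` with every
    competition; otherwise ``comp.html`` with the matching one, or 403 when
    no such competition exists (the status the author chose; 404 would be
    the conventional code for a missing resource).
    """
    if not utils.is_admin():
        if not utils.ctftime() and not utils.view_after_ctf():
            abort(403)
    if compid is None:
        comp = Competitions.query.all()
        return render_template('competitions.html', comp=comp)
    # .first() returns None for an unknown id; the original .one() raised
    # NoResultFound (HTTP 500) instead, so the abort branch was unreachable.
    comp = Competitions.query.filter(Competitions.id == compid).first()
    if comp is None:
        abort(403)
    return render_template('comp.html', comp=comp)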
ファイル: challenges.py プロジェクト: slinkymanbyday/CTFd
    def chals():
        """Return every challenge as JSON ``{'game': [...]}`` ordered by value.

        Non-admins are sent to ``/`` when the CTF-time view is not open;
        callers who may not view challenges are sent to ``/login``.  Each
        entry carries the challenge's file locations.  No hidden-challenge
        filter is applied in this variant.
        """
        if not is_admin() and not ctftime_view():
            return redirect('/')
        if not can_view_challenges():
            db.session.close()
            return redirect('/login')

        rows = Challenges.query.add_columns('id', 'name', 'value', 'description', 'category').order_by(Challenges.value).all()

        # add_columns() rows are (Challenges, id, name, value, description, category).
        game = []
        for row in rows:
            locations = [str(f.location) for f in Files.query.filter_by(chal=row.id).all()]
            game.append({'id': row[1], 'name': row[2], 'value': row[3], 'description': row[4], 'category': row[5], 'files': locations})

        db.session.close()
        return jsonify({'game': game})
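    def user_chal_types():
        """Return the challenge types the current user may create, as JSON.

        Admins see every class registered in ``CHALLENGE_CLASSES``;
        non-admins only ``CommunityChallenge``.  Each entry is keyed by the
        class id and carries its id, name, templates and scripts.
        """
        # is_admin() does not change across the loop; evaluate it once rather
        # than once per registered class.
        admin = utils.is_admin()
        data = {}
        for challenge_class in CHALLENGE_CLASSES.values():
            # only allow CommunityChallenge for non-admin users
            if not admin and challenge_class != CommunityChallenge:
                continue

            data[challenge_class.id] = {
                'id': challenge_class.id,
                'name': challenge_class.name,
                'templates': challenge_class.templates,
                'scripts': challenge_class.scripts,
            }

        return jsonify(data)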
def team_solves_view(teamid=None):
    """Return a team's solves and awards as JSON, sorted by time.

    Without ``teamid``: an admin gets their own solves (by user id); an
    authenticated user gets the solves of every member of their team; anyone
    else is redirected to login.  With ``teamid``: the solves and awards of
    every member of that team (404 when the team does not exist).  Each
    entry's ``'team'`` field holds the solving user's id.

    NOTE(review): the ``teamid`` path carries no access check and no freeze
    filter, so any caller can read any team's full solve timeline.
    """
    def as_entry(name, chalid, userid, value, category, date):
        return {
            'chal': name,
            'chalid': chalid,
            'team': userid,
            'value': value,
            'category': category,
            'time': unix_time(date)
        }

    def member_ids(team_id):
        # Ids of every user belonging to the given team.
        return [
            u.id for u in Users.query.with_entities(Users.id).filter_by(
                teamid=team_id)
        ]

    awards = None
    if teamid is not None:
        team = Teams.query.filter_by(id=teamid).first_or_404()
        ids = member_ids(team.id)
        solve_rows = Solves.query.filter(Solves.userid.in_(ids)).all()
        awards = Awards.query.filter(Awards.userid.in_(ids)).all()
    elif is_admin():
        solve_rows = Solves.query.filter_by(userid=session['id']).all()
    elif authed():
        user = Users.query.filter_by(id=session.get('id')).first_or_404()
        solve_rows = Solves.query.filter(Solves.userid.in_(member_ids(user.teamid))).all()
    else:
        return redirect(url_for('auth.login', next='solves'))

    db.session.close()
    entries = [
        as_entry(s.chal.name, s.chalid, s.userid, s.chal.value, s.chal.category, s.date)
        for s in solve_rows
    ]
    if awards:
        entries.extend(
            as_entry(a.name, None, a.userid, a.value, a.category, a.date)
            for a in awards
        )
    entries.sort(key=lambda entry: entry['time'])
    return jsonify({'solves': entries})
ファイル: challenges.py プロジェクト: cacadosman/CTFn
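def challenges_view_contest(contest_slug):
    """Render the challenge page for the contest identified by ``contest_slug``.

    Non-admins outside CTF time (with post-CTF viewing disabled) get the page
    with only the "not started" / "has ended" messages; non-admins with an
    unverified email are redirected to confirmation when verification is
    required.  Otherwise, callers allowed to view this contest's challenges
    get the page rendered with the contest's column values, and everyone
    else is sent to the participation page.

    Raises:
        NotFound (404) when no contest matches ``contest_slug``.
    """
    # first_or_404() instead of first(): a missing contest used to surface as
    # AttributeError on contest.starttime (HTTP 500).
    contest = Contests.query.filter_by(slug=contest_slug).first_or_404()

    errors = []
    start = contest.starttime or 0
    end = contest.endtime or 0
    if not utils.is_admin():  # User is not an admin
        if not utils.ctftime() and not utils.view_after_ctf():
            # It is not CTF time and we are NOT allowed to view after the CTF
            # ends.  The "not started" check was inverted here (missing
            # ``not``) relative to the same check further down.
            if not utils.ctf_started(contest=contest):
                errors.append('{} has not started yet'.format(contest.name))
            if utils.ctf_ended(contest=contest) and not utils.view_after_ctf():
                errors.append('{} has ended'.format(contest.name))
            return render_template('chals.html',
                                   errors=errors,
                                   start=start,
                                   end=end)
        if utils.get_config('verify_emails') and not utils.is_verified():  # User is not confirmed
            return redirect(url_for('auth.confirm_user'))

    if not utils.user_can_view_challenges(contest=contest):  # Do we allow unauthenticated users?
        return redirect(
            url_for("contests.contest_participate", contest_slug=contest_slug))

    if not utils.ctf_started(contest=contest):
        errors.append('{} has not started yet'.format(contest.name))
    if utils.ctf_ended(contest=contest) and not utils.view_after_ctf(contest=contest):
        errors.append('{} has ended'.format(contest.name))
    # Copy the instance __dict__ before stripping SQLAlchemy's bookkeeping
    # key: vars() returns the live dict, and popping from it damaged the
    # mapped instance (the original re-queried the contest here, which the
    # session's identity map turns into the very same object anyway).
    contest_dict = dict(vars(contest))
    contest_dict.pop('_sa_instance_state', None)
    return render_template('chals.html',
                           errors=errors,
                           start=start,
                           end=end,
                           contest=contest_dict)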
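def student(studentid):
    """Render (GET) or serialize (POST) one student's solve record.

    Anonymous callers are sent to login when the scoreboard requires
    authentication; non-admins may only view their own record and get the
    403 page otherwise.  404 when no such student exists.  GET renders
    ``student.html`` with solves, awards, score and place; POST returns
    ``{'solves': [...]}`` with each solve's id, challenge id and student id.
    """
    if get_config('view_scoreboard_if_authed') and not authed():
        return redirect(url_for('auth.login', next=request.path))
    # session.get(): when the config above is off an anonymous caller reaches
    # this line with no 'id' in the session, and session['id'] raised KeyError
    # (HTTP 500).  A missing id cannot match, so they still get the 403 page.
    if not is_admin() and session.get('id') != studentid:
        return render_template('errors/403.html')
    user = Students.query.filter_by(id=studentid).first_or_404()
    # Left as a lazy query (not .all()) exactly as before; it is iterated by
    # the template / the POST branch after db.session.close().
    solves = Solves.query.filter_by(studentid=studentid)
    awards = Awards.query.filter_by(studentid=studentid).all()
    score = user.score()
    place = user.place()
    db.session.close()

    if request.method == 'GET':
        return render_template('student.html', solves=solves, awards=awards, student=user, score=score, place=place)
    elif request.method == 'POST':
        entries = [{'id': x.id, 'chal': x.chalid, 'student': x.studentid} for x in solves]
        return jsonify({'solves': entries})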
ファイル: challenges.py プロジェクト: Evil404/CTFd
def chals():
    """Return the visible challenge list as JSON (``{'game': [...]}``).

    Non-admins outside CTF time are sent to the static landing page unless
    post-CTF viewing is enabled; callers who may not view challenges are
    redirected to login.  Hidden challenges are filtered out and the rest
    are ordered by value; each entry carries tag names and file locations.
    """
    if not is_admin() and not ctftime() and not view_after_ctf():
        return redirect(url_for('views.static_html'))
    if not can_view_challenges():
        db.session.close()
        return redirect(url_for('auth.login', next='chals'))

    rows = Challenges.query.filter(or_(Challenges.hidden != True, Challenges.hidden == None)).add_columns('id', 'name', 'value', 'description', 'category').order_by(Challenges.value).all()

    # add_columns() rows are (Challenges, id, name, value, description, category).
    game = []
    for row in rows:
        tag_names = [tag.tag for tag in Tags.query.add_columns('tag').filter_by(chal=row[1]).all()]
        locations = [str(f.location) for f in Files.query.filter_by(chal=row.id).all()]
        game.append({
            'id': row[1],
            'name': row[2],
            'value': row[3],
            'description': row[4],
            'category': row[5],
            'files': locations,
            'tags': tag_names
        })

    db.session.close()
    return jsonify({'game': game})
ファイル: admin.py プロジェクト: iwarsong/CTFd
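def admin_view():
    """Admin login page.

    POST: looks up an admin team by the submitted ``name`` and checks the
    submitted ``password`` against its bcrypt-sha256 hash.  On success the
    session is regenerated (where the session backend supports it), marked
    as admin, given a fresh nonce, and the caller is redirected to the graphs
    page.  A failed or incomplete login, like a GET, renders the login
    template; callers who are already admins are redirected straight to the
    graphs page.
    """
    if request.method == 'POST':
        username = request.form.get('name')
        password = request.form.get('password')

        # Only look the account up when both fields are present; the original
        # re-read request.form['name'] (400 on a missing field) and left
        # these two locals unused.
        admin_user = None
        if username and password:
            admin_user = Teams.query.filter_by(name=username, admin=True).first()
        # NOTE(review): verify() runs only when a matching admin exists, so
        # response time differs between unknown and known admin names.
        if admin_user and bcrypt_sha256.verify(password, admin_user.password):
            try:
                session.regenerate()  # NO SESSION FIXATION FOR YOU
            except (AttributeError, NotImplementedError):
                # Some session objects don't implement regenerate(); only that
                # case is tolerated — the bare except also swallowed
                # KeyboardInterrupt and every other error.
                pass
            session['username'] = admin_user.name
            session['id'] = admin_user.id
            session['admin'] = True
            session['nonce'] = sha512(os.urandom(10))
            db.session.close()
            return redirect('/admin/graphs')

    if is_admin():
        return redirect('/admin/graphs')

    return render_template('admin/login.html')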
ファイル: admin.py プロジェクト: Saffana/CTFd
def admin_view():
    """Entry point for the admin area.

    Admins are sent to the graphs page; everyone else to the regular login
    page (this variant has no separate admin login form).
    """
    target = 'admin.admin_graphs' if is_admin() else 'auth.login'
    return redirect(url_for(target))