def test_api_pages_get_non_admin():
"""Can a user get /api/v1/pages if not admin"""
app = create_ctfd()
with app.app_context():
with app.test_client() as client:
gen_page(app.db, title="title", route="/route", content="content")
r = client.get('/api/v1/pages', json="")
assert r.status_code == 403
# test_api_pages_post_non_admin
"""Can a user post /api/v1/pages if not admin"""
r = client.post('/api/v1/pages')
assert r.status_code == 403
# test_api_page_get_non_admin
"""Can a user get /api/v1/pages/<page_id> if not admin"""
r = client.get('/api/v1/pages/2', json="")
assert r.status_code == 403
# test_api_page_patch_non_admin
r = client.patch('/api/v1/pages/2', json="")
assert r.status_code == 403
# test_api_page_delete_non_admin
"""Can a user delete /api/v1/pages/<page_id> if not admin"""
r = client.delete('/api/v1/pages/2', json="")
assert r.status_code == 403
destroy_ctfd(app)
def test_api_page_get_admin():
"""Can a user get /api/v1/pages/<page_id> if admin"""
app = create_ctfd()
with app.app_context():
gen_page(app.db, title="title", route="/route", content="content")
with login_as_user(app, 'admin') as client:
r = client.get('/api/v1/pages/2', json="")
assert r.status_code == 200
destroy_ctfd(app)
def test_api_page_delete_admin():
"""Can a user patch /api/v1/pages/<page_id> if admin"""
app = create_ctfd()
with app.app_context():
gen_page(app.db, title="title", route="/route", content="content")
with login_as_user(app, "admin") as client:
r = client.delete("/api/v1/pages/2", json="")
assert r.status_code == 200
assert r.get_json().get("data") is None
destroy_ctfd(app)
def test_page():
"""Test that users can access pages that are created in the database"""
app = create_ctfd()
with app.app_context():
gen_page(
app.db, title="Title", route="this-is-a-route", content="This is some HTML"
)
with app.test_client() as client:
r = client.get("/this-is-a-route")
assert r.status_code == 200
destroy_ctfd(app)
def test_pages_routing_and_rendering():
"""Test that pages are routing and rendering"""
app = create_ctfd()
with app.app_context():
html = """##The quick brown fox jumped over the lazy dog"""
route = "test"
title = "Test"
gen_page(app.db, title, route, html)
with app.test_client() as client:
r = client.get("/test")
output = r.get_data(as_text=True)
assert "<h2>The quick brown fox jumped over the lazy dog</h2>" in output
destroy_ctfd(app)
def test_admin_access():
"""Can a user access admin pages?"""
app = create_ctfd()
with app.app_context():
gen_page(app.db, title="title", route="/route", content="content")
gen_challenge(app.db)
gen_team(app.db)
routes = [
"/admin/challenges/new",
"/admin/export/csv",
# '/admin/pages/preview',
"/admin/pages/new",
"/admin/teams/new",
"/admin/users/new",
"/admin/notifications",
"/admin/challenges",
"/admin/scoreboard",
"/admin/statistics",
"/admin/export",
"/admin/config",
"/admin/pages",
"/admin/teams",
"/admin/users",
"/admin",
"/admin/submissions/correct",
"/admin/submissions/incorrect",
"/admin/submissions",
"/admin/challenges/1",
# '/admin/plugins/<plugin>',
"/admin/pages/1",
"/admin/teams/1",
"/admin/users/1",
]
register_user(app)
client = login_as_user(app)
for route in routes:
r = client.get(route)
assert r.status_code == 302
assert r.location.startswith("http://localhost/login")
admin = login_as_user(app, name="admin")
routes.remove("/admin")
routes.remove("/admin/export/csv")
routes.remove("/admin/export")
for route in routes:
r = admin.get(route)
assert r.status_code == 200
destroy_ctfd(app)
def test_draft_pages():
"""Test that draft pages can't be seen"""
app = create_ctfd()
with app.app_context():
gen_page(app.db,
title="Title",
route="this-is-a-route",
content="This is some HTML",
draft=True)
with app.test_client() as client:
r = client.get('/this-is-a-route')
assert r.status_code == 404
register_user(app)
client = login_as_user(app)
r = client.get('/this-is-a-route')
assert r.status_code == 404
destroy_ctfd(app)
def test_api_page_patch_admin():
"""Can a user patch /api/v1/pages/<page_id> if admin"""
app = create_ctfd()
with app.app_context():
gen_page(app.db, title="title", route="/route", content="content")
with login_as_user(app, 'admin') as client:
with client.session_transaction() as sess:
nonce = sess.get('nonce')
r = client.patch('/api/v1/pages/2',
json={
"title": "Title",
"route": "/route",
"content": "content_edit",
"id": "2",
"nonce": nonce,
"auth_required": False
})
assert r.status_code == 200
assert r.get_json()['data']['content'] == "content_edit"
destroy_ctfd(app)
def test_page_requiring_auth():
"""Test that pages properly require authentication"""
app = create_ctfd()
with app.app_context():
gen_page(app.db,
title="Title",
route="this-is-a-route",
content="This is some HTML",
auth_required=True)
with app.test_client() as client:
r = client.get('/this-is-a-route')
assert r.status_code == 302
assert r.location == 'http://localhost/login?next=%2Fthis-is-a-route%3F'
register_user(app)
client = login_as_user(app)
r = client.get('/this-is-a-route')
assert r.status_code == 200
destroy_ctfd(app)
def test_api_page_patch_admin():
"""Can a user patch /api/v1/pages/<page_id> if admin"""
app = create_kmactf()
with app.app_context():
gen_page(app.db, title="title", route="/route", content="content")
with login_as_user(app, "admin") as client:
with client.session_transaction() as sess:
nonce = sess.get("nonce")
r = client.patch(
"/api/v1/pages/2",
json={
"title": "Title",
"route": "/route",
"content": "content_edit",
"id": "2",
"nonce": nonce,
"auth_required": False,
},
)
assert r.status_code == 200
assert r.get_json()["data"]["content"] == "content_edit"
destroy_kmactf(app)
def test_hidden_pages():
"""Test that hidden pages aren't on the navbar but can be loaded"""
app = create_ctfd()
with app.app_context():
page = gen_page(
app.db,
title="HiddenPageTitle",
route="this-is-a-hidden-route",
content="This is some HTML",
hidden=True,
)
clear_pages()
assert page not in get_pages()
with app.test_client() as client:
r = client.get("/")
assert r.status_code == 200
assert "HiddenPageTitle" not in r.get_data(as_text=True)
with app.test_client() as client:
r = client.get("/this-is-a-hidden-route")
assert r.status_code == 200
assert "This is some HTML" in r.get_data(as_text=True)
destroy_ctfd(app)
