def test_api_user_change_verify_email():
"""Test that users are marked unconfirmed if they change their email and verify_emails is turned on"""
app = create_ctfd()
with app.app_context():
set_config("verify_emails", True)
register_user(app)
user = Users.query.filter_by(id=2).first()
user.verified = True
app.db.session.commit()
with login_as_user(app) as client:
r = client.patch(
"/api/v1/users/me",
json={"email": "*****@*****.**", "confirm": "password"},
)
assert r.status_code == 200
resp = r.get_json()
assert resp["data"]["email"] == "*****@*****.**"
assert resp["success"] is True
user = Users.query.filter_by(id=2).first()
assert user.verified is False
destroy_ctfd(app)
def test_submitting_correct_regex_case_insensitive_flag():
"""Test that correct regex flags are correct if the regex flag is marked case_insensitive"""
app = create_ctfd()
with app.app_context():
register_user(app)
client = login_as_user(app)
chal = gen_challenge(app.db)
gen_flag(
app.db,
challenge_id=chal.id,
type="regex",
content="flag",
data="case_insensitive",
)
data = {"submission": "FLAG", "challenge_id": chal.id}
r = client.post("/api/v1/challenges/attempt", json=data)
assert r.status_code == 200
resp = r.get_json()["data"]
assert resp.get("status") == "correct"
assert resp.get("message") == "Correct"
destroy_ctfd(app)
def test_api_user_patch_admin():
"""Can a user patch /api/v1/users/<user_id> if admin"""
app = create_ctfd()
with app.app_context():
register_user(app)
with login_as_user(app, "admin") as client:
r = client.patch(
"/api/v1/users/2",
json={
"name": "user",
"email": "*****@*****.**",
"password": "******",
"country": "US",
"verified": True,
},
)
assert r.status_code == 200
user_data = r.get_json()["data"][0]
assert user_data["country"] == "US"
assert user_data["verified"] is True
destroy_ctfd(app)
def test_ratelimit_on_auth():
"""Test that ratelimiting function works properly"""
app = create_ctfd()
with app.app_context():
register_user(app)
with app.test_client() as client:
r = client.get('/login')
with client.session_transaction() as sess:
data = {
"name": "user",
"password": "******",
"nonce": sess.get('nonce')
}
for x in range(10):
r = client.post('/login', data=data)
assert r.status_code == 200
for x in range(5):
r = client.post('/login', data=data)
assert r.status_code == 429
destroy_ctfd(app)
def test_submitting_invalid_regex_flag():
"""Test that invalid regex flags are errored out to the user"""
app = create_ctfd()
with app.app_context():
register_user(app)
client = login_as_user(app)
chal = gen_challenge(app.db)
gen_flag(
app.db,
challenge_id=chal.id,
type="regex",
content="**",
data="case_insensitive",
)
data = {"submission": "FLAG", "challenge_id": chal.id}
r = client.post("/api/v1/challenges/attempt", json=data)
assert r.status_code == 200
resp = r.get_json()["data"]
assert resp.get("status") == "incorrect"
assert resp.get("message") == "Regex parse error occured"
destroy_ctfd(app)
def test_user_get_scoreboard_components():
app = create_ctfd()
with app.app_context():
register_user(app)
client = login_as_user(app)
# test_user_get_scoreboard
"""Can a registered user load scoreboard components"""
r = client.get("/scoreboard")
assert r.status_code == 200
# test_user_get_scores
"""Can a registered user load /api/v1/scoreboard"""
r = client.get("/api/v1/scoreboard")
assert r.status_code == 200
# test_user_get_topteams
"""Can a registered user load /api/v1/scoreboard/top/10"""
r = client.get("/api/v1/scoreboard/top/10")
assert r.status_code == 200
destroy_ctfd(app)
def test_theme_fallback_config():
"""Test that the `THEME_FALLBACK` config properly falls themes back to the core theme"""
app = create_ctfd()
# Make an empty theme
try:
os.mkdir(os.path.join(app.root_path, "themes", "foo"))
except OSError:
pass
# Without theme fallback, missing themes should disappear
with app.app_context():
set_config("ctf_theme", "foo")
assert app.config["THEME_FALLBACK"] == False
with app.test_client() as client:
try:
r = client.get("/")
except TemplateNotFound:
pass
try:
r = client.get("/themes/foo/static/js/pages/main.dev.js")
except TemplateNotFound:
pass
destroy_ctfd(app)
class ThemeFallbackConfig(TestingConfig):
THEME_FALLBACK = True
app = create_ctfd(config=ThemeFallbackConfig)
with app.app_context():
set_config("ctf_theme", "foo")
assert app.config["THEME_FALLBACK"] == True
with app.test_client() as client:
r = client.get("/")
assert r.status_code == 200
r = client.get("/themes/foo/static/js/pages/main.dev.js")
assert r.status_code == 200
destroy_ctfd(app)
# Remove empty theme
os.rmdir(os.path.join(app.root_path, "themes", "foo"))
def test_api_team_get_solves_after_freze_time():
"""Can a user get /api/v1/teams/<team_id>/solves after freeze time"""
app = create_ctfd(user_mode="teams")
with app.app_context():
register_user(app)
team = gen_team(
app.db, name="team1", email="*****@*****.**", member_count=1
)
team_member = team.members[0]
tm_name = team_member.name
set_config("freeze", "1507262400")
with freeze_time("2017-10-4"):
chal = gen_challenge(app.db)
chal_id = chal.id
gen_solve(app.db, user_id=3, team_id=1, challenge_id=chal_id)
chal2 = gen_challenge(app.db)
chal2_id = chal2.id
with freeze_time("2017-10-8"):
gen_solve(app.db, user_id=3, team_id=1, challenge_id=chal2_id)
assert Solves.query.count() == 2
with login_as_user(app) as client:
r = client.get("/api/v1/teams/1/solves")
data = r.get_json()["data"]
assert len(data) == 1
with login_as_user(app, name=tm_name) as client:
r = client.get("/api/v1/teams/me/solves")
data = r.get_json()["data"]
assert len(data) == 2
with login_as_user(app, name="admin") as client:
r = client.get("/api/v1/teams/1/solves")
data = r.get_json()["data"]
assert len(data) == 2
destroy_ctfd(app)
def test_user_can_unlock_hint():
"""Test that a user can unlock a hint if they have enough points"""
app = create_ctfd()
with app.app_context():
with app.test_client():
register_user(app, name="user1", email="*****@*****.**")
chal = gen_challenge(app.db, value=100)
chal_id = chal.id
gen_flag(app.db, challenge_id=chal.id, content='flag')
hint = gen_hint(app.db, chal_id, cost=10)
hint_id = hint.id
gen_award(app.db, user_id=2, value=15)
client = login_as_user(app, name="user1", password="******")
user = Users.query.filter_by(name="user1").first()
assert user.score == 15
with client.session_transaction():
r = client.get('/api/v1/hints/{}'.format(hint_id))
resp = r.get_json()
assert resp['data'].get('content') is None
params = {"target": hint_id, "type": "hints"}
r = client.post('/api/v1/unlocks', json=params)
resp = r.get_json()
assert resp['success'] is True
r = client.get('/api/v1/hints/{}'.format(hint_id))
resp = r.get_json()
assert resp['data'].get('content') == "This is a hint"
user = Users.query.filter_by(name="user1").first()
assert user.score == 5
destroy_ctfd(app)
def test_unlocking_hints_with_cost_before_ctf():
"""Test that hints are not unlocked if the CTF hasn't begun"""
app = create_ctfd()
with app.app_context():
register_user(app)
chal = gen_challenge(app.db)
chal_id = chal.id
gen_hint(app.db, chal_id)
gen_award(app.db, user_id=2)
set_config('start', '1507089600'
) # Wednesday, October 4, 2017 12:00:00 AM GMT-04:00 DST
set_config(
'end',
'1507262400') # Friday, October 6, 2017 12:00:00 AM GMT-04:00 DST
with freeze_time("2017-10-1"):
client = login_as_user(app)
r = client.get('/api/v1/hints/1')
assert r.status_code == 403
assert r.get_json().get('data') is None
r = client.post('/api/v1/unlocks',
json={
'target': 1,
'type': 'hints'
})
assert r.status_code == 403
assert r.get_json().get('data') is None
r = client.get('/api/v1/hints/1')
assert r.get_json().get('data') is None
assert r.status_code == 403
user = Users.query.filter_by(id=2).first()
assert user.score == 100
assert Unlocks.query.count() == 0
destroy_ctfd(app)
def test_boolean_checkbox_field():
app = create_ctfd()
with app.app_context():
gen_field(app.db, name="CustomField1", field_type="boolean", required=False)
with app.test_client() as client:
r = client.get("/register")
resp = r.get_data(as_text=True)
# We should have rendered a checkbox input
assert "checkbox" in resp
with client.session_transaction() as sess:
data = {
"name": "user",
"email": "*****@*****.**",
"password": "******",
"nonce": sess.get("nonce"),
"fields[1]": "y",
}
client.post("/register", data=data)
with client.session_transaction() as sess:
assert sess["id"]
assert UserFieldEntries.query.count() == 1
assert UserFieldEntries.query.filter_by(id=1).first().value is True
with login_as_user(app) as client:
r = client.get("/settings")
resp = r.get_data(as_text=True)
assert "CustomField1" in resp
assert "checkbox" in resp
r = client.patch(
"/api/v1/users/me", json={"fields": [{"field_id": 1, "value": False}]}
)
assert r.status_code == 200
assert UserFieldEntries.query.count() == 1
assert UserFieldEntries.query.filter_by(id=1).first().value is False
destroy_ctfd(app)
def test_sendmail_with_mailgun_from_config_file(fake_post_request):
"""Does sendmail work properly with Mailgun using file configuration"""
app = create_ctfd()
with app.app_context():
app.config["MAILGUN_API_KEY"] = "key-1234567890-file-config"
app.config["MAILGUN_BASE_URL"] = "https://api.mailgun.net/v3/file.faked.com"
from_addr = get_config("mailfrom_addr") or app.config.get("MAILFROM_ADDR")
to_addr = "*****@*****.**"
msg = "this is a test"
sendmail(to_addr, msg)
ctf_name = get_config("ctf_name")
email_msg = MIMEText(msg)
email_msg["Subject"] = "Message from {0}".format(ctf_name)
email_msg["From"] = from_addr
email_msg["To"] = to_addr
fake_response = Mock()
fake_post_request.return_value = fake_response
fake_response.status_code = 200
status, message = sendmail(to_addr, msg)
args, kwargs = fake_post_request.call_args
assert args[0] == "https://api.mailgun.net/v3/file.faked.com/messages"
assert kwargs["auth"] == ("api", u"key-1234567890-file-config")
assert kwargs["timeout"] == 1.0
assert kwargs["data"] == {
"to": ["*****@*****.**"],
"text": "this is a test",
"from": "CTFd Admin <*****@*****.**>",
"subject": "Message from CTFd",
}
assert fake_response.status_code == 200
assert status is True
assert message == "Email sent"
destroy_ctfd(app)
def test_invalid_requirements_are_rejected():
"""Test that invalid requirements JSON blobs are rejected by the API"""
app = create_ctfd()
with app.app_context():
gen_challenge(app.db)
gen_challenge(app.db)
with login_as_user(app, "admin") as client:
# Test None/null values
r = client.patch("/api/v1/challenges/1",
json={"requirements": {
"prerequisites": [None]
}})
assert r.status_code == 400
assert r.get_json() == {
"success": False,
"errors": {
"requirements":
["Challenge requirements cannot have a null prerequisite"]
},
}
# Test empty strings
r = client.patch("/api/v1/challenges/1",
json={"requirements": {
"prerequisites": [""]
}})
assert r.status_code == 400
assert r.get_json() == {
"success": False,
"errors": {
"requirements":
["Challenge requirements cannot have a null prerequisite"]
},
}
# Test a valid integer
r = client.patch("/api/v1/challenges/1",
json={"requirements": {
"prerequisites": [2]
}})
assert r.status_code == 200
destroy_ctfd(app)
def test_successful_registration_email(mock_smtp):
"""Does successful_registration_notification send emails"""
app = create_ctfd()
with app.app_context():
set_config("mail_server", "localhost")
set_config("mail_port", 25)
set_config("mail_useauth", True)
set_config("mail_username", "username")
set_config("mail_password", "password")
set_config("verify_emails", True)
ctf_name = get_config("ctf_name")
from_addr = get_config("mailfrom_addr") or app.config.get(
"MAILFROM_ADDR")
from_addr = "{} <{}>".format(ctf_name, from_addr)
to_addr = "*****@*****.**"
successful_registration_notification(to_addr)
msg = "You've successfully registered for CTFd!"
if six.PY2:
email_msg = MIMEText(msg)
else:
email_msg = EmailMessage()
email_msg.set_content(msg)
email_msg["Subject"] = "Successfully registered for {ctf_name}".format(
ctf_name=ctf_name)
email_msg["From"] = from_addr
email_msg["To"] = to_addr
if six.PY2:
mock_smtp.return_value.sendmail.assert_called_with(
from_addr, [to_addr], email_msg.as_string())
else:
mock_smtp.return_value.send_message.assert_called()
assert str(mock_smtp.return_value.send_message.call_args[0]
[0]) == str(email_msg)
destroy_ctfd(app)
def test_verify_email(mock_smtp):
"""Does verify_email send emails"""
app = create_ctfd()
with app.app_context():
set_config("mail_server", "localhost")
set_config("mail_port", 25)
set_config("mail_useauth", True)
set_config("mail_username", "username")
set_config("mail_password", "password")
set_config("verify_emails", True)
ctf_name = get_config("ctf_name")
from_addr = get_config("mailfrom_addr") or app.config.get(
"MAILFROM_ADDR")
from_addr = "{} <{}>".format(ctf_name, from_addr)
to_addr = "*****@*****.**"
with freeze_time("2012-01-14 03:21:34"):
verify_email_address(to_addr)
# This is currently not actually validated
msg = (
"Please click the following link to confirm"
" your email address for CTFd:"
" http://localhost/confirm/InVzZXJAdXNlci5jb20i.TxD0vg.28dY_Gzqb1TH9nrcE_H7W8YFM-U"
)
ctf_name = get_config("ctf_name")
email_msg = EmailMessage()
email_msg.set_content(msg)
email_msg["Subject"] = "Confirm your account for {ctf_name}".format(
ctf_name=ctf_name)
email_msg["From"] = from_addr
email_msg["To"] = to_addr
mock_smtp.return_value.send_message.assert_called()
assert str(mock_smtp.return_value.send_message.call_args[0][0]) == str(
email_msg)
destroy_ctfd(app)
def test_verify_email(mock_smtp):
"""Does verify_email send emails"""
app = create_ctfd()
with app.app_context():
set_config("mail_server", "localhost")
set_config("mail_port", 25)
set_config("mail_useauth", True)
set_config("mail_username", "username")
set_config("mail_password", "password")
set_config("verify_emails", True)
ctf_name = get_config("ctf_name")
from_addr = get_config("mailfrom_addr") or app.config.get(
"MAILFROM_ADDR")
from_addr = "{} <{}>".format(ctf_name, from_addr)
to_addr = "*****@*****.**"
with freeze_time("2012-01-14 03:21:34"):
verify_email_address(to_addr)
# This is currently not actually validated
msg = (
"Please click the following link to confirm"
" your email address for CTFd:"
" http://localhost/confirm/InVzZXJAdXNlci5jb20i.TxD0vg.28dY_Gzqb1TH9nrcE_H7W8YFM-U"
)
ctf_name = get_config("ctf_name")
email_msg = MIMEText(msg)
email_msg["Subject"] = "Confirm your account for {ctf_name}".format(
ctf_name=ctf_name)
email_msg["From"] = from_addr
email_msg["To"] = to_addr
# Need to freeze time to predict the value of the itsdangerous token.
# For now just assert that sendmail was called.
mock_smtp.return_value.sendmail.assert_called_with(
from_addr, [to_addr], email_msg.as_string())
destroy_ctfd(app)
def test_api_users_post_admin():
"""Can a user post /api/v1/users if admin"""
app = create_ctfd()
with app.app_context():
with login_as_user(app, "admin") as client:
# Create user
r = client.post(
"/api/v1/users",
json={"name": "user", "email": "*****@*****.**", "password": "******"},
)
assert r.status_code == 200
# Make sure password was hashed properly
user = Users.query.filter_by(email="*****@*****.**").first()
assert user
assert verify_password("password", user.password)
# Make sure user can login with the creds
client = login_as_user(app)
r = client.get("/profile")
assert r.status_code == 200
destroy_ctfd(app)
def test_api_accessing_banned_users():
"""Banned users should not be visible to normal users, only to admins"""
app = create_ctfd()
with app.app_context():
register_user(app, name="visible_user", email="*****@*****.**")
register_user(app, name="banned_user", email="*****@*****.**") # ID 3
user = Users.query.filter_by(name="banned_user").first()
user.banned = True
app.db.session.commit()
with login_as_user(app, name="visible_user") as client:
assert client.get("/api/v1/users/3").status_code == 404
assert client.get("/api/v1/users/3/solves").status_code == 404
assert client.get("/api/v1/users/3/fails").status_code == 404
assert client.get("/api/v1/users/3/awards").status_code == 404
with login_as_user(app, name="admin") as client:
assert client.get("/api/v1/users/3").status_code == 200
assert client.get("/api/v1/users/3/solves").status_code == 200
assert client.get("/api/v1/users/3/fails").status_code == 200
assert client.get("/api/v1/users/3/awards").status_code == 200
destroy_ctfd(app)
def test_api_admin_user_patch_me_logged_in():
"""Can an admin patch /api/v1/users/me"""
app = create_ctfd()
with app.app_context():
with login_as_user(app, name="admin") as client:
r = client.patch(
"/api/v1/users/me",
json={
"name": "user",
"email": "*****@*****.**",
"password": "******",
"confirm": "password",
"country": "US",
},
)
assert r.status_code == 200
assert r.get_json()["data"]["country"] == "US"
user = Users.query.filter_by(id=1).first()
assert user.name == "user"
assert user.email == "*****@*****.**"
destroy_ctfd(app)
def test_teams_join_post():
"""Can a user post /teams/join"""
app = create_ctfd(user_mode="teams")
with app.app_context():
gen_user(app.db, name="user")
gen_team(app.db, name="team")
with login_as_user(app) as client:
r = client.get("/teams/join")
assert r.status_code == 200
with client.session_transaction() as sess:
data = {
"name": "team",
"password": "******",
"nonce": sess.get("nonce"),
}
r = client.post("/teams/join", data=data)
assert r.status_code == 302
incorrect_data = data
incorrect_data["password"] = ""
r = client.post("/teams/join", data=incorrect_data)
assert r.status_code == 200
destroy_ctfd(app)
def test_sendmail_with_mailgun_from_db_config(fake_post_request):
"""Does sendmail work properly with Mailgun using database configuration"""
app = create_ctfd()
with app.app_context():
app.config["MAILGUN_API_KEY"] = "key-1234567890-file-config"
app.config[
"MAILGUN_BASE_URL"] = "https://api.mailgun.net/v3/file.faked.com"
# db values should take precedence over file values
set_config("mailgun_api_key", "key-1234567890-db-config")
set_config("mailgun_base_url",
"https://api.mailgun.net/v3/db.faked.com")
to_addr = "*****@*****.**"
msg = "this is a test"
sendmail(to_addr, msg)
fake_response = Mock()
fake_post_request.return_value = fake_response
fake_response.status_code = 200
status, message = sendmail(to_addr, msg)
args, kwargs = fake_post_request.call_args
assert args[0] == "https://api.mailgun.net/v3/db.faked.com/messages"
assert kwargs["auth"] == ("api", u"key-1234567890-db-config")
assert kwargs["timeout"] == 1.0
assert kwargs["data"] == {
"to": ["*****@*****.**"],
"text": "this is a test",
"from": "CTFd <*****@*****.**>",
"subject": "Message from CTFd",
}
assert fake_response.status_code == 200
assert status is True
assert message == "Email sent"
destroy_ctfd(app)
def test_team_fields_required_on_creation():
app = create_ctfd(user_mode="teams")
with app.app_context():
register_user(app)
gen_field(app.db, type="team")
with app.app_context():
with login_as_user(app) as client:
assert Teams.query.count() == 0
r = client.get("/teams/new")
resp = r.get_data(as_text=True)
assert "CustomField" in resp
assert "CustomFieldDescription" in resp
with client.session_transaction() as sess:
data = {
"name": "team",
"password": "******",
"nonce": sess.get("nonce"),
}
r = client.post("/teams/new", data=data)
assert "Please provide all required fields" in r.get_data(as_text=True)
assert Teams.query.count() == 0
with client.session_transaction() as sess:
data = {
"name": "team",
"password": "******",
"fields[1]": "CustomFieldEntry",
"nonce": sess.get("nonce"),
}
r = client.post("/teams/new", data=data)
assert r.status_code == 302
assert Teams.query.count() == 1
entry = TeamFieldEntries.query.filter_by(id=1).first()
assert entry.team_id == 1
assert entry.value == "CustomFieldEntry"
destroy_ctfd(app)
def test_api_tag_list_get():
"""Can a user get /api/v1/tokens"""
app = create_ctfd()
with app.app_context():
user = gen_user(app.db, name="user")
generate_user_token(user)
user2 = gen_user(app.db, name="user2", email="*****@*****.**")
generate_user_token(user2)
generate_user_token(user2)
with login_as_user(app) as client:
r = client.get("/api/v1/tokens", json="")
assert r.status_code == 200
resp = r.get_json()
len(resp["data"]) == 1
with login_as_user(app, name="user2") as client:
r = client.get("/api/v1/tokens", json="")
assert r.status_code == 200
resp = r.get_json()
len(resp["data"]) == 2
destroy_ctfd(app)
def test_s3_uploader():
conn = boto3.resource("s3", region_name="us-east-1")
conn.create_bucket(Bucket="bucket")
app = create_ctfd()
with app.app_context():
app.config["UPLOAD_PROVIDER"] = "s3"
app.config["AWS_ACCESS_KEY_ID"] = "AKIAIOSFODNN7EXAMPLE"
app.config[
"AWS_SECRET_ACCESS_KEY"] = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
app.config["AWS_S3_BUCKET"] = "bucket"
uploader = S3Uploader()
assert uploader.s3
assert uploader.bucket == "bucket"
fake_file = BytesIO("fakedfile".encode())
path = uploader.upload(fake_file, "fake_file.txt")
assert "fake_file.txt" in uploader.download(path).location
destroy_ctfd(app)
def test_sendmail_with_smtp_from_config_file(mock_smtp):
"""Does sendmail work properly with simple SMTP mail servers using file configuration"""
app = create_ctfd()
with app.app_context():
app.config["MAIL_SERVER"] = "localhost"
app.config["MAIL_PORT"] = "25"
app.config["MAIL_USEAUTH"] = "True"
app.config["MAIL_USERNAME"] = "******"
app.config["MAIL_PASSWORD"] = "******"
ctf_name = get_config("ctf_name")
from_addr = get_config("mailfrom_addr") or app.config.get(
"MAILFROM_ADDR")
from_addr = "{} <{}>".format(ctf_name, from_addr)
to_addr = "*****@*****.**"
msg = "this is a test"
sendmail(to_addr, msg)
ctf_name = get_config("ctf_name")
if six.PY2:
email_msg = MIMEText(msg)
else:
email_msg = EmailMessage()
email_msg.set_content(msg)
email_msg["Subject"] = "Message from {0}".format(ctf_name)
email_msg["From"] = from_addr
email_msg["To"] = to_addr
if six.PY2:
mock_smtp.return_value.sendmail.assert_called_with(
from_addr, [to_addr], email_msg.as_string())
else:
mock_smtp.return_value.send_message.assert_called()
assert str(mock_smtp.return_value.send_message.call_args[0]
[0]) == str(email_msg)
destroy_ctfd(app)
def test_api_hint_admin_access():
"""Can the users patch/delete /api/v1/hint/<hint_id> if not admin"""
app = create_ctfd()
with app.app_context():
chal = gen_challenge(app.db)
gen_hint(app.db,
chal.id,
content="This is a hint",
cost=1,
type="standard")
admin = login_as_user(app, "admin")
register_user(app)
client = login_as_user(app)
r = client.patch("/api/v1/hints/1", json="")
assert r.status_code == 403
r = client.delete("/api/v1/hints/1", json="")
assert r.status_code == 403
r_admin = admin.patch("/api/v1/hints/1", json={"cost": 2})
assert r_admin.status_code == 200
r_admin = admin.delete("/api/v1/hints/1", json="")
assert r_admin.status_code == 200
destroy_ctfd(app)
def test_api_team_disbanding_disabled():
"""Test that team disbanding can be disabled"""
app = create_ctfd(user_mode="teams")
with app.app_context():
set_config("team_disbanding", "disabled")
team = gen_team(app.db)
captain = Users.query.filter_by(id=team.captain_id).first()
app.db.session.commit()
with login_as_user(app, name=captain.name) as client:
r = client.delete("/api/v1/teams/me", json="")
assert r.status_code == 403
assert r.get_json() == {
"success": False,
"errors": {
"": ["Team disbanding is currently disabled"]
},
}
set_config("team_disbanding", "inactive_only")
with login_as_user(app, name=captain.name) as client:
r = client.delete("/api/v1/teams/me", json="")
assert r.status_code == 200
destroy_ctfd(app)
def test_api_page_patch_admin():
"""Can a user patch /api/v1/pages/<page_id> if admin"""
app = create_ctfd()
with app.app_context():
gen_page(app.db, title="title", route="/route", content="content")
with login_as_user(app, "admin") as client:
with client.session_transaction() as sess:
nonce = sess.get("nonce")
r = client.patch(
"/api/v1/pages/2",
json={
"title": "Title",
"route": "/route",
"content": "content_edit",
"id": "2",
"nonce": nonce,
"auth_required": False,
},
)
assert r.status_code == 200
assert r.get_json()["data"]["content"] == "content_edit"
destroy_ctfd(app)
def test_page_requiring_auth():
"""Test that pages properly require authentication"""
app = create_ctfd()
with app.app_context():
gen_page(
app.db,
title="Title",
route="this-is-a-route",
content="This is some HTML",
auth_required=True,
)
with app.test_client() as client:
r = client.get("/this-is-a-route")
assert r.status_code == 302
assert r.location == "http://localhost/login?next=%2Fthis-is-a-route%3F"
register_user(app)
client = login_as_user(app)
r = client.get("/this-is-a-route")
assert r.status_code == 200
destroy_ctfd(app)
def test_register_user_page_menu_bar():
"""
Test that the register_user_page_menu_bar() properly inserts into HTML and get_user_page_menu_bar() returns the
proper list.
"""
app = create_ctfd()
with app.app_context():
register_user_page_menu_bar(
title="test_user_menu_link", route="/test_user_href"
)
with app.test_client() as client:
r = client.get("/")
output = r.get_data(as_text=True)
assert "/test_user_href" in output
assert "test_user_menu_link" in output
menu_item = get_user_page_menu_bar()[0]
assert menu_item.title == "test_user_menu_link"
assert menu_item.route == "/test_user_href"
destroy_ctfd(app)
