|
| 1 | +2.1.0 / 2019-04-24 |
| 2 | +================== |
| 3 | + |
| 4 | +**General** |
| 5 | +* Remove Flask-SocketIO in favor of custom Server Side Events code |
| 6 | + * Removed the Flask-SocketIO dependency and removed all related code. See **Deployment** section. |
| 7 | + * Added EventSource polyfill from Yaffle/EventSource |
| 8 | + * Events are now rate-limited and only availble to authenticated users |
| 9 | + * This means real time notifications will only appear to authenticated users |
| 10 | + * Browser localStorage is now used to dictate which tab will maintain the persistent connection to the `/events` endpoint |
| 11 | + * Thanks to https://gist.github.com/neilj/4146038 |
| 12 | + * Notifications (currently the only use of the events code) now appear with a notification sound |
| 13 | + * Thanks to [Terrence Martin](https://soundcloud.com/tj-martin-composer) for the sound |
| 14 | +* Added UI to delete and download files from the media library |
| 15 | +* Progress bars have been added to some actions which could take time |
| 16 | + * To file uploads on challenge page |
| 17 | + * To file uploads on the page editor page |
| 18 | + * To the import CTF functionality |
| 19 | +* Challenge file downloads now require a token to download |
| 20 | + * `/files/<path>` now accepts a `?token=` parameter which is a serialized version of `{user_id: <>, team_id: <>, file_id: <>}` |
| 21 | + * If any of these sections are invalid or the user/team is banned the download is blocked |
| 22 | + * This allows files to be downloaded via `curl` or `wget` (i.e. without cookie authentication) |
| 23 | +* Added a team captain concept. Team captains can edit team information such as name, team password, website, etc. |
| 24 | + * Only captains can change their team's captain |
| 25 | + * Captains are the first to join the team. But they can be transferred to the true captain later on |
| 26 | +* Cache `/api/v1/scoreboard` and `/api/v1/scoreboard/top/[count]` |
| 27 | + * Adds `cache.make_cache_key` because Flask-Caching is unable to cleanly determine the endpoint for Flask-Restplus |
| 28 | + * This helper may change in a future release or be deprecated by an improvement in Flask-Caching |
| 29 | +* Properly load hidden and banned properties in the admin team edit modal |
| 30 | +* Adds a hover color change on table rows in the admin panel. |
| 31 | + * If a table row specifies the `data-href` attribute it will become clickable |
| 32 | +* Add a simple Makefile to wrap some basic commands |
| 33 | + * make lint: lint the code base |
| 34 | + * make test: test the code base |
| 35 | + * make serve: create a debug application server |
| 36 | + * make shell: create a Python shell with the application preloaded |
| 37 | +* Started work on a Sphinx documentation site available at [https://docs.ctfd.io](https://docs.ctfd.io) |
| 38 | + |
| 39 | +**Dependencies** |
| 40 | +* Upgraded `SQLAlchemy` to 1.3.3 for proper JSON columns in SQLite |
| 41 | +* Pin `Werkzeug==0.15.2` in requirements.txt |
| 42 | +* Flask-Profiler added to `serve.py --profile` |
| 43 | + |
| 44 | +**Models** |
| 45 | +* Awards table now has a `type` column which is used as a polymorphic identity |
| 46 | +* Add `Teams.captain_id` column to Teams table |
| 47 | + |
| 48 | +**API** |
| 49 | +* Added /api/v1/teams/[team_id]/members |
| 50 | +* Cache `/api/v1/scoreboard` and `/api/v1/scoreboard/top/[count]` |
| 51 | + * Adds `cache.make_cache_key` because Flask-Caching is unable to cleanly determine the endpoint for Flask-Restplus |
| 52 | + * This helper may change in a future release or be deprecated by an improvement in Flask-Caching |
| 53 | +* Add `/api/v1/users?notify=true` to email user & password after creating new account |
| 54 | +* Fix issue where admins could not modify their own profile or their own team |
| 55 | + |
| 56 | +**Plugins** |
| 57 | +* `CTFd.utils.security.passwords` deprecated and now available at `CTFd.utils.crypto` |
| 58 | +* Built-in challenge plugins now linkify challenge text properly |
| 59 | +* Challenge type plugins do not have to append `script_root` to file downloads anymore as that will now be managed by the API |
| 60 | +* Awards are now polymorphic and subtables can be created for them |
| 61 | + |
| 62 | +**Themes** |
| 63 | +* Fix spelling mistake in `500.html` |
| 64 | +* Removed `socket.io.min.js` from `base.html` |
| 65 | +* Added EventSource polyfill from Yaffle/EventSource |
| 66 | +* Added `howler.js` to play notification sounds |
| 67 | +* Vendored/duplicated files which were shared between the `admin` and `core` themes have been de-duped |
| 68 | + * The files used in the `core` theme should now be considered free to use by other themes |
| 69 | +* CTF start and end times are now injected into `base.html` and available in the `CTFd.js` object |
| 70 | +* Register page now properly says "User Name" instead of "Team Name" since only users can see the Register page |
| 71 | +* Users and Teams pages now use a public and private page. |
| 72 | + * user.html -> users/public.html and users/private.html |
| 73 | + * team.html -> teams/public.html and teams/private.html |
| 74 | +* Separate `admin/templates/modals/users/create.html` into `admin/templates/modals/users/edit.html` |
| 75 | + |
| 76 | +**Exports** |
| 77 | +* Exports will now properly export JSON for all JSON columns |
| 78 | + * In some configurations the column would be exported as a string. |
| 79 | + * Legacy string columns will still be imported properly. |
| 80 | +* Exports from old 2.x CTFd versions should upgrade and be installed properly |
| 81 | + * Any failure to do so should be considered a bug |
| 82 | + |
| 83 | +**Deployment** |
| 84 | +* User is no longer `root` in Docker image |
| 85 | + * Errors in writing log files will now fail silently as we expect a future rewrite |
| 86 | + * Logs will now also go to stdout |
| 87 | +* Update Dockerfile to create and chown/chmod the folders used by `docker-compose` to store files/logs (`/var/log/CTFd`, `/var/uploads`) |
| 88 | + * This allows the container to write to the folder despite it being a volume mounted from the host |
| 89 | +* Default worker changed back to `gevent` |
| 90 | +* Worker count set to 4 and document updated to reflect that you must set a `SECRET_KEY` |
| 91 | +* Removed Flask-SocketIO dependency |
| 92 | + * Removed the `SOCKETIO_ASYNC_MODE` config |
| 93 | +* `gevent` is now required to allow the Server Sent Events client polling code to work |
| 94 | + * If you use the provided `wsgi.py` or `gevent` gunicorn workers, there shouldn't be any issues |
| 95 | +* Cache `/api/v1/scoreboard` and `/api/v1/scoreboard/top/[count]` which is invalidated on new solves or every minute |
| 96 | + |
| 97 | +**Configuration** |
| 98 | +* Added `SWAGGER_UI` setting to config.py to control the existence of the `/api/v1/` Swagger UI documentation |
| 99 | +* Removed the `SOCKETIO_ASYNC_MODE` config |
| 100 | +* Renamed docstring that referenced `SQLALCHEMY_DATABASE_URI` to `DATABASE_URL` |
| 101 | +* The `REVERSE_PROXY` configuration can be set to `True` or to a comma seperated string of integers (e.g. `1,1,1,1,1`) |
| 102 | + * See https://werkzeug.palletsprojects.com/en/0.15.x/middleware/proxy_fix/#werkzeug.middleware.proxy_fix.ProxyFix |
| 103 | + * For example to configure `x_for=1, x_proto=1, x_host=1, x_port=1, x_prefix=1` specify `1,1,1,1,1` |
| 104 | + |
| 105 | +**Tests** |
| 106 | +* Tests are now executed in parallel |
| 107 | + * When using a non-memory database, test helpers will now randomize the database name to be able to parallelize execution |
| 108 | +* Test tool switched from `nosetests` to `pytest` |
| 109 | +* Lint tool switched from `pycodestyle` to `flake8` |
| 110 | +* Basic security checking added using `bandit` |
| 111 | +* Allow `create_ctfd()` test helper to take app configuration as an argument |
| 112 | + |
| 113 | + |
1 | 114 | 2.0.6 / 2019-04-08
|
2 | 115 | ==================
|
3 | 116 |
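Review bot: the "Challenge file downloads now require a token to download" entry should say how the `?token=` value is protected, because "a serialized version of `{user_id: <>, team_id: <>, file_id: <>}`" reads as if the parameter were plain serialized data that anyone could assemble; state whether the token is signed with the application secret and whether it expires, otherwise a reader cannot tell why a crafted or leaked token does not grant access to arbitrary files. In the same hunk, the "Cache `/api/v1/scoreboard`" bullet and its `cache.make_cache_key` sub-bullets are pasted verbatim under **General**, **API** and **Deployment**, and only the **Deployment** copy mentions the invalidation policy (new solves or every minute); keep one authoritative copy or make all three say the same thing. Under **Deployment**, "Errors in writing log files will now fail silently as we expect a future rewrite" deserves one sentence on the operational consequence, since a silent log-write failure drops the audit trail with no signal; at minimum say that stdout is the sink operators should rely on until the rewrite lands. Spelling to fix before merge: "availble" in the events bullet and "seperated" in the `REVERSE_PROXY` bullet.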