-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathtest_users.py
97 lines (80 loc) · 3.42 KB
/
test_users.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from CTFd.models import Users
from tests.helpers import (
create_ctfd,
destroy_ctfd,
gen_award,
login_as_user,
register_user,
)
def test_accessing_hidden_users():
"""Hidden users should not give any data from /users or /api/v1/users"""
app = create_ctfd()
with app.app_context():
register_user(
app, name="visible_user", email="[email protected]"
) # ID 2
register_user(
app, name="hidden_user", email="[email protected]"
) # ID 3
register_user(
app, name="banned_user", email="[email protected]"
) # ID 4
user = Users.query.filter_by(name="hidden_user").first()
user.hidden = True
app.db.session.commit()
user = Users.query.filter_by(name="banned_user").first()
user.banned = True
app.db.session.commit()
with login_as_user(app, name="visible_user") as client:
assert client.get("/users/3").status_code == 404
assert client.get("/api/v1/users/3").status_code == 404
assert client.get("/api/v1/users/3/solves").status_code == 404
assert client.get("/api/v1/users/3/fails").status_code == 404
assert client.get("/api/v1/users/3/awards").status_code == 404
assert client.get("/users/4").status_code == 404
assert client.get("/api/v1/users/4").status_code == 404
assert client.get("/api/v1/users/4/solves").status_code == 404
assert client.get("/api/v1/users/4/fails").status_code == 404
assert client.get("/api/v1/users/4/awards").status_code == 404
destroy_ctfd(app)
def test_hidden_user_visibility():
"""Hidden users should not show up on /users or /api/v1/users or /api/v1/scoreboard"""
app = create_ctfd()
with app.app_context():
register_user(app, name="hidden_user")
with login_as_user(app, name="hidden_user") as client:
user = Users.query.filter_by(id=2).first()
user_id = user.id
user_name = user.name
user.hidden = True
app.db.session.commit()
r = client.get("/users")
response = r.get_data(as_text=True)
assert user_name not in response
r = client.get("/api/v1/users")
response = r.get_json()
assert user_name not in response
gen_award(app.db, user_id)
r = client.get("/scoreboard")
response = r.get_data(as_text=True)
assert user_name not in response
r = client.get("/api/v1/scoreboard")
response = r.get_json()
assert user_name not in response
# User should re-appear after disabling hiding
# Use an API call to cause a cache clear
with login_as_user(app, name="admin") as admin:
r = admin.patch("/api/v1/users/2", json={"hidden": False})
assert r.status_code == 200
r = client.get("/users")
response = r.get_data(as_text=True)
assert user_name in response
r = client.get("/api/v1/users")
response = r.get_data(as_text=True)
assert user_name in response
r = client.get("/api/v1/scoreboard")
response = r.get_data(as_text=True)
assert user_name in response
destroy_ctfd(app)