Hidden admin team by default (CTFd#2150)

* When admins create teams in the normal creation flow, the team will be hidden by default * Closes CTFd#2144
manushadilan · Jun 29, 2022 · 3b39a9e · 3b39a9e
1 parent a2c81cb
commit 3b39a9e
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 2 deletions.
diff --git a/CTFd/teams.py b/CTFd/teams.py
@@ -278,7 +278,14 @@ def new():
         if errors:
             return render_template("teams/new_team.html", errors=errors), 403
 
-        team = Teams(name=teamname, password=passphrase, captain_id=user.id)
+        # Hide the created team if the creator is an admin
+        hidden = False
+        if user.type == "admin":
+            hidden = True
+
+        team = Teams(
+            name=teamname, password=passphrase, captain_id=user.id, hidden=hidden
+        )
 
         if website:
             team.website = website

diff --git a/tests/teams/test_auth.py b/tests/teams/test_auth.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 # -*- coding: utf-8 -*-
 
-from CTFd.models import Users, db
+from CTFd.models import Teams, Users, db
 from tests.helpers import (
     create_ctfd,
     destroy_ctfd,
@@ -210,3 +210,36 @@ def test_teams_new_post_when_already_on_team():
             user = Users.query.filter_by(name="user").first()
             assert user.team.name == "team1"
     destroy_ctfd(app)
+
+
+def test_teams_from_admin_hidden():
+    """Test that teams created by admins in /teams/new are hidden by default"""
+    app = create_ctfd(user_mode="teams")
+    with app.app_context():
+        gen_user(app.db, name="user")
+        with login_as_user(app) as client:
+            with client.session_transaction() as sess:
+                data = {
+                    "name": "team_user",
+                    "password": "password",
+                    "nonce": sess.get("nonce"),
+                }
+            r = client.post("/teams/new", data=data)
+            assert r.status_code == 302
+
+            team = Teams.query.filter_by(name="team_user").first()
+            assert team.hidden == False
+
+        with login_as_user(app, "admin") as client:
+            with client.session_transaction() as sess:
+                data = {
+                    "name": "team_admin",
+                    "password": "password",
+                    "nonce": sess.get("nonce"),
+                }
+            r = client.post("/teams/new", data=data)
+            assert r.status_code == 302
+
+            team = Teams.query.filter_by(name="team_admin").first()
+            assert team.hidden == True
+    destroy_ctfd(app)