Fix download with auth token fail after ctf (458ce2e) (CTFd#2011)

* Fix issue where unauthed users couldn't download challenge files after CTF end but viewing after CTF was enabled
manushadilan · Mar 7, 2022 · a868faf · a868faf
1 parent de6f8e0
commit a868faf
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 1 deletion.
diff --git a/CTFd/views.py b/CTFd/views.py
@@ -409,8 +409,17 @@ def files(path):
                     else:
                         abort(403)
         else:
+            # User cannot view challenges based on challenge visibility
+            # e.g. ctf requires registration but user isn't authed or
+            # ctf requires admin account but user isn't admin
             if not ctftime():
-                abort(403)
+                # It's not CTF time. The only edge case is if the CTF is ended
+                # but we have view_after_ctf enabled
+                if ctf_ended() and view_after_ctf():
+                    pass
+                else:
+                    # In all other situations we should block challenge files
+                    abort(403)
 
             # Allow downloads if a valid token is provided
             token = request.args.get("token", "")

diff --git a/tests/test_views.py b/tests/test_views.py
@@ -383,6 +383,19 @@ def test_user_can_access_files_with_auth_token():
                         r = admin.get(file_url)
                         assert r.status_code == 200
                         assert r.get_data(as_text=True) == "testing file load"
+
+                with freeze_time("2017-10-7"):
+                    # Friday, October 6, 2017 12:00:00 AM GMT-04:00 DST
+                    set_config("end", "1507262400")
+                    set_config("view_after_ctf", True)
+                    for v in ("public", "private"):
+                        set_config("challenge_visibility", v)
+
+                        # Unauthed users should be able to download if view_after_ctf
+                        client = app.test_client()
+                        r = client.get(file_url)
+                        assert r.status_code == 200
+                        assert r.get_data(as_text=True) == "testing file load"
         finally:
             rmdir(directory)
     destroy_ctfd(app)
@@ -428,6 +441,12 @@ def test_user_can_access_files_if_view_after_ctf():
                     r = client.get(file_url)
                     assert r.status_code == 200
                     assert r.get_data(as_text=True) == "testing file load"
+
+                    # Unauthed users should be able to download if view_after_ctf
+                    client = app.test_client()
+                    r = client.get(file_url)
+                    assert r.status_code == 200
+                    assert r.get_data(as_text=True) == "testing file load"
         finally:
             rmdir(directory)