Clarify Score Visibility and Account Visibility (CTFd#2227)

* Don't show /scoreboard if we do not have account_visibility * Clarify the behavior of Score Visibility with respect to Account Visibility
nimah79 · Dec 3, 2022 · 800fb82 · 800fb82
1 parent 7e575a2
commit 800fb82
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 21 deletions.
diff --git a/CTFd/scoreboard.py b/CTFd/scoreboard.py
@@ -2,7 +2,10 @@
 
 from CTFd.utils import config
 from CTFd.utils.config.visibility import scores_visible
-from CTFd.utils.decorators.visibility import check_score_visibility
+from CTFd.utils.decorators.visibility import (
+    check_account_visibility,
+    check_score_visibility,
+)
 from CTFd.utils.helpers import get_infos
 from CTFd.utils.scores import get_standings
 from CTFd.utils.user import is_admin
@@ -11,6 +14,7 @@
 
 
 @scoreboard.route("/scoreboard")
+@check_account_visibility
 @check_score_visibility
 def listing():
     infos = get_infos()

diff --git a/CTFd/themes/admin/templates/configs/settings.html b/CTFd/themes/admin/templates/configs/settings.html
@@ -22,50 +22,49 @@
 
 		<div class="form-group">
 			<label>
-				Score Visibility<br>
+				Account Visibility<br>
 				<small class="form-text text-muted">
-					Control whether solves/score are shown to the public, to logged in users, hidden to all non-admins, or only shown to admins
+					Control whether accounts (users &amp; teams) are shown to everyone, only to authenticated users, or only to admins
 				</small>
 			</label>
-			<select class="form-control custom-select" name="score_visibility">
-				<option value="public" {% if score_visibility == 'public' %}selected{% endif %}>
+			<select class="form-control custom-select" name="account_visibility">
+				<option value="public" {% if account_visibility == 'public' %}selected{% endif %}>
 					Public
 				</option>
-				<option value="private" {% if score_visibility == 'private' %}selected{% endif %}>
+				<option value="private" {% if account_visibility == 'private' %}selected{% endif %}>
 					Private
 				</option>
-				<option value="hidden" {% if score_visibility == 'hidden' %}selected{% endif %}>
-					Hidden
-				</option>
-				<option value="admins" {% if score_visibility == 'admins' %}selected{% endif %}>
+				<option value="admins" {% if account_visibility == 'admins' %}selected{% endif %}>
 					Admins Only
 				</option>
 			</select>
-			<small class="form-text text-muted">
-				This setting should generally be the same as Account Visibility to avoid conflicts.
-			</small>
 		</div>
 
 		<div class="form-group">
 			<label>
-				Account Visibility<br>
+				Score Visibility<br>
 				<small class="form-text text-muted">
-					Control whether accounts (users &amp; teams) are shown to everyone, only to authenticated users, or only to admins
+					Control whether solves/score are shown to the public, to logged in users, hidden to all non-admins, or only shown to admins
 				</small>
 			</label>
-			<select class="form-control custom-select" name="account_visibility">
-				<option value="public" {% if account_visibility == 'public' %}selected{% endif %}>
+			<select class="form-control custom-select" name="score_visibility">
+				<option value="public" {% if score_visibility == 'public' %}selected{% endif %}>
 					Public
 				</option>
-				<option value="private" {% if account_visibility == 'private' %}selected{% endif %}>
+				<option value="private" {% if score_visibility == 'private' %}selected{% endif %}>
 					Private
 				</option>
-				<option value="admins" {% if account_visibility == 'admins' %}selected{% endif %}>
+				<option value="hidden" {% if score_visibility == 'hidden' %}selected{% endif %}>
+					Hidden
+				</option>
+				<option value="admins" {% if score_visibility == 'admins' %}selected{% endif %}>
 					Admins Only
 				</option>
 			</select>
 			<small class="form-text text-muted">
-				This setting should generally be the same as Score Visibility to avoid conflicts.
+				Score Visibility is a subset of Account Visibility. 
+				This means that if accounts are visible to a user then score visibility will control whether they can see the score of that user. 
+				If accounts are not visibile then score visibility has no effect.
 			</small>
 		</div>
 

diff --git a/CTFd/themes/core/templates/components/navbar.html b/CTFd/themes/core/templates/components/navbar.html
@@ -30,7 +30,7 @@
                     {% endif %}
                 {% endif %}
 
-                {% if Configs.score_visibility != 'admins' %}
+                {% if Configs.account_visibility != 'admins' and Configs.score_visibility != 'admins' %}
                     <li class="nav-item">
                         <a class="nav-link" href="{{ url_for('scoreboard.listing') }}">Scoreboard</a>
                     </li>