When unlocking a hint, always use an accounts true score and not their public visible score (CTFd#2441)

ColdHeat · web-flow · commit 76f9fdf06bfa · 2023-12-14T18:03:21.000-05:00
* When unlocking a hint, always use an accounts true score and not their publicly visible score
diff --git a/CTFd/api/v1/unlocks.py b/CTFd/api/v1/unlocks.py
@@ -109,7 +109,8 @@ def post(self):
 
         # We should use the team's score if in teams mode
         # user.account gives the appropriate account based on team mode
-        if target.cost > user.account.score:
+        # Use get_score with admin to get the account's full score value
+        if target.cost > user.account.get_score(admin=True):
             return (
                 {
                     "success": False,

Original file line number	Diff line number	Diff line change
`@@ -109,7 +109,8 @@ def post(self):`
`109`	`109`
`110`	`110`	`# We should use the team's score if in teams mode`
`111`	`111`	`# user.account gives the appropriate account based on team mode`
`112`		`- if target.cost > user.account.score:`
	`112`	`+ # Use get_score with admin to get the account's full score value`
	`113`	`+ if target.cost > user.account.get_score(admin=True):`
`113`	`114`	`return (`
`114`	`115`	`{`
`115`	`116`	`"success": False,`