3.2.0 / 2020-12-07
General
- Add Team invites.
  - Team invites are links containing a token that allow a user to join a team without knowing the team password
  - Captains can generate invite tokens for their teams
  - Admins can generate Team invite links as well
- Improved Team handling
  - Prevent team joining while already on a team
  - Return 403 instead of 200 for team join/create errors
  - Allow team captains whose teams haven't done anything to disband their team
- Allow for uploading navbar logo, favicon, and index page banner during initial setup
- Fixed issue in teams mode where a user couldn't unlock a hint despite their team having enough points
  - The fix for this is essentially to allow the user's points to go negative
- Imports have been made more stable
  - This is primarily done by killing MySQL processes that are locking metadata
  - This is a subpar approach but it seems to be the only solution to avoid a metadata lock in MySQL. This approach did not appear to be needed under Postgres or SQLite
API
- Addition of `POST /api/v1/teams/me/members` to generate invite tokens for teams
- Fixed an issue in `POST /api/v1/awards` where CTFd would 500 when a user could not be found by the provided `user_id`
- `POST /api/v1/unlocks` in teams mode now uses the team's score to determine if a user can purchase a hint
  - Properly check for existing unlocks in teams mode in `POST /api/v1/unlocks`
- `/api/v1/notifications` and `/api/v1/notifications/[notification_id]` now have an html parameter which specifies the rendered content of the notification content
Themes
- Add Team Invite icon and Disband Team icon to teams/private.html
- Add teams/invite.html file to handle team joining with invites
- Added syntax highlighting to challenge descriptions, pages, hints, notifications, comments, and markdown editors
  - This is done with `highlight.js` which has been added to `package.json`
- Fix notifications to properly fix/support Markdown and HTML notifications
  - Notifications SQL Model now has an html property
  - Notifications API schemas now have an html field
- Removed MomentJS (see https://momentjs.com/docs/#/-project-status/) in favor of dayjs
  - dayjs is mostly API compatible with MomentJS. The only major changes were:
    - dayjs always uses browser local time so you don't need to call `.local()`
    - dayjs segments out some MomentJS functionality into plugins which need to be imported in before using those features
- Fixed issue in `challenge.html` where the current attempt count would have a typo
- Fixed issue in `challenge.html` where the max attempts for a challenge would not show if it was set to 1
- Edit donut charts to have easier to read legends and labels
- Make data zoom bars thinner and more transparent
- Add logo, banner, and favicon settings to the setup.html
Plugins
- The `auth.register` (`/register`) endpoint now accepts a `?next=` parameter to define where to redirect to after registration
- There is now a `registered_only` decorator to redirect users to `auth.register` (`/register`) instead of `auth.login` (`/login`)
- Don't run `db.create_all()` as much during plugin upgrade or during imports
  - By avoiding this we can let alembic and migrations do more of the table creation work but this means that plugins specifically opt into `app.db.create_all()` and will not implicitly get it through `upgrade()`.
  - This means plugins that run `upgrade()` without a migrations folder (no idea who would do this really) will need to upgrade their code.
- The plugin `upgrade()` function now accepts a `lower` parameter which specifies what lower revision should be used to start from.
  - This is used to support plugin migrations during import so that we can import data directly at the point that the import was taken from
  - `lower="current"` means to use the current revision and `lower=None` would mean to use the absolute base revision (e.g. plugin's first installation)
  - By default this doesn't change `upgrade()` behavior
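
A redirect target read from a query parameter such as `?next=` is normally restricted to same-site destinations before it is used. The check below is an added example, not CTFd's own code; `is_safe_next`, `post_register_redirect`, the host `ctf.example.com` and the `/challenges` fallback are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Hypothetical site host for this example.
SITE_HOST = "ctf.example.com"


def is_safe_next(target, site_host=SITE_HOST):
    """Return True only if `target` keeps the user on this site."""
    if not isinstance(target, str) or not target:
        return False
    # Browsers drop tabs/newlines and treat "\" like "/", so values such as
    # "/\host" or "/<TAB>/host" can end up as the scheme-relative "//host".
    if "\\" in target or any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return False
    # Leading/trailing whitespace is stripped by browsers before parsing.
    if target != target.strip():
        return False
    try:
        parts = urlsplit(target)
    except ValueError:  # e.g. malformed IPv6 literal in the host part
        return False
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative URL: only http(s) to exactly our host.
        # Comparing the whole netloc also rejects "user@host" tricks.
        return (parts.scheme in ("http", "https")
                and parts.netloc.lower() == site_host)
    # Relative URL: must be a rooted path and not start with "//"
    # (covers "///host", which urlsplit reports with an empty netloc).
    return target.startswith("/") and not target.startswith("//")


def post_register_redirect(next_param, default="/challenges"):
    """Pick the redirect target after registration (constructed helper)."""
    return next_param if is_safe_next(next_param) else default
```
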
Admin Panel
- Add Favicon uploading to the Admin Panel
- Move Logo uploading to the Theme tab in the Admin Panel
- The challenge left side bar tabs have been rewritten into VueJS components.
  - This fixes a number of issues with the consistency of what data is deleted/edited in the challenge editor
  - This also prevents having to refresh the page in most challenge editing situations
- Fixed a possible bug where the update available alert wouldn't go away on server restart
- Examples for regex flags are now provided
- Wrong submissions has been renamed to Incorrect Submissions
- Graphs in the Admin Statistics page will now scroll with mouse wheel to improve browsing large datasets
- Fixed an issue where Users/Teams could be created with a null password
Deployment
- A restart policy set to `always` has been added to nginx in docker-compose
- Rename `requirements.txt` to `requirements.in` and generate `requirements.txt` using `pip-tools` under Python 3.6
- `UPLOAD_PROVIDER` no longer has a default `filesystem` set in config.ini. Instead it is defaulted through `config.py`
Miscellaneous
- The `psycopg2` dependency in development.txt has been removed in favor of `psycopg2-binary` which was updated to 2.8.6
- The `moto` dependency in development.txt has been updated to 1.3.16
- Add `pip-tools` to `development.txt`
- Add `import_ctf` and `export_ctf` commands to `manage.py` and deprecate `import.py` and `export.py`
- Override the `MAIL_SERVER` config with the `TESTING_MAIL_SERVER` envvar during tests
- `ping` events in the notification event handler have been fixed to not send duplicates