Prevent users from nulling out profile values (CTFd#1125)

* Prevent users from nulling out profile values
CoenGoedegebure · Nov 8, 2019 · acbea2d · acbea2d
1 parent 34e78a8
commit acbea2d
Show file tree

Hide file tree

Showing 4 changed files with 45 additions and 0 deletions.
diff --git a/CTFd/schemas/teams.py b/CTFd/schemas/teams.py
@@ -19,13 +19,15 @@ class Meta:
         Teams,
         "name",
         required=True,
+        allow_none=False,
         validate=[
             validate.Length(min=1, max=128, error="Team names must not be empty")
         ],
     )
     email = field_for(
         Teams,
         "email",
+        allow_none=False,
         validate=validate.Email("Emails must be a properly formatted email address"),
     )
     website = field_for(

diff --git a/CTFd/schemas/users.py b/CTFd/schemas/users.py
@@ -20,13 +20,15 @@ class Meta:
         Users,
         "name",
         required=True,
+        allow_none=False,
         validate=[
             validate.Length(min=1, max=128, error="User names must not be empty")
         ],
     )
     email = field_for(
         Users,
         "email",
+        allow_none=False,
         validate=[
             validate.Email("Emails must be a properly formatted email address"),
             validate.Length(min=1, max=128, error="Emails must not be empty"),

diff --git a/tests/api/v1/test_teams.py b/tests/api/v1/test_teams.py
@@ -379,6 +379,14 @@ def test_api_team_patch_me_logged_in_admin_captain():
 
         app.db.session.commit()
         with login_as_user(app, name="admin") as client:
+            # Users can't null out their team name
+            r = client.patch(
+                "/api/v1/teams/me", json={"name": None}
+            )
+            resp = r.get_json()
+            assert r.status_code == 400
+            assert resp["errors"]["name"] == ["Field may not be null."]
+
             r = client.patch(
                 "/api/v1/teams/me", json={"name": "team_name", "affiliation": "changed"}
             )

diff --git a/tests/api/v1/test_users.py b/tests/api/v1/test_users.py
@@ -427,6 +427,13 @@ def test_api_user_change_name():
             assert resp["data"]["name"] == "user2"
             assert resp["success"] is True
 
+            r = client.patch("/api/v1/users/me", json={"name": None})
+            resp = r.get_json()
+            print(resp)
+            assert r.status_code == 400
+            assert resp["errors"]["name"] == ["Field may not be null."]
+            assert resp["success"] is False
+
             set_config("name_changes", False)
 
             r = client.patch("/api/v1/users/me", json={"name": "new_name"})
@@ -444,6 +451,32 @@ def test_api_user_change_name():
     destroy_ctfd(app)
 
 
+def test_api_user_change_email():
+    """Test that users can change their email via the API"""
+    app = create_ctfd()
+    with app.app_context():
+        register_user(app)
+        user = Users.query.filter_by(id=2).first()
+        app.db.session.commit()
+        with login_as_user(app) as client:
+            # Test users can't submit null
+            r = client.patch("/api/v1/users/me", json={"email": None, "confirm": "password"})
+            resp = r.get_json()
+            print(resp)
+            assert r.status_code == 400
+            assert resp["errors"]["email"] == ["Field may not be null."]
+
+            # Test users can exercise the API
+            r = client.patch("/api/v1/users/me", json={"email": "new_email@email.com", "confirm": "password"})
+            assert r.status_code == 200
+            resp = r.get_json()
+            assert resp["data"]["email"] == "new_email@email.com"
+            assert resp["success"] is True
+            user = Users.query.filter_by(id=2).first()
+            assert user.email == "new_email@email.com"
+    destroy_ctfd(app)
+
+
 def test_api_user_change_verify_email():
     """Test that users are marked unconfirmed if they change their email and verify_emails is turned on"""
     app = create_ctfd()