1092 fix solve count leak during freeze (CTFd#1095)

ColdHeat · web-flow · commit c88e0556ebd2 · 2019-08-29T23:22:24.000-04:00
* Challenges properly get solve count during freeze time * Closes CTFd#1092
diff --git a/CTFd/api/v1/challenges.py b/CTFd/api/v1/challenges.py
@@ -38,7 +38,7 @@
 from CTFd.utils.user import get_current_team
 from CTFd.utils.user import get_current_user
 from CTFd.plugins.challenges import get_chal_class
-from CTFd.utils.dates import ctf_ended, ctf_paused, ctftime
+from CTFd.utils.dates import ctf_ended, ctf_paused, ctftime, unix_time_to_utc
 from CTFd.utils.logging import log
 from CTFd.utils.security.signing import serialize
 from sqlalchemy.sql import and_
@@ -267,8 +267,14 @@ def get(self, challenge_id):
                     Model.banned == False,
                     Model.hidden == False,
                 )
-                .count()
             )
+
+            # Only show solves that happened before freeze time if configured
+            freeze = get_config("freeze")
+            if not is_admin() and freeze:
+                solves = solves.filter(Solves.date < unix_time_to_utc(freeze))
+
+            solves = solves.count()
             response["solves"] = solves
         else:
             response["solves"] = None
diff --git a/tests/api/v1/test_challenges.py b/tests/api/v1/test_challenges.py
@@ -536,14 +536,25 @@ def test_api_challenge_get_solves_ctf_frozen():
             chal2_id = chal2.id
 
         with freeze_time("2017-10-8"):
-            chal2 = gen_solve(app.db, user_id=2, challenge_id=chal2_id)
+            # User ID 2 solves Challenge ID 2
+            gen_solve(app.db, user_id=2, challenge_id=chal2_id)
+            # User ID 3 solves Challenge ID 1
+            gen_solve(app.db, user_id=3, challenge_id=chal_id)
+
+            # Challenge 1 has 2 solves
+            # Challenge 2 has 1 solve
 
             # There should now be two solves assigned to the same user.
-            assert Solves.query.count() == 2
+            assert Solves.query.count() == 3
 
             client = login_as_user(app, name="user2")
 
-            # Challenge 1 should have one solve
+            # Challenge 1 should have one solve (after freeze)
+            r = client.get("/api/v1/challenges/1")
+            data = r.get_json()["data"]
+            assert data['solves'] == 1
+
+            # Challenge 1 should have one solve (after freeze)
             r = client.get("/api/v1/challenges/1/solves")
             data = r.get_json()["data"]
             assert len(data) == 1
