From 3d86f21ba2237a05039c5bb3dde1b2edce36a158 Mon Sep 17 00:00:00 2001
From: Danhia <danhia@protonmail.com>
Date: Fri, 1 Sep 2023 11:07:13 +0200
Subject: [PATCH] add forbidden characters in teamname to avoir error 500

---
 src/events/templates/events/create_team.html |  3 +++
 src/events/views/teams.py                    | 28 ++++++++++++--------
 2 files changed, 20 insertions(+), 11 deletions(-)

diff --git a/src/events/templates/events/create_team.html b/src/events/templates/events/create_team.html
index 7db2921..de3bd3a 100644
--- a/src/events/templates/events/create_team.html
+++ b/src/events/templates/events/create_team.html
@@ -16,6 +16,9 @@
                     {% if registered == False %}
                     <span class="message error-msg">{% trans "You need to be registered to the event." %}</span>
                     {% else %}
+                    {% if invalid == True %}
+                    <span class="message error-msg">{% trans "Invalid characters in name" %}</span>
+                    {% endif %}
                     {% if exist == True %}
                     <span class="message error-msg">{% trans "Name already taken." %}</span>
                     {% endif %}
diff --git a/src/events/views/teams.py b/src/events/views/teams.py
index b2c1af8..85bfde2 100644
--- a/src/events/views/teams.py
+++ b/src/events/views/teams.py
@@ -13,10 +13,13 @@ from random import randint
 def create_team(request, event_slug):
 	ev			=   get_object_or_404(Event, slug=event_slug)
 	if request.method == 'POST':
+		teamname = request.POST.get('teamname')
 		if request.user.is_authenticated and ev.team_size > 1:
-			if Team.objects.filter(name=request.POST.get('teamname'), event=ev).exists():
+			if any(c in set('./') for c in teamname):
+				return render(request, 'events/create_team.html', {'event' : ev, 'logged': True, 'wrongpwd': False, 'registered' : True, 'exist' : False, 'invalid' : True})
+			if Team.objects.filter(name=teamname, event=ev).exists():
 				return render(request, 'events/create_team.html', {'event' : ev, 'logged': True, 'wrongpwd': False, 'registered' : True, 'exist' : True})
-			new = Team(name=request.POST.get('teamname'), password=request.POST.get('password'), event=ev)
+			new = Team(name=teamname, password=request.POST.get('password'), event=ev)
 			new.save()
 			player = EventPlayer.objects.get(user=request.user, event=ev)
 			player.team = new
@@ -115,9 +118,10 @@ def manage_team(request, event_slug):
 			pname = p_form.cleaned_data['name']
 			if pname == tname:
 				pass
-			else:
-				if Team.objects.filter(name=pname, event=event_info).exists():
-					error = _("Name already taken.")
+			elif any(c in set('./') for c in pname):
+				error = _("Invalid characters in name")
+			elif Team.objects.filter(name=pname, event=event_info).exists():
+				error = _("Name already taken.")
 			ppassword = p_form.cleaned_data['password']
 			if error is None:
 				p_form.save()
@@ -137,18 +141,20 @@ def leave_team(request, event_slug):
 	player		= 	EventPlayer.objects.get(user=request.user, event=event_info)
 	team		=	Team.objects.get(event=event_info, name=player.team.name)
 
-	team.score -= player.score
-	team.save()
 	player.team = None
+	player.save()
+	members		=	EventPlayer.objects.filter(team=team, event=event_info)
+	if members.count() == 0:
+		team.delete()
+	else:
+		team.score -= player.score
+		team.save()
+	
 	solved = CTF_flags.objects.filter(user=player.user, ctf__event=event_info)
 	player.score = 0
 	solved.delete()
 	player.save()
 
-	members		=	EventPlayer.objects.filter(team=team, event=event_info)
-	if members.count() == 0:
-		team.delete()
-
 	return redirect('events:event_info', event_slug=event_slug)
 
 @login_required
-- 
2.40.1