From 3d86f21ba2237a05039c5bb3dde1b2edce36a158 Mon Sep 17 00:00:00 2001
From: Danhia
Date: Fri, 1 Sep 2023 11:07:13 +0200
Subject: [PATCH] add forbidden characters in teamname to avoir error 500
---
 src/events/templates/events/create_team.html | 3 +++
 src/events/views/teams.py | 28 ++++++++++++--------
 2 files changed, 20 insertions(+), 11 deletions(-)
diff --git a/src/events/templates/events/create_team.html b/src/events/templates/events/create_team.html
index 7db2921..de3bd3a 100644
--- a/src/events/templates/events/create_team.html
+++ b/src/events/templates/events/create_team.html
@@ -16,6 +16,9 @@
 {% if registered == False %}
 {% trans "You need to be registered to the event." %}
 {% else %}
+ {% if invalid == True %}
+ {% trans "Invalid characters in name" %}
+ {% endif %}
 {% if exist == True %}
 {% trans "Name already taken." %}
 {% endif %}
diff --git a/src/events/views/teams.py b/src/events/views/teams.py
index b2c1af8..85bfde2 100644
--- a/src/events/views/teams.py
+++ b/src/events/views/teams.py
@@ -13,10 +13,13 @@ from random import randint
 def create_team(request, event_slug):
 ev = get_object_or_404(Event, slug=event_slug)
 if request.method == 'POST':
+ teamname = request.POST.get('teamname')
 if request.user.is_authenticated and ev.team_size > 1:
- if Team.objects.filter(name=request.POST.get('teamname'), event=ev).exists():
+ if any(c in set('./') for c in teamname):
+ return render(request, 'events/create_team.html', {'event' : ev, 'logged': True, 'wrongpwd': False, 'registered' : True, 'exist' : False, 'invalid' : True})
+ if Team.objects.filter(name=teamname, event=ev).exists():
 return render(request, 'events/create_team.html', {'event' : ev, 'logged': True, 'wrongpwd': False, 'registered' : True, 'exist' : True})
- new = Team(name=request.POST.get('teamname'), password=request.POST.get('password'), event=ev)
+ new = Team(name=teamname, password=request.POST.get('password'), event=ev)
 new.save()
 player = EventPlayer.objects.get(user=request.user, event=ev)
 player.team = new
@@ -115,9 +118,10 @@ def manage_team(request, event_slug):
 pname = p_form.cleaned_data['name']
 if pname == tname:
 pass
- else:
- if Team.objects.filter(name=pname, event=event_info).exists():
- error = _("Name already taken.")
+ elif any(c in set('./') for c in pname):
+ error = _("Invalid characters in name")
+ elif Team.objects.filter(name=pname, event=event_info).exists():
+ error = _("Name already taken.")
 ppassword = p_form.cleaned_data['password']
 if error is None:
 p_form.save()
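Review bot: In create_team, `teamname = request.POST.get('teamname')` is `None` when the POST body carries no `teamname` field, so the new `any(c in set('./') for c in teamname)` raises TypeError and the request still ends in an error 500; an empty name also passes the check. Guard it before iterating, e.g. `teamname = request.POST.get('teamname', '')` followed by `if not teamname or any(c in './' for c in teamname):`. The same two-character blocklist is repeated in manage_team (second hunk); a single validator on the Team name field or its form, preferably an allowlist of permitted characters, would cover every path that writes a name. Names that already contain `.` or `/` are untouched by this change and, in manage_team, are skipped by the `pname == tname` branch. create_team's body continues outside the hunk.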
@@ -137,18 +141,20 @@ def leave_team(request, event_slug): player = EventPlayer.objects.get(user=request.user, event=event_info) team = Team.objects.get(event=event_info, name=player.team.name) - team.score -= player.score - team.save() player.team = None + player.save() + members = EventPlayer.objects.filter(team=team, event=event_info) + if members.count() == 0: + team.delete() + else: + team.score -= player.score + team.save() + solved = CTF_flags.objects.filter(user=player.user, ctf__event=event_info) player.score = 0 solved.delete() player.save() - members = EventPlayer.objects.filter(team=team, event=event_info) - if members.count() == 0: - team.delete() - return redirect('events:event_info', event_slug=event_slug) @login_required
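Review bot: The reordered block in leave_team is a run of separate writes (`player.save()`, the member count, then `team.delete()` or `team.save()`, `solved.delete()`, and a second `player.save()`) with no transaction visible in the hunk. A failure or a concurrent join/leave part-way through can therefore delete a team that is just being joined, or store a team score computed from a stale value. Wrapping the body in `with transaction.atomic():` and making the decrement database-side, `Team.objects.filter(pk=team.pk).update(score=F('score') - player.score)`, keeps the scoreboard consistent; `transaction` and `F` would need importing, and the import block is outside the hunk. `if not members.exists():` also avoids counting rows only to compare with zero. The function starts outside the hunk, so an enclosing transaction or decorator may already exist.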