From 8b28f73bdbd77a3758f249cd766ef3a4d97ada64 Mon Sep 17 00:00:00 2001
From: Danhia <danhia@protonmail.com>
Date: Sun, 24 Sep 2023 15:17:49 +0200
Subject: [PATCH] added special permissions to allow a group of user to manage
 event-related objects

---
 src/ctfs/admin.py                           | 55 +++++++++++++--
 src/events/admin.py                         | 77 ++++++++++++++++++++-
 src/events/templates/events/event_info.html |  2 +-
 src/events/views/events.py                  | 75 ++++++++++----------
 4 files changed, 167 insertions(+), 42 deletions(-)

diff --git a/src/ctfs/admin.py b/src/ctfs/admin.py
index c563116..3a1a66f 100644
--- a/src/ctfs/admin.py
+++ b/src/ctfs/admin.py
@@ -2,8 +2,6 @@ from django.contrib import admin
 from .models import Category, CTF, CTF_flags
 
 admin.site.register(Category)
-#admin.site.register(CTF)
-#admin.site.register(CTF_flags)
 
 @admin.register(CTF_flags)
 class ctf_flags(admin.ModelAdmin):
@@ -14,12 +12,61 @@ class ctf_flags(admin.ModelAdmin):
     # search list
     search_fields = ['ctf__category__name', 'ctf__name', 'user__username']
 
+    def get_queryset(self, request):
+        qs = super().get_queryset(request)
+        if request.user.is_superuser:
+            return qs
+        groups = list(request.user.groups.values_list('name', flat=True))
+        return qs.filter(event__name__in=groups)
+
+    def has_view_permission(self, request, obj=None):
+        if request.user.is_superuser:
+            return True
+        if obj is not None:
+            return request.user.groups.filter(name=obj.event.name).exists()
+        return super().has_view_permission(request, obj)
+    
+    def has_change_permission(self, request, obj=None):
+        if request.user.is_superuser:
+            return True
+        if obj is not None:
+            return request.user.groups.filter(name=obj.event.name).exists()
+        return super().has_change_permission(request, obj)
+    
+    def has_delete_permission(self, request, obj=None):
+        if request.user.is_superuser:
+            return True
+        if obj is not None:
+            return request.user.groups.filter(name=obj.event.name).exists()
+        return super().has_delete_permission(request, obj)
+
 @admin.register(CTF)
 class ctf(admin.ModelAdmin):
     #list display
-    list_display = ['name', 'event', 'category']
+    list_display = ['name', 'event', 'category', 'points']
     #list Filter
     list_filter = ('category', 'event')
     # search list
     search_fields = ['category__name', 'name', 'author__username']
-# Register your models here.
+
+    def get_queryset(self, request):
+        qs = super().get_queryset(request)
+        if request.user.is_superuser:
+            return qs
+        groups = list(request.user.groups.values_list('name', flat=True))
+        return qs.filter(event__name__in=groups)
+
+    def has_view_permission(self, request, obj=None):
+        if request.user.is_superuser:
+            return True
+        if obj is not None:
+            return request.user.groups.filter(name=obj.event.name).exists()
+        return super().has_view_permission(request, obj)
+    
+    def has_change_permission(self, request, obj=None):
+        if request.user.is_superuser:
+            return True
+        if obj is not None:
+            return request.user.groups.filter(name=obj.event.name).exists()
+        return super().has_change_permission(request, obj)
+
diff --git a/src/events/admin.py b/src/events/admin.py
index e4d542f..9ac28fe 100644
--- a/src/events/admin.py
+++ b/src/events/admin.py
@@ -8,6 +8,27 @@ class event(admin.ModelAdmin):
     # search list
     search_fields = ['name', 'slug', 'description', 'password']
 
+    def get_queryset(self, request):
+        qs = super().get_queryset(request)
+        if request.user.is_superuser:
+            return qs
+        groups = list(request.user.groups.values_list('name', flat=True))
+        return qs.filter(name__in=groups)
+
+    def has_view_permission(self, request, obj=None):
+        if request.user.is_superuser:
+            return True
+        if obj is not None:
+            return request.user.groups.filter(name=obj.name).exists()
+        return super().has_view_permission(request, obj)
+
+    def has_change_permission(self, request, obj=None):
+        if request.user.is_superuser:
+            return True
+        if obj is not None:
+            return request.user.groups.filter(name=obj.name).exists()
+        return super().has_change_permission(request, obj)
+
 @admin.register(EventPlayer)
 class score(admin.ModelAdmin):
     #list display
@@ -17,7 +38,33 @@ class score(admin.ModelAdmin):
     # search list
     search_fields = ['user__username', 'score', 'event__name']
 
-# Register your models here.
+    def get_queryset(self, request):
+        qs = super().get_queryset(request)
+        if request.user.is_superuser:
+            return qs
+        groups = list(request.user.groups.values_list('name', flat=True))
+        return qs.filter(event__name__in=groups)
+    
+    def has_view_permission(self, request, obj=None):
+        if request.user.is_superuser:
+            return True
+        if obj is not None:
+            return request.user.groups.filter(name=obj.event.name).exists()
+        return super().has_view_permission(request, obj)
+
+    def has_change_permission(self, request, obj=None):
+        if request.user.is_superuser:
+            return True
+        if obj is not None:
+            return request.user.groups.filter(name=obj.event.name).exists()
+        return super().has_change_permission(request, obj)
+
+    def has_delete_permission(self, request, obj=None):
+        if request.user.is_superuser:
+            return True
+        if obj is not None:
+            return request.user.groups.filter(name=obj.event.name).exists()
+        return super().has_delete_permission(request, obj)
 
 @admin.register(Team)
 class team(admin.ModelAdmin):
@@ -28,6 +75,34 @@ class team(admin.ModelAdmin):
     # search list
     search_fields = ['name']
 
+    def get_queryset(self, request):
+        qs = super().get_queryset(request)
+        if request.user.is_superuser:
+            return qs
+        groups = list(request.user.groups.values_list('name', flat=True))
+        return qs.filter(event__name__in=groups)
+    
+    def has_view_permission(self, request, obj=None):
+        if request.user.is_superuser:
+            return True
+        if obj is not None:
+            return request.user.groups.filter(name=obj.event.name).exists()
+        return super().has_view_permission(request, obj)
+
+    def has_change_permission(self, request, obj=None):
+        if request.user.is_superuser:
+            return True
+        if obj is not None:
+            return request.user.groups.filter(name=obj.event.name).exists()
+        return super().has_change_permission(request, obj)
+    
+    def has_delete_permission(self, request, obj=None):
+        if request.user.is_superuser:
+            return True
+        if obj is not None:
+            return request.user.groups.filter(name=obj.event.name).exists()
+        return super().has_delete_permission(request, obj)
+
 @admin.register(Bonus)
 class bonus(admin.ModelAdmin):
     #list display
diff --git a/src/events/templates/events/event_info.html b/src/events/templates/events/event_info.html
index d1ed50e..1f523a8 100644
--- a/src/events/templates/events/event_info.html
+++ b/src/events/templates/events/event_info.html
@@ -26,7 +26,7 @@
         {% endif %}
       </div>
       <div class="event-footer">
-        {% if begun == True %}
+        {% if begun == True or is_event_manager == True %}
           <h4>{% trans "Challenges" %}</h4>
           
           {% if ctfs %}
diff --git a/src/events/views/events.py b/src/events/views/events.py
index 80c64f8..4049336 100644
--- a/src/events/views/events.py
+++ b/src/events/views/events.py
@@ -75,7 +75,8 @@ def chall_event_info(request, event_slug, chall_slug):
 	event_info  = get_object_or_404(Event, slug=event_slug)
 	ctf_info    = get_object_or_404(CTF, event__slug=event_info.slug, slug=chall_slug)
 
-	if timezone.now() < ctf_info.pub_date:
+	is_event_manager = request.user.groups.filter(name=event_info.name).exists() or request.user.is_superuser
+	if timezone.now() < ctf_info.pub_date and not is_event_manager:
 		return redirect('events:event_info', event_slug=event_slug)
 	eventisover = False
 	alreadyflag = False
@@ -121,53 +122,55 @@ def chall_event_info(request, event_slug, chall_slug):
 
 def event(request, event_slug):
 	event_info 			= get_object_or_404(Event, slug=event_slug)
-	IsRegistered		= False
 	wrongpwd			= False
 	alreadyregistered	= False
 	subisover			= False
+
+	is_event_manager	= request.user.groups.filter(name=event_info.name).exists() or request.user.is_superuser
+
+	ended = (timezone.now() >= event_info.end_date)
+	begun = (timezone.now() >= event_info.start_date)
+
+	if is_event_manager: # we want to see all the challenges
+		challenges  = CTF.objects.filter(event=event_info).order_by('category', 'points')
+	else:
+		challenges  = CTF.objects.filter(event=event_info, pub_date__lte=timezone.now()).order_by('category', 'points')
+
+	if event_info.team_size == 1:
+		solved_list = EventPlayer.objects.filter(event=event_info).order_by('-score', 'last_submission_date', 'user__username')
+	else:
+		solved_list = Team.objects.filter(event=event_info).order_by('-score', 'last_submission_date', 'name')
+
 	if request.GET.get('WrongPassword'):
 		wrongpwd = True
 	if request.GET.get('AlreadyRegistered'):
 		alreadyregistered = True
 	if request.GET.get('SubscriptionIsOver'):
 		subisover = True
+	
 	if request.user.is_authenticated:
 		try:
-			player = EventPlayer.objects.get(event=event_info, user=request.user)
+			EventPlayer.objects.get(event=event_info, user=request.user)
+			return render(request, 'events/event_info.html', {'event' : event_info, 'IsRegistered': True, 'ctfs': challenges, 'solved_list':solved_list,
+				'ended': ended, 'begun': begun, 'wrongpwd': wrongpwd, 'alreadyregistered': alreadyregistered, 'subisover': subisover, 'is_event_manager':is_event_manager})
 		except:
-			player = None
-		if player:
-			IsRegistered = True
-	if event_info.campus.all():
-		if request.user.is_authenticated:
-			if request.user.is_staff is False:
-				user = UserProfileInfo.objects.get(user=request.user)
-				if user.campus is None:
-					return render(request, 'events/event_pwd.html', {'event' : event_info, 'logged': True, 'wrongpwd': wrongpwd, 'alreadyregistered': alreadyregistered, 'userHasCampus': False, 'campusCanJoin': True})
-				elif user.campus not in event_info.campus.all():
-					return render(request, 'events/event_pwd.html', {'event' : event_info, 'logged': True, 'wrongpwd': wrongpwd, 'alreadyregistered': alreadyregistered, 'userHasCampus': True, 'campusCanJoin': False})
-		else:
-			return render(request, 'events/event_pwd.html', {'event' : event_info, 'logged': False, 'wrongpwd': wrongpwd, 'alreadyregistered': alreadyregistered, 'userHasCampus': True, 'campusCanJoin': True})
-	if event_info.password:
-		if request.user.is_authenticated:
-			if request.user.is_staff is False:
-				if not player:
-					return render(request, 'events/event_pwd.html', {'event' : event_info, 'logged': True, 'wrongpwd': wrongpwd, 'alreadyregistered': alreadyregistered, 'userHasCampus': True, 'campusCanJoin': True})
-		else:
-			return render(request, 'events/event_pwd.html', {'event' : event_info, 'logged': False, 'wrongpwd': wrongpwd, 'alreadyregistered': alreadyregistered, 'userHasCampus': True, 'campusCanJoin': True})
-	ended = False
-	if timezone.now() >= event_info.end_date:
-		ended = True
-	begun = False
-	if timezone.now() >= event_info.start_date:
-		begun = True
-	challenges  = CTF.objects.filter(event=event_info, pub_date__lte=timezone.now()).order_by('category', 'points')
-	if event_info.team_size == 1:
-		solved_list = EventPlayer.objects.filter(event=event_info).order_by('-score', 'last_submission_date', 'user__username')
-	else:
-		solved_list = Team.objects.filter(event=event_info).order_by('-score', 'last_submission_date', 'name')
-	return render(request, 'events/event_info.html', {'event' : event_info, 'IsRegistered': IsRegistered, 'ctfs': challenges, 'solved_list':solved_list,
-		'ended': ended, 'begun': begun, 'wrongpwd': wrongpwd, 'alreadyregistered': alreadyregistered, 'subisover': subisover})
+			pass
+
+	if (event_info.campus.all() or event_info.password) and request.user.is_authenticated is False:
+		return render(request, 'events/event_pwd.html', {'event' : event_info, 'logged': False})
+
+	if event_info.campus.all() and is_event_manager is False:
+		user = UserProfileInfo.objects.get(user=request.user)
+		if user.campus is None:
+			return render(request, 'events/event_pwd.html', {'event' : event_info, 'logged': True, 'wrongpwd': wrongpwd, 'alreadyregistered': alreadyregistered, 'userHasCampus': False, 'campusCanJoin': True})
+		elif user.campus not in event_info.campus.all():
+			return render(request, 'events/event_pwd.html', {'event' : event_info, 'logged': True, 'wrongpwd': wrongpwd, 'alreadyregistered': alreadyregistered, 'userHasCampus': True, 'campusCanJoin': False})
+	
+	if event_info.password and is_event_manager is False:
+		return render(request, 'events/event_pwd.html', {'event' : event_info, 'logged': True, 'wrongpwd': wrongpwd, 'alreadyregistered': alreadyregistered, 'userHasCampus': True, 'campusCanJoin': True})
+
+	return render(request, 'events/event_info.html', {'event' : event_info, 'ctfs': challenges, 'solved_list':solved_list, 'IsRegistered': False,
+		'ended': ended, 'begun': begun, 'wrongpwd': wrongpwd, 'alreadyregistered': alreadyregistered, 'subisover': subisover, 'is_event_manager':is_event_manager})
 
 @login_required
 def submit_event_flag(request, event_slug, chall_slug):