(Translated by https://www.hiragana.jp/)
automatically create hedgedoc user accounts so that edits are no longer anonymous by lanjelot · Pull Request #2 · hugsy/ctfhub · GitHub
Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

automatically create hedgedoc user accounts so that edits are no longer anonymous #2

Merged
merged 2 commits into from
Nov 18, 2020
Merged

automatically create hedgedoc user accounts so that edits are no longer anonymous #2

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
0dc0a45
switch to hedgedoc master instead of the 9-month old 1.6.0 release
lanjelot Nov 17, 2020
cd9cafb
removed anonymous edits by automatically creating a hedgedoc user acc…
lanjelot Nov 17, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 3 additions & 10 deletions ctfpad/helpers.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
import pathlib
import magic
import requests
from uuid import uuid4

from ctftools.settings import (
CODIMD_URL,
Expand All @@ -9,20 +10,12 @@


def create_new_note() -> str:
""""Connects to CodiMD to create a new note, and returns its ID
""""Returns a unique note ID so that the note will be automatically created when accessed for the first time

Returns:
str: the string ID of the new note
"""
s = requests.Session()
res = s.get(f"{CODIMD_URL}/new", allow_redirects=False)
if res.status_code != requests.codes.found:
raise RuntimeError(f"CodiMD service returned HTTP code {res.status_code} (expected {requests.codes.found}): {res.reason}")
location = res.headers["location"]
res = s.get(f"{CODIMD_URL}{location}")
if res.status_code != requests.codes.ok:
raise RuntimeError(f"CodiMD service returned HTTP code {res.status_code} (expected {requests.codes.ok}): {res.reason}")
return location
return f"/{uuid4()}"


def check_note_id(id: str) -> bool:
Expand Down
10 changes: 10 additions & 0 deletions ctfpad/templates/ctfpad/dashboard/dashboard.html
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,16 @@

{% include 'snippets/messages.html' %}

<script>
fetch("{{CODIMD_URL}}/login", {
method: 'POST',
mode: 'no-cors',
cache: 'no-cache',
credentials: 'include',
headers: { 'Content-Type': 'application/x-www-form-urlencoded'},
body: "email={{request.user}}%40localhost.localdomain&password=hedgedoc"});
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why not use request.user.email ?

Copy link
Collaborator Author

@lanjelot lanjelot Nov 17, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Because if I register lanjelot on ctfpad using hahanfiwhothisis@gmail.com and we use request.user.email instead of request.user then hedgedoc will use hahanfiwhothisis as the username and we'll have no idea that it is actually me (hedgedoc uses everything before @ as the username)

Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also not a fan of static password: we have access to request.user object, that leaves room for crafting unique password per users.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah i just wanted to have a quick PoC working, feel free to use request.user.password or whatever instead. Also I didn't want to bother with what if the user resets or updates their password in ctfpad, then we need to update it in hedgedoc as well etc.

</script>

<div aria-live="polite" aria-atomic="true" style="position: relative; min-height: 200px;">
<div style="position: absolute; top: 0; right: 0;">
<div class="toast" role="alert" aria-live="assertive" aria-atomic="true">
Expand Down
2 changes: 2 additions & 0 deletions ctfpad/views/__init__.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
from ctfpad.forms import CreateUpdateCtfForm
from ctfpad.decorators import only_if_authenticated_user
from ctftools.settings import CODIMD_URL
from django.http.request import HttpRequest
from django.http.response import HttpResponse
from django.shortcuts import redirect, render
Expand Down Expand Up @@ -61,6 +62,7 @@ def dashboard(request: HttpRequest) -> HttpResponse:
"ctfs": ctfs,
"current_ctfs": current_ctfs,
"quick_add_form": quick_add_form,
"CODIMD_URL": CODIMD_URL,
}
return render(request, "ctfpad/dashboard/dashboard.html", context)

Expand Down
16 changes: 14 additions & 2 deletions ctfpad/views/users.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
import datetime
import requests

from django.contrib import auth, messages
from django.contrib.auth.mixins import LoginRequiredMixin
Expand All @@ -21,7 +22,7 @@
from ctfpad.models import Challenge, ChallengeFile, Member, Team
from ctfpad.forms import CreateUserForm, UpdateMemberForm
from ctfpad.decorators import only_if_unauthenticated_user, only_if_authenticated_user

from ctftools.settings import CODIMD_URL

class CtfpadLogin(LoginView):
template_name = "users/login.html"
Expand Down Expand Up @@ -70,6 +71,17 @@ def form_valid(self, form):
messages.error(self.request, "Username already exists, try logging in instead")
return redirect("ctfpad:home")

# create the hedgedoc user
email = form.cleaned_data["username"] + '@localhost.localdomain'
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same remarks as above

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same reply as above ;)

res = requests.post(f'{CODIMD_URL}/register',
data={'email': email, 'password': 'hedgedoc'},
allow_redirects = False)

if res.status_code != requests.codes.found:
form.errors["name"] = "FailedToCreateHedgedocUser"
messages.error(self.request, "Failed to create Hedgedoc user")
return redirect("ctfpad:home")

# create the django user
user = User.objects.create_user(
username=form.cleaned_data["username"],
Expand Down Expand Up @@ -137,4 +149,4 @@ def get_context_data(self, **kwargs):
context.update(
{"solved_challenges": Challenge.objects.filter(solver = self.object.id).order_by("-solved_time")}
)
return context
return context
2 changes: 2 additions & 0 deletions docker-compose.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,8 @@ services:
environment:
- CMD_DB_URL=postgres://ctfpad:tookahlaiphee2KieTeeg5ooxutang4o@db:5432/ctfpad
- CMD_COOKIE_POLICY=none
- CMD_ALLOW_ANONYMOUS=false
- CMD_ALLOW_FREEURL=true
ports:
- "3000:3000"
networks:
Expand Down