From db14e03f0e4dca6b960304f878978f93dde4af4e Mon Sep 17 00:00:00 2001
From: Matthew Grove <me@mgrove.uk>
Date: Mon, 5 Jan 2026 22:36:31 +0000
Subject: [PATCH] UI improvements and more robust flag checks & submission

---
 __init__.py               | 32 ++++++++++++++-------------
 assets/category_submit.js | 46 ++++++++++++++++++++++-----------------
 2 files changed, 43 insertions(+), 35 deletions(-)

diff --git a/__init__.py b/__init__.py
index 96b6b3c..f6238bf 100644
--- a/__init__.py
+++ b/__init__.py
@@ -5,6 +5,7 @@ from CTFd.utils.user import get_current_user, get_current_team
 from CTFd.utils.decorators import authed_only, admins_only, during_ctf_time_only
 from CTFd.utils.decorators.visibility import check_challenge_visibility
 from CTFd.plugins.flags import get_flag_class
+from CTFd.plugins.challenges import get_chal_class
 from CTFd.utils import get_config, set_config
 
 def load(app):
@@ -20,14 +21,13 @@ def load(app):
             return render_template('category_submit_settings.html', success=True, 
                                    categories=request.form.get('categories'), 
                                    cooldown=request.form.get('cooldown'))
-        
         return render_template('category_submit_settings.html', 
             categories=get_config('cat_sub_categories') or "",
             cooldown=get_config('cat_sub_cooldown') or "3"
         )
 
     @plugin_bp.route('/category_submit/config', methods=['GET'])
-    @check_challenge_visibility  # Matches challenge page visibility settings
+    @check_challenge_visibility
     @during_ctf_time_only
     def get_plugin_config():
         return jsonify({
@@ -43,7 +43,7 @@ def load(app):
         user = get_current_user()
         team = get_current_team()
         category = request.form.get('category')
-        provided_flag = request.form.get('submission', '').strip()
+        provided = request.form.get('submission', '').strip()
         
         enabled_cats = [c.strip() for c in (get_config('cat_sub_categories') or "").split(',') if c.strip()]
         cooldown = int(get_config('cat_sub_cooldown') or 3)
@@ -56,7 +56,7 @@ def load(app):
         if last_sub and (time.time() - last_sub.date.timestamp() < cooldown):
             return jsonify({'success': False, 'message': f'Wait {cooldown}s'})
 
-        # Find unsolved challenges
+        # Search unsolved challenges in this category
         solve_filter = (Solves.team_id == team.id) if team else (Solves.user_id == user.id)
         challenges = Challenges.query.filter(
             Challenges.category == category,
@@ -65,26 +65,28 @@ def load(app):
         ).all()
 
         for chall in challenges:
-            for flag in Flags.query.filter_by(challenge_id=chall.id).all():
+            # 1. Manual check (no DB write)
+            flags = Flags.query.filter_by(challenge_id=chall.id).all()
+            for flag in flags:
                 try:
-                    if get_flag_class(flag.type).compare(flag, provided_flag):
-                        # USE NATIVE CTFd SOLVE LOGIC
-                        # This handles Solves, Submissions, and Scoreboard updates correctly.
+                    if get_flag_class(flag.type).compare(flag, provided):
+                        # 2. Match found! Now use built-in CTFd methods.
                         chal_class = get_chal_class(chall.type)
+                        
+                        # attempt() creates the 'correct' Submission record
+                        chal_class.attempt(chall, request)
+                        
+                        # solve() creates the Solve record and awards points
                         chal_class.solve(user=user, team=team, challenge=chall, request=request)
                         
                         db.session.commit()
-                        return jsonify({
-                            'success': True, 
-                            'message': f'Correct! You solved: {chall.name}',
-                            'challenge_id': chall.id  # Pass this back to help the JS
-                        })
+                        return jsonify({'success': True, 'message': f'Correct! Solved: {chall.name}'})
                 except Exception: continue
 
-        # Log incorrect submission natively
+        # 3. No match: Log ONE incorrect attempt globally
         db.session.add(Submissions(
             user_id=user.id, team_id=team.id if team else None,
-            challenge_id=None, ip=request.remote_addr, provided=provided_flag, type='incorrect'
+            challenge_id=None, ip=request.remote_addr, provided=provided, type='incorrect'
         ))
         db.session.commit()
         return jsonify({'success': False, 'message': 'Incorrect Flag'})
diff --git a/assets/category_submit.js b/assets/category_submit.js
index c30c1bd..b877457 100644
--- a/assets/category_submit.js
+++ b/assets/category_submit.js
@@ -5,21 +5,21 @@
         const enabledCategories = config.categories || [];
         document.querySelectorAll('.category-header').forEach(header => {
             const catName = header.textContent.trim();
-            if (enabledCategories.includes(catName) && !header.nextElementSibling.classList.contains('cat-sub-row')) {
+            
+            // Check if already injected to prevent duplicates
+            if (enabledCategories.includes(catName) && !header.nextElementSibling?.classList.contains('cat-sub-row')) {
                 const row = document.createElement('div');
                 row.className = "cat-sub-row row mb-4 justify-content-center"; 
                 row.innerHTML = `
                     <div class="col-md-10">
-                        <div class="form-row">
-                            <div class="col-9">
-                                <input type="text" 
-                                       class="form-control form-control-lg bg-dark text-light border-secondary" 
-                                       placeholder="Submit a flag for ${catName}..." 
-                                       id="in-${catName.replace(/\s+/g, '-')}" 
-                                       autocomplete="off">
-                            </div>
-                            <div class="col-3">
-                                <button class="btn btn-success btn-lg btn-block" data-cat="${catName}">Submit</button>
+                        <div class="input-group input-group-lg">
+                            <input type="text" 
+                                   class="form-control bg-dark text-light border-secondary" 
+                                   placeholder="Submit ${catName} flag..." 
+                                   id="in-${catName.replace(/\s+/g, '-')}" 
+                                   autocomplete="off">
+                            <div class="input-group-append">
+                                <button class="btn btn-success px-4" type="button">Submit</button>
                             </div>
                         </div>
                         <div class="status-msg mt-2" style="min-height: 24px; font-weight: bold;"></div>
@@ -27,13 +27,13 @@
                 `;
                 header.after(row);
 
-                row.querySelector('button').onclick = function() {
-                    const btn = this;
-                    const container = row.querySelector('.col-md-10');
-                    const input = container.querySelector('input');
-                    const msg = container.querySelector('.status-msg');
+                const input = row.querySelector('input');
+                const btn = row.querySelector('button');
+                const msg = row.querySelector('.status-msg');
+
+                const submitFlag = () => {
                     const val = input.value.trim();
-                    if (!val) return;
+                    if (!val || btn.disabled) return;
 
                     btn.disabled = true;
                     msg.innerHTML = '<span class="text-info">Checking...</span>';
@@ -50,14 +50,20 @@
                         if (data.success) {
                             msg.innerHTML = `<span class="text-success">✔ ${data.message}</span>`;
                             input.value = '';
-                            // Delay reload slightly so the user sees the success message
-                            setTimeout(() => { window.location.reload(); }, 1200);
+                            setTimeout(() => { window.location.reload(); }, 1000);
                         } else {
                             msg.innerHTML = `<span class="text-danger">✘ ${data.message}</span>`;
                             btn.disabled = false;
                         }
+                    })
+                    .catch(() => {
+                        msg.innerHTML = '<span class="text-danger">Submission error</span>';
+                        btn.disabled = false;
                     });
                 };
+
+                btn.onclick = submitFlag;
+                input.onkeypress = (e) => { if (e.key === 'Enter') submitFlag(); };
             }
         });
     }
@@ -71,4 +77,4 @@
         });
         observer.observe(document.body, { childList: true, subtree: true });
     });
-})();
\ No newline at end of file
+})();