ctfd-category-submit-plugin/__init__.py

import time
from flask import Blueprint, request, jsonify, render_template
from CTFd.models import db, Challenges, Flags, Solves, Submissions
from CTFd.utils.user import get_current_user, get_current_team
from CTFd.utils.decorators import authed_only, admins_only, during_ctf_time_only
from CTFd.utils.decorators.visibility import check_challenge_visibility
from CTFd.plugins.flags import get_flag_class
from CTFd.plugins.challenges import get_chal_class
from CTFd.utils import get_config, set_config
from CTFd.cache import clear_challenges, clear_standings

def load(app):
    plugin_bp = Blueprint('category_submission', __name__, 
                          template_folder='templates', static_folder='assets')

    @plugin_bp.route('/admin/category_submission', methods=['GET', 'POST'])
    @admins_only
    def admin_settings():
        if request.method == 'POST':
            set_config('cat_sub_categories', request.form.get('categories'))
            set_config('cat_sub_cooldown', request.form.get('cooldown'))
            return render_template('category_submit_settings.html', success=True, 
                                   categories=request.form.get('categories'), 
                                   cooldown=request.form.get('cooldown'))
        return render_template('category_submit_settings.html', 
            categories=get_config('cat_sub_categories') or "",
            cooldown=get_config('cat_sub_cooldown') or "3"
        )

    @plugin_bp.route('/category_submit/config', methods=['GET'])
    @check_challenge_visibility
    @during_ctf_time_only
    def get_plugin_config():
        return jsonify({
            'categories': [c.strip() for c in (get_config('cat_sub_categories') or "").split(',') if c.strip()],
            'cooldown': int(get_config('cat_sub_cooldown') or 3)
        })

    @plugin_bp.route('/category_submit', methods=['POST'])
    @authed_only
    @check_challenge_visibility
    @during_ctf_time_only
    def category_submit():
        user = get_current_user()
        team = get_current_team()
        category = request.form.get('category')
        provided = request.form.get('submission', '').strip()
        
        enabled_cats = [c.strip() for c in (get_config('cat_sub_categories') or "").split(',') if c.strip()]
        cooldown = int(get_config('cat_sub_cooldown') or 3)

        if category not in enabled_cats:
            return jsonify({'success': False, 'message': 'Invalid category'})

        # 1. Rate Limiting
        last_sub = Submissions.query.filter_by(user_id=user.id).order_by(Submissions.date.desc()).first()
        if last_sub and (time.time() - last_sub.date.timestamp() < cooldown):
            return jsonify({'success': False, 'message': f'Wait {cooldown}s'})

        # 2. Search unsolved challenges in this category
        solve_filter = (Solves.team_id == team.id) if team else (Solves.user_id == user.id)
        challenges = Challenges.query.filter(
            Challenges.category == category,
            Challenges.state == 'visible',
            ~Challenges.id.in_(db.session.query(Solves.challenge_id).filter(solve_filter))
        ).all()

        for chall in challenges:
            flags = Flags.query.filter_by(challenge_id=chall.id).all()
            for flag in flags:
                try:
                    # Perform comparison in-memory to avoid cluttering logs with incorrects
                    if get_flag_class(flag.type).compare(flag, provided):
                        # 3. Match Found: Log the correct submission
                        sub = Submissions(
                            user_id=user.id, team_id=team.id if team else None,
                            challenge_id=chall.id, ip=request.remote_addr, provided=provided, type='correct'
                        )
                        db.session.add(sub)
                        
                        # 4. Native Solve Logic (Handles points and Solves table)
                        chal_class = get_chal_class(chall.type)
                        chal_class.solve(user=user, team=team, challenge=chall, request=request)
                        
                        # 5. Clear Caches so UI reflects changes immediately
                        clear_challenges()
                        clear_standings()
                        
                        db.session.commit()
                        return jsonify({
                            'success': True, 
                            'message': f'Correct: {chall.name}', 
                            'challenge_id': chall.id 
                        })
                except Exception: continue

        # 6. No Match: Log exactly one incorrect attempt globally
        if (len(challenges) > 0):
            db.session.add(Submissions(
                user_id=user.id, team_id=team.id if team else None,
                challenge_id=challenges[0].id, ip=request.remote_addr, provided=provided, type='incorrect'
            ))
            db.session.commit()
        return jsonify({'success': False, 'message': 'Incorrect Flag'})

    app.register_blueprint(plugin_bp)
    from CTFd.utils.plugins import register_script
    register_script('/assets/category_submit.js')