diff --git a/server.js b/server.js
index 584f3b5..9d26372 100644
--- a/server.js
+++ b/server.js
@@ -202,7 +202,7 @@ apiRouter.get('/state', async (req, res) => {
 state.isStarted = state.config.isStarted === 'true';
 db.all("SELECT id, name, isAdmin, isDisabled FROM teams", (err, teams) => {
 if (err) return res.status(500).json({ error: 'Failed to fetch teams' });
- state.teams = teams || [];
+ state.teams = teamId ? (teams || []) : [];
 db.all("SELECT * FROM challenges", (err, challenges) => {
 if (err) return res.status(500).json({ error: 'Failed to fetch challenges' });
 db.all("SELECT * FROM solves", (err, solves) => {
@@ -211,18 +211,22 @@ apiRouter.get('/state', async (req, res) => {
 if (err) return res.status(500).json({ error: 'Failed to fetch blogs' });
 state.solves = solves || [];
 state.blogs = blogs || [];
- state.challenges = (challenges || []).map(c => {
- const enriched = {
- ...c,
- files: JSON.parse(c.files || '[]'),
- solves: state.solves.filter(s => s.challengeId === c.id).map(s => s.teamId)
- };
- // CRITICAL SECURITY FIX: Hide flag if not admin
- if (!isAdmin) {
- delete enriched.flag;
- }
- return enriched;
- });
+ if (!teamId || (!isAdmin && !state.isStarted)) {
+ state.challenges = [];
+ } else {
+ state.challenges = (challenges || []).map(c => {
+ const enriched = {
+ ...c,
+ files: JSON.parse(c.files || '[]'),
+ solves: state.solves.filter(s => s.challengeId === c.id).map(s => s.teamId)
+ };
+ // CRITICAL SECURITY FIX: Hide flag if not admin
+ if (!isAdmin) {
+ delete enriched.flag;
+ }
+ return enriched;
+ });
+ }
 res.json(state);
 });
 });
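Review bot: The new gate on `teamId`/`isStarted` empties `state.teams` and `state.challenges`, but `state.solves` and `state.blogs` are assigned just above it (from `SELECT * FROM solves` and the blogs query) and are still sent by `res.json(state)` to a request with no `teamId`, so an unauthenticated caller still receives every solves row, including team/challenge pairs and whatever other columns that table carries, plus the blog list. Clearing them under the same condition closes that, e.g. `state.challenges = []; state.solves = []; state.blogs = [];` in the first branch, or only `solves` if blogs are intended to be public before start. Separately, `delete enriched.flag` is a deny-list applied to rows fetched with `SELECT *`; projecting the columns the client needs in the query, as the teams query already does, would keep any future sensitive column out of the response by default. The enclosing handler and the derivation of `teamId` and `isAdmin` start before the hunk, so whether those values come from the server-side session rather than the request cannot be confirmed here.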