CTFd is a Python-based open-source Capture The Flag (CTF) web app. I wanted to use it in a context where I didn't want to collect email addresses of the registering users. To archive this, I decided to take the easy way and hack myself around the problem: just hide the email-field in the registration form and generate a random address for every registration.
The following patch was applied to commit
4c31dc23 but should be easily translatable to future versions of CTFd.
diff --git a/CTFd/auth.py b/CTFd/auth.py
index 2f801f0..944f61e 100644
--- a/CTFd/auth.py
+++ b/CTFd/auth.py
@@ -1,6 +1,8 @@
import base64
import requests
+import random
+import string
from flask import Blueprint
from flask import current_app as app
from flask import redirect, render_template, request, session, url_for
@@ -187,7 +189,7 @@ def register():
errors = get_errors()
if request.method == "POST":
name = request.form.get("name", "").strip()
- email_address = request.form.get("email", "").strip().lower()
+ email_address = ''.join(random.choice(string.ascii_lowercase) for i in range(20)) + '@example.com'
password = request.form.get("password", "").strip()
website = request.form.get("website")
diff --git a/CTFd/themes/core/templates/register.html b/CTFd/themes/core/templates/register.html
index ecc5bb4..55e5bc1 100644
--- a/CTFd/themes/core/templates/register.html
+++ b/CTFd/themes/core/templates/register.html
@@ -32,9 +32,9 @@
Your username on the site
</small>
</div>
- <div class="form-group">
+ <div class="form-group" style="display: none;">
<b>{{ form.email.label }}</b>
- {{ form.email(class="form-control", value=email) }}
+ {{ form.email(class="form-control", value='test@example.com') }}
<small class="form-text text-muted">
Never shown to the public
</small>