No input validation in team eligibility allows adding internal flags like finalist #939

@spsquared

The API endpoint /api/team/bc25java/t/me/ has very little input validation, allowing anyone to edit requests and set their eligibility flags to any of these values: 1, 2, 3, 4, 5, 6, 8, 9, 10.

Some of these are intentional: 1, 2, 3, 4, and 8 are accessible through the competitor UI, but 6 (previously finalists for 2024 and before), 5, 9, and 10 (not sure what those are; there are no teams with those flags in any year) are reserved. You can still set them, though.

STEPS TO REPRODUCE

This is pretty easy to exploit using Firefox's "edit and resend" feature:

  1. Edit your team eligibility checkboxes and click save
  2. Open the developer tools and go to "Network," then find the "PATCH" request to /api/team/bc25java/t/me
  3. Right click and click "edit and resend"
  4. Change the "eligible_for" array to any combination of the above numbers
  5. Send the request

You can see that it works by editing the filter in the URL of the rankings page:

https://play.battlecode.org/bc25java/rankings?page=1&search=&eligibleFor=6

The filter shows up as blank, and the teams are filtered correctly.

You can add yourself to the finalists list using this method (flag 9):

https://play.battlecode.org/bc25java/rankings?page=2&search=&eligibleFor=9

The Realer Merlin, Pantheon, and SPAARK didn't compete in the finals but added themselves to the list through this method.

One concern is that teams could add themselves to the finalists list, which probably would be caught, but may still mess with the bracket. (I don't know if the brackets are automated, but it would cause issues.)
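
A server-side allowlist check for the `eligible_for` field described in this issue, as an added example that is not part of the original report or the project's code. The split into self-service IDs (1, 2, 3, 4, 8) and reserved IDs (5, 6, 9, 10) comes from the report; the function name, the `is_staff` parameter and the error type are assumptions.

```python
# Added example: names and structure are assumptions, not the project's code.
# The two ID sets are taken from the issue text above.
SELF_SERVICE = frozenset({1, 2, 3, 4, 8})   # settable from the competitor UI
RESERVED = frozenset({5, 6, 9, 10})         # internal flags such as finalist


class EligibilityError(ValueError):
    """Raised when a PATCH body carries an unacceptable eligible_for value."""


def validate_eligible_for(requested, current, is_staff=False):
    """Return the set of flags to store, or raise EligibilityError.

    requested: the eligible_for value parsed from the request JSON
    current:   flags already stored for the team
    is_staff:  True only for an authenticated administrator (assumption)
    """
    if not isinstance(requested, list):
        raise EligibilityError("eligible_for must be a list")
    # bool is a subclass of int in Python, so compare the exact type.
    if any(type(v) is not int for v in requested):
        raise EligibilityError("eligible_for entries must be integers")

    wanted = set(requested)
    unknown = wanted - SELF_SERVICE - RESERVED
    if unknown:
        raise EligibilityError(f"unknown flag(s): {sorted(unknown)}")

    current = set(current)
    if is_staff:
        return wanted

    # A competitor may neither add nor drop a reserved flag.
    added_reserved = (wanted & RESERVED) - current
    if added_reserved:
        raise EligibilityError(f"reserved flag(s): {sorted(added_reserved)}")
    return (wanted & SELF_SERVICE) | (current & RESERVED)
```

Because reserved flags already on the team are carried over from `current`, a competitor saving the normal checkboxes cannot strip a flag that an administrator assigned.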
