feat: disallow non-members to list team members

2025-03-25 16:38:44 +01:00 · 2025-03-25 16:38:44 +01:00 · 81d6a02229
commit 81d6a02229
parent 11f3f9f440
1 changed files with 15 additions and 2 deletions
--- a/cutt/player.py
+++ b/cutt/player.py
@ -145,8 +145,22 @@ async def list_all_players():
        return session.exec(select(P)).all()


-async def list_players(team_id: int):
+async def list_players(
+    team_id: int, user: Annotated[Player, Depends(get_current_active_user)]
+):
    with Session(engine) as session:
+        current_user = session.exec(
+            select(P)
+            .join(PlayerTeamLink)
+            .join(Team)
+            .where(Team.id == team_id, P.disabled == False, P.id == user.id)
+        ).one_or_none()
+        if not current_user:
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail="you're not in this team",
+            )
+
        players = session.exec(
            select(P)
            .join(PlayerTeamLink)
@ -187,7 +201,6 @@ player_router.add_api_route(
    "/{team_id}/list",
    endpoint=list_players,
    methods=["GET"],
-    dependencies=[Depends(get_current_active_user)],
 )
 player_router.add_api_route(
    "/list",