From 81d6a022292019ba04754e49bf619154b42e7c98 Mon Sep 17 00:00:00 2001
From: julius
Date: Tue, 25 Mar 2025 16:38:44 +0100
Subject: [PATCH] feat: disallow non-members to list team members

---
 cutt/player.py | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/cutt/player.py b/cutt/player.py
index 2c7973e..9deb00a 100644
--- a/cutt/player.py
+++ b/cutt/player.py
@@ -145,8 +145,22 @@ async def list_all_players():
         return session.exec(select(P)).all()
 
 
-async def list_players(team_id: int):
+async def list_players(
+    team_id: int, user: Annotated[Player, Depends(get_current_active_user)]
+):
     with Session(engine) as session:
+        current_user = session.exec(
+            select(P)
+            .join(PlayerTeamLink)
+            .join(Team)
+            .where(Team.id == team_id, P.disabled == False, P.id == user.id)
+        ).one_or_none()
+        if not current_user:
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail="you're not in this team",
+            )
+
         players = session.exec(
             select(P)
             .join(PlayerTeamLink)
@@ -187,7 +201,6 @@ player_router.add_api_route(
     "/{team_id}/list",
     endpoint=list_players,
     methods=["GET"],
-    dependencies=[Depends(get_current_active_user)],
 )
 player_router.add_api_route(
     "/list",
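Review bot: The membership check in list_players rejects a non-member with `status.HTTP_400_BAD_REQUEST`, but nothing about the request is malformed; the caller is authenticated and simply not authorized for this team, so the raise should use `status_code=status.HTTP_403_FORBIDDEN,` so that clients and access logs can tell an authorization denial from a bad request. The `detail` message is the same whether the team does not exist or the user is just not in it, which is good, since it does not reveal which team ids exist; keeping that property is worth a short comment above the check, e.g. `# deny non-members; same response for unknown team ids, so team existence is not leaked`. `.one_or_none()` presumably relies on PlayerTeamLink holding at most one row per (player, team) pair, otherwise it raises MultipleResultsFound for a legitimate member; confirm that constraint exists or switch to `.first()`. The body of list_players continues past the end of the hunk.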