feat: disallow non-members to list team members

cutt/player.py

@@ -145,8 +145,22 @@ async def list_all_players():
         return session.exec(select(P)).all()
 
 
-async def list_players(team_id: int):
+async def list_players(
+    team_id: int, user: Annotated[Player, Depends(get_current_active_user)]
+):
     with Session(engine) as session:
+        current_user = session.exec(
+            select(P)
+            .join(PlayerTeamLink)
+            .join(Team)
+            .where(Team.id == team_id, P.disabled == False, P.id == user.id)
+        ).one_or_none()
+        if not current_user:
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail="you're not in this team",
+            )
+
         players = session.exec(
             select(P)
             .join(PlayerTeamLink)
@@ -187,7 +201,6 @@ player_router.add_api_route(
     "/{team_id}/list",
     endpoint=list_players,
     methods=["GET"],
-    dependencies=[Depends(get_current_active_user)],
 )
 player_router.add_api_route(
     "/list",