From a654b12c64231d3e0519ccfb37b45beb0669981b Mon Sep 17 00:00:00 2001
From: julius
Date: Sun, 21 Dec 2025 08:26:16 +0100
Subject: [PATCH] permit team managers to see the team

---
 cutt/player.py | 28 ++++++++++++++++++++++++----
 1 file changed, 24 insertions(+), 4 deletions(-)

diff --git a/cutt/player.py b/cutt/player.py
index 616ffd5..9d3ef5d 100644
--- a/cutt/player.py
+++ b/cutt/player.py
@@ -185,6 +185,8 @@ async def list_players(
 )
 ] + demo_players

+ allowed_scopes = set(user.scopes.split())
+
 with Session(engine) as session:
 current_user = session.exec(
 select(P)
@@ -192,7 +194,7 @@ async def list_players(
 .join(Team)
 .where(Team.id == team_id, P.disabled == False, P.id == user.id)
 ).one_or_none()
- if not current_user:
+ if not current_user and f"team:{team_id}" not in allowed_scopes:
 raise HTTPException(
 status_code=status.HTTP_400_BAD_REQUEST,
 detail="you're not in this team",
@@ -223,10 +225,28 @@ async def list_players(


 def read_teams_me(user: Annotated[P, Depends(get_current_active_user)]):
+ allowed_scopes = set(user.scopes.split())
+ team_ids = {
+ int(scope.split(":")[1])
+ for scope in allowed_scopes
+ if scope.startswith("team:")
+ }
 with Session(engine) as session:
- return [p.teams for p in session.exec(select(P).where(P.id == user.id))][0] + [
- {"country": "nowhere", "id": 42, "location": "everywhere", "name": "DEMO"}
- ]
+ member_in = [p.teams for p in session.exec(select(P).where(P.id == user.id))][0]
+ team_ids -= {team.id for team in member_in}
+ team_manager_in = session.exec(select(Team).where(Team.id.in_(team_ids))).all()
+ return (
+ member_in
+ + list(team_manager_in)
+ + [
+ {
+ "country": "nowhere",
+ "id": 42,
+ "location": "everywhere",
+ "name": "DEMO",
+ }
+ ]
+ )


 player_router.add_api_route(
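Review bot: `set(user.scopes.split())` assumes `scopes` is always a string; the `P` model is not visible here, so if that field can be NULL the call raises AttributeError and the request ends in a 500. `allowed_scopes = set((user.scopes or "").split())` would treat a missing value as "no scopes". The same line is added again in `read_teams_me` in the last hunk, so a small shared helper would keep the two copies from drifting apart. `list_players` starts and ends outside this hunk.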
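Review bot: The scope branch added to `if not current_user and f"team:{team_id}" not in allowed_scopes:` bypasses everything the membership query enforces, including `P.disabled == False`, so roster access for a manager rests entirely on whatever populated `user.scopes`. The hunk does not show how `user` is resolved in `list_players` or which code path can write the scopes string; please confirm that disabled accounts are rejected before this point and that `team:<id>` scopes are only ever assigned server-side. A comment above the guard such as `# team managers are authorised by an exact "team:<id>" scope, not by membership` would record that intent for the next reader. The function body starts and ends outside the hunk.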
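Review bot: `int(scope.split(":")[1])` in the `team_ids` comprehension raises ValueError for any scope that starts with `team:` but carries no numeric id (`team:` or `team:abc`), so one malformed scope turns this endpoint into a 500 for that user. It also reads `team:7:anything` as team 7, while `list_players` only accepts the exact string `team:7`, so the two endpoints can disagree about what a scope grants. Parsing the remainder strictly avoids the crash and narrows the mismatch: use `int(scope[5:])` with the filter `if scope.startswith("team:") and scope[5:].isdecimal()`.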