permit team managers to see the team

cutt/player.py

@@ -185,6 +185,8 @@ async def list_players(
             )
         ] + demo_players
 
+    allowed_scopes = set(user.scopes.split())
+
     with Session(engine) as session:
         current_user = session.exec(
             select(P)
@@ -192,7 +194,7 @@ async def list_players(
             .join(Team)
             .where(Team.id == team_id, P.disabled == False, P.id == user.id)
         ).one_or_none()
-        if not current_user:
+        if not current_user and f"team:{team_id}" not in allowed_scopes:
             raise HTTPException(
                 status_code=status.HTTP_400_BAD_REQUEST,
                 detail="you're not in this team",
@@ -223,10 +225,28 @@ async def list_players(
 
 
 def read_teams_me(user: Annotated[P, Depends(get_current_active_user)]):
+    allowed_scopes = set(user.scopes.split())
+    team_ids = {
+        int(scope.split(":")[1])
+        for scope in allowed_scopes
+        if scope.startswith("team:")
+    }
     with Session(engine) as session:
-        return [p.teams for p in session.exec(select(P).where(P.id == user.id))][0] + [
+        member_in = [p.teams for p in session.exec(select(P).where(P.id == user.id))][0]
-            {"country": "nowhere", "id": 42, "location": "everywhere", "name": "DEMO"}
+        team_ids -= {team.id for team in member_in}
+        team_manager_in = session.exec(select(Team).where(Team.id.in_(team_ids))).all()
+        return (
+            member_in
+            + list(team_manager_in)
+            + [
+                {
+                    "country": "nowhere",
+                    "id": 42,
+                    "location": "everywhere",
+                    "name": "DEMO",
+                }
             ]
+        )
 
 
 player_router.add_api_route(