permit team managers to see the team

2025-12-21 08:26:16 +01:00
parent b2b6f4af14
commit a654b12c64
1 changed files with 24 additions and 4 deletions
--- a/cutt/player.py
+++ b/cutt/player.py
@@ -185,6 +185,8 @@ async def list_players(
            )
        ] + demo_players

+    allowed_scopes = set(user.scopes.split())
+
    with Session(engine) as session:
        current_user = session.exec(
            select(P)
@@ -192,7 +194,7 @@ async def list_players(
            .join(Team)
            .where(Team.id == team_id, P.disabled == False, P.id == user.id)
        ).one_or_none()
-        if not current_user:
+        if not current_user and f"team:{team_id}" not in allowed_scopes:
            raise HTTPException(
                status_code=status.HTTP_400_BAD_REQUEST,
                detail="you're not in this team",
@@ -223,10 +225,28 @@ async def list_players(


 def read_teams_me(user: Annotated[P, Depends(get_current_active_user)]):
+    allowed_scopes = set(user.scopes.split())
+    team_ids = {
+        int(scope.split(":")[1])
+        for scope in allowed_scopes
+        if scope.startswith("team:")
+    }
    with Session(engine) as session:
-        return [p.teams for p in session.exec(select(P).where(P.id == user.id))][0] + [
-            {"country": "nowhere", "id": 42, "location": "everywhere", "name": "DEMO"}
+        member_in = [p.teams for p in session.exec(select(P).where(P.id == user.id))][0]
+        team_ids -= {team.id for team in member_in}
+        team_manager_in = session.exec(select(Team).where(Team.id.in_(team_ids))).all()
+        return (
+            member_in
+            + list(team_manager_in)
+            + [
+                {
+                    "country": "nowhere",
+                    "id": 42,
+                    "location": "everywhere",
+                    "name": "DEMO",
+                }
            ]
+        )


 player_router.add_api_route(