fix: permission mistake in team

ElaBosak233 · ElaBosak233 · commit b90337209ae4 · 2025-03-04T15:54:57.000+08:00
diff --git a/crates/db/src/util/mod.rs b/crates/db/src/util/mod.rs
@@ -7,10 +7,6 @@ use crate::{entity::team::State, get_db};
 
 pub async fn is_user_in_team(user_id: i64, team_id: i64) -> Result<bool, DbErr> {
     Ok(crate::entity::team_user::Entity::find()
-        .join(
-            JoinType::InnerJoin,
-            crate::entity::team_user::Relation::Team.def().rev(),
-        )
         .filter(crate::entity::team_user::Column::UserId.eq(user_id))
         .filter(crate::entity::team_user::Column::TeamId.eq(team_id))
         .count(get_db())
diff --git a/crates/web/src/router/api/game/game_id/team/team_id/mod.rs b/crates/web/src/router/api/game/game_id/team/team_id/mod.rs
@@ -82,7 +82,7 @@ pub async fn delete_team(
     Extension(ext): Extension<Ext>, Path((_game_id, team_id)): Path<(i64, i64)>,
 ) -> Result<WebResponse<()>, WebError> {
     let operator = ext.operator.ok_or(WebError::Unauthorized(json!("")))?;
-    if operator.group != Group::Admin {
+    if operator.group != Group::Admin && !cds_db::util::is_user_in_team(operator.id, team_id).await? {
         return Err(WebError::Forbidden(json!("")));
     }
 
diff --git a/crates/web/src/router/api/game/game_id/team/team_id/token/mod.rs b/crates/web/src/router/api/game/game_id/team/team_id/token/mod.rs
@@ -31,7 +31,7 @@ pub async fn create_token(
             .ok_or(WebError::BadRequest(json!("team_not_found")))?,
     );
 
-    if operator.group != Group::Admin && cds_db::util::is_user_in_team(operator.id, team.id).await?
+    if operator.group != Group::Admin && !cds_db::util::is_user_in_team(operator.id, team.id).await?
     {
         return Err(WebError::Forbidden(json!("")));
     }
@@ -61,7 +61,7 @@ pub async fn get_token(
             .ok_or(WebError::BadRequest(json!("team_not_found")))?,
     );
 
-    if operator.group != Group::Admin && cds_db::util::is_user_in_team(operator.id, team.id).await?
+    if operator.group != Group::Admin && !cds_db::util::is_user_in_team(operator.id, team.id).await?
     {
         return Err(WebError::Forbidden(json!("")));
     }
@@ -89,7 +89,7 @@ pub async fn delete_token(
             .ok_or(WebError::BadRequest(json!("team_not_found")))?,
     );
 
-    if operator.group != Group::Admin && cds_db::util::is_user_in_team(operator.id, team.id).await?
+    if operator.group != Group::Admin && !cds_db::util::is_user_in_team(operator.id, team.id).await?
     {
         return Err(WebError::Forbidden(json!("")));
     }

Original file line number	Diff line number	Diff line change
`@@ -82,7 +82,7 @@ pub async fn delete_team(`
`82`	`82`	`Extension(ext): Extension<Ext>, Path((_game_id, team_id)): Path<(i64, i64)>,`
`83`	`83`	`) -> Result<WebResponse<()>, WebError> {`
`84`	`84`	`let operator = ext.operator.ok_or(WebError::Unauthorized(json!("")))?;`
`85`		`- if operator.group != Group::Admin {`
	`85`	`+ if operator.group != Group::Admin && !cds_db::util::is_user_in_team(operator.id, team_id).await? {`
`86`	`86`	`return Err(WebError::Forbidden(json!("")));`
`87`	`87`	`}`
`88`	`88`
Original file line number	Diff line number	Diff line change
`@@ -31,7 +31,7 @@ pub async fn create_token(`
`31`	`31`	`.ok_or(WebError::BadRequest(json!("team_not_found")))?,`
`32`	`32`	`);`
`33`	`33`
`34`		`- if operator.group != Group::Admin && cds_db::util::is_user_in_team(operator.id, team.id).await?`
	`34`	`+ if operator.group != Group::Admin && !cds_db::util::is_user_in_team(operator.id, team.id).await?`
`35`	`35`	`{`
`36`	`36`	`return Err(WebError::Forbidden(json!("")));`
`37`	`37`	`}`
`@@ -61,7 +61,7 @@ pub async fn get_token(`
`61`	`61`	`.ok_or(WebError::BadRequest(json!("team_not_found")))?,`
`62`	`62`	`);`
`63`	`63`
`64`		`- if operator.group != Group::Admin && cds_db::util::is_user_in_team(operator.id, team.id).await?`
	`64`	`+ if operator.group != Group::Admin && !cds_db::util::is_user_in_team(operator.id, team.id).await?`
`65`	`65`	`{`
`66`	`66`	`return Err(WebError::Forbidden(json!("")));`
`67`	`67`	`}`
`@@ -89,7 +89,7 @@ pub async fn delete_token(`
`89`	`89`	`.ok_or(WebError::BadRequest(json!("team_not_found")))?,`
`90`	`90`	`);`
`91`	`91`
`92`		`- if operator.group != Group::Admin && cds_db::util::is_user_in_team(operator.id, team.id).await?`
	`92`	`+ if operator.group != Group::Admin && !cds_db::util::is_user_in_team(operator.id, team.id).await?`
`93`	`93`	`{`
`94`	`94`	`return Err(WebError::Forbidden(json!("")));`
`95`	`95`	`}`