Fix team membership delete

2024-09-28 07:21:35 +12:00 · 2022-08-15 18:04:00 +12:00 · 2022-08-15 18:04:00 +12:00 · 66f518b531
commit 66f518b531
parent 86f209800a
1 changed files with 8 additions and 0 deletions
--- a/app/controllers/api/teams.php
+++ b/app/controllers/api/teams.php
@ -831,6 +831,14 @@ App::delete('/v1/teams/:teamId/memberships/:membershipId')
            throw new Exception('Team not found', 404, Exception::TEAM_NOT_FOUND);
        }

+        /**
+         * Force document security
+         */
+        $validator = new Authorization('delete');
+        if (!$validator->isValid($membership->getDelete())) {
+            throw new Exception('Unauthorized permissions', 401, Exception::USER_UNAUTHORIZED);
+        }
+
        try {
            $dbForProject->deleteDocument('memberships', $membership->getId());
        } catch (AuthorizationException $exception) {