diff --git a/app/controllers/api/teams.php b/app/controllers/api/teams.php index 5d13fcfa6..d870f49af 100644 --- a/app/controllers/api/teams.php +++ b/app/controllers/api/teams.php @@ -718,7 +718,7 @@ App::get('/v1/teams/:teamId/memberships') } // Set internal queries - $queries[] = Query::equal('teamId', [$teamId]); + $queries[] = Query::equal('teamInternalId', [$team->getInternalId()]); /** * Get cursor document if there was a cursor query, we use array_filter and reset for reference $cursor to $queries @@ -947,16 +947,16 @@ App::patch('/v1/teams/:teamId/memberships/:membershipId/status') throw new Exception(Exception::MEMBERSHIP_NOT_FOUND); } - if ($membership->getAttribute('teamId') !== $teamId) { - throw new Exception(Exception::TEAM_MEMBERSHIP_MISMATCH); - } - $team = Authorization::skip(fn () => $dbForProject->getDocument('teams', $teamId)); if ($team->isEmpty()) { throw new Exception(Exception::TEAM_NOT_FOUND); } + if ($membership->getAttribute('teamInternalId') !== $team->getInternalId()) { + throw new Exception(Exception::TEAM_MEMBERSHIP_MISMATCH); + } + if (Auth::hash($secret) !== $membership->getAttribute('secret')) { throw new Exception(Exception::TEAM_INVALID_SECRET); } @@ -1075,10 +1075,6 @@ App::delete('/v1/teams/:teamId/memberships/:membershipId') throw new Exception(Exception::TEAM_INVITE_NOT_FOUND); } - if ($membership->getAttribute('teamId') !== $teamId) { - throw new Exception(Exception::TEAM_MEMBERSHIP_MISMATCH); - } - $user = $dbForProject->getDocument('users', $membership->getAttribute('userId')); if ($user->isEmpty()) { @@ -1091,6 +1087,10 @@ App::delete('/v1/teams/:teamId/memberships/:membershipId') throw new Exception(Exception::TEAM_NOT_FOUND); } + if ($membership->getAttribute('teamInternalId') !== $team->getInternalId()) { + throw new Exception(Exception::TEAM_MEMBERSHIP_MISMATCH); + } + try { $dbForProject->deleteDocument('memberships', $membership->getId()); } catch (AuthorizationException $exception) {