From 21d33eaceb0463e98b0a026409897b72dd1690ad Mon Sep 17 00:00:00 2001
From: Damodar Lohani
Date: Sun, 17 Mar 2024 15:08:43 +0545
Subject: [PATCH 1/2] Use team internal ID for checks and queries for membership

---
 app/controllers/api/teams.php | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/app/controllers/api/teams.php b/app/controllers/api/teams.php
index 5d13fcfa6..4ece69312 100644
--- a/app/controllers/api/teams.php
+++ b/app/controllers/api/teams.php
@@ -718,7 +718,7 @@ App::get('/v1/teams/:teamId/memberships')
         }
 
         // Set internal queries
-        $queries[] = Query::equal('teamId', [$teamId]);
+        $queries[] = Query::equal('teamInternalId', [$team->getInternalId()]);
 
         /**
          * Get cursor document if there was a cursor query, we use array_filter and reset for reference $cursor to $queries
@@ -947,16 +947,16 @@ App::patch('/v1/teams/:teamId/memberships/:membershipId/status')
             throw new Exception(Exception::MEMBERSHIP_NOT_FOUND);
         }
 
-        if ($membership->getAttribute('teamId') !== $teamId) {
-            throw new Exception(Exception::TEAM_MEMBERSHIP_MISMATCH);
-        }
-
         $team = Authorization::skip(fn () => $dbForProject->getDocument('teams', $teamId));
 
         if ($team->isEmpty()) {
             throw new Exception(Exception::TEAM_NOT_FOUND);
         }
 
+        if ($membership->getAttribute('teamInternalId') !== $team->getInternalId()) {
+            throw new Exception(Exception::TEAM_MEMBERSHIP_MISMATCH);
+        }
+
         if (Auth::hash($secret) !== $membership->getAttribute('secret')) {
             throw new Exception(Exception::TEAM_INVALID_SECRET);
         }
@@ -1075,10 +1075,6 @@ App::delete('/v1/teams/:teamId/memberships/:membershipId')
             throw new Exception(Exception::TEAM_INVITE_NOT_FOUND);
         }
 
-        if ($membership->getAttribute('teamId') !== $teamId) {
-            throw new Exception(Exception::TEAM_MEMBERSHIP_MISMATCH);
-        }
-
         $user = $dbForProject->getDocument('users', $membership->getAttribute('userId'));
 
         if ($user->isEmpty()) {
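Review bot: The rewritten query at the changed line in the `App::get('/v1/teams/:teamId/memberships')` hunk now depends on `$team` having been loaded and verified non-empty earlier in the handler, which starts outside this hunk; if that guard were absent, `$team->getInternalId()` on an empty document would yield an empty value and the filter would quietly match nothing (or any document with an empty `teamInternalId`) instead of surfacing `TEAM_NOT_FOUND`. Worth confirming the handler has `if ($team->isEmpty()) { throw new Exception(Exception::TEAM_NOT_FOUND); }` ahead of this line, as the patch and delete handlers do. A one-line comment such as `// Scope the listing to the resolved team's internal ID rather than the caller-supplied teamId` would record why the filter key changed.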
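Review bot: The added comparison `$membership->getAttribute('teamInternalId') !== $team->getInternalId()` in the status handler is strict, so it throws `TEAM_MEMBERSHIP_MISMATCH` whenever the two sides differ in scalar type, and also when an older membership document carries no `teamInternalId` attribute at all (the getter then returns its default, presumably null). Failing closed is the right default for a binding check between a membership and the team in the route, but if either situation applies to existing data every status update on those memberships would fail with a misleading error rather than a migration hint; confirm both values are the same type and that stored memberships have the attribute populated, and cover the happy path in the membership status tests. The same check is duplicated verbatim in the delete handler (hunk at 1086 in this commit); a small shared helper would keep the two in step if the comparison ever changes again.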
@@ -1090,6 +1086,10 @@ App::delete('/v1/teams/:teamId/memberships/:membershipId')
         if ($team->isEmpty()) {
             throw new Exception(Exception::TEAM_NOT_FOUND);
         }
+        
+        if ($membership->getAttribute('teamInternalId') !== $team->getInternalId()) {
+            throw new Exception(Exception::TEAM_MEMBERSHIP_MISMATCH);
+        }
 
         try {
             $dbForProject->deleteDocument('memberships', $membership->getId());

From d4bc65260f4f25aac5cd5d32e22bb350b04fb3ad Mon Sep 17 00:00:00 2001
From: Damodar Lohani
Date: Sun, 17 Mar 2024 09:39:21 +0000
Subject: [PATCH 2/2] fix linter issues

---
 app/controllers/api/teams.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/controllers/api/teams.php b/app/controllers/api/teams.php
index 4ece69312..d870f49af 100644
--- a/app/controllers/api/teams.php
+++ b/app/controllers/api/teams.php
@@ -1086,7 +1086,7 @@ App::delete('/v1/teams/:teamId/memberships/:membershipId')
         if ($team->isEmpty()) {
             throw new Exception(Exception::TEAM_NOT_FOUND);
         }
-        
+
         if ($membership->getAttribute('teamInternalId') !== $team->getInternalId()) {
             throw new Exception(Exception::TEAM_MEMBERSHIP_MISMATCH);
         }
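Review bot: The re-added `teamInternalId` check in the delete handler now runs after the `users` lookup that the hunk at 1075 left in place, so the handler reads the membership's user document before it has confirmed the membership belongs to the team in the route, and a missing user now reports its own error ahead of `TEAM_MEMBERSHIP_MISMATCH`. This is an ordering change rather than a bypass, since nothing is returned or deleted before the comparison, but a binding check like this is easiest to reason about when it is the first thing that happens after both documents are resolved; moving the `$team` lookup (it sits between the two hunks and is not shown) up next to the membership lookup and placing this check directly after it would restore the previous error sequence and mirror the status handler above. The enclosing handler continues beyond this hunk.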