diff --git a/app/controllers/api/teams.php b/app/controllers/api/teams.php index 308f19e45e..978429e51c 100644 --- a/app/controllers/api/teams.php +++ b/app/controllers/api/teams.php @@ -694,7 +694,7 @@ App::get('/v1/teams/:teamId/memberships') } // Set internal queries - $queries[] = Query::equal('teamId', [$teamId]); + $queries[] = Query::equal('teamInternalId', [$team->getInternalId()]); // Get cursor document if there was a cursor query $cursor = \array_filter($queries, function ($query) { @@ -894,16 +894,16 @@ App::patch('/v1/teams/:teamId/memberships/:membershipId/status') throw new Exception(Exception::MEMBERSHIP_NOT_FOUND); } - if ($membership->getAttribute('teamId') !== $teamId) { - throw new Exception(Exception::TEAM_MEMBERSHIP_MISMATCH); - } - $team = Authorization::skip(fn() => $dbForProject->getDocument('teams', $teamId)); if ($team->isEmpty()) { throw new Exception(Exception::TEAM_NOT_FOUND); } + if ($membership->getAttribute('teamInternalId') !== $team->getInternalId()) { + throw new Exception(Exception::TEAM_MEMBERSHIP_MISMATCH); + } + if (Auth::hash($secret) !== $membership->getAttribute('secret')) { throw new Exception(Exception::TEAM_INVALID_SECRET); } @@ -1020,10 +1020,6 @@ App::delete('/v1/teams/:teamId/memberships/:membershipId') throw new Exception(Exception::TEAM_INVITE_NOT_FOUND); } - if ($membership->getAttribute('teamId') !== $teamId) { - throw new Exception(Exception::TEAM_MEMBERSHIP_MISMATCH); - } - $user = $dbForProject->getDocument('users', $membership->getAttribute('userId')); if ($user->isEmpty()) { @@ -1036,6 +1032,10 @@ App::delete('/v1/teams/:teamId/memberships/:membershipId') throw new Exception(Exception::TEAM_NOT_FOUND); } + if ($membership->getAttribute('teamInternalId') !== $team->getInternalId()) { + throw new Exception(Exception::TEAM_MEMBERSHIP_MISMATCH); + } + $dbForProject->deleteDocument('memberships', $membership->getId()); $dbForProject->deleteCachedDocument('users', $user->getId());