Merge pull request #8969 from appwrite/fix-memberships-privacy-mfa

fix: memberships privacy mfa
2026-05-23 08:58:35 +00:00 · 2024-11-13 12:36:57 +01:00 · 2024-11-13 12:36:57 +01:00 · 7f06b0ec76
commit 7f06b0ec76
parent 97bcccba85 ca533f40c9
2 changed files with 40 additions and 3 deletions
--- a/app/controllers/api/teams.php
+++ b/app/controllers/api/teams.php
@ -805,8 +805,11 @@ App::get('/v1/teams/:teamId/memberships')
        }, $membershipsPrivacy);

        $memberships = array_map(function ($membership) use ($dbForProject, $team, $membershipsPrivacy) {
+            $user = !empty(array_filter($membershipsPrivacy))
+                ? $dbForProject->getDocument('users', $membership->getAttribute('userId'))
+                : new Document();
+
            if ($membershipsPrivacy['mfa']) {
-                $user = $dbForProject->getDocument('users', $membership->getAttribute('userId'));
                $mfa = $user->getAttribute('mfa', false);

                if ($mfa) {
@ -888,9 +891,11 @@ App::get('/v1/teams/:teamId/memberships/:membershipId')
            return $privacy || $isPrivilegedUser || $isAppUser;
        }, $membershipsPrivacy);

-        if ($membershipsPrivacy['mfa']) {
-            $user = $dbForProject->getDocument('users', $membership->getAttribute('userId'));
+        $user = !empty(array_filter($membershipsPrivacy))
+            ? $dbForProject->getDocument('users', $membership->getAttribute('userId'))
+            : new Document();

+        if ($membershipsPrivacy['mfa']) {
            $mfa = $user->getAttribute('mfa', false);

            if ($mfa) {
--- a/tests/e2e/Services/Teams/TeamsCustomClientTest.php
+++ b/tests/e2e/Services/Teams/TeamsCustomClientTest.php
@ -83,6 +83,38 @@ class TeamsCustomClientTest extends Scope
        $this->assertNotEmpty($response['body']['memberships'][0]['userName']);
        $this->assertNotEmpty($response['body']['memberships'][0]['userEmail']);
        $this->assertArrayHasKey('mfa', $response['body']['memberships'][0]);
+
+        /**
+         * Update project settings to show only MFA
+         */
+        $response = $this->client->call(Client::METHOD_PATCH, '/projects/' . $this->getProject()['$id'] . '/auth/memberships-privacy', array_merge([
+            'content-type' => 'application/json',
+            'x-appwrite-project' => 'console',
+            'cookie' => 'a_session_console=' . $this->getRoot()['session'],
+        ]), [
+            'userName' => false,
+            'userEmail' => false,
+            'mfa' => true,
+        ]);
+
+        $this->assertEquals(200, $response['headers']['status-code']);
+
+        /**
+         * Test that sensitive fields are not shown
+         */
+        $response = $this->client->call(Client::METHOD_GET, '/teams/' . $teamUid . '/memberships', array_merge([
+            'content-type' => 'application/json',
+            'x-appwrite-project' => $projectId,
+        ], $this->getHeaders()));
+
+        $this->assertEquals(200, $response['headers']['status-code']);
+        $this->assertIsInt($response['body']['total']);
+        $this->assertNotEmpty($response['body']['memberships'][0]['$id']);
+
+        // Assert that sensitive fields are present
+        $this->assertEmpty($response['body']['memberships'][0]['userName']);
+        $this->assertEmpty($response['body']['memberships'][0]['userEmail']);
+        $this->assertArrayHasKey('mfa', $response['body']['memberships'][0]);
    }

    /**