From ca533f40c97f8daf2056a958ce6cf835f3cf7466 Mon Sep 17 00:00:00 2001
From: loks0n <22452787+loks0n@users.noreply.github.com>
Date: Wed, 13 Nov 2024 10:45:50 +0100
Subject: [PATCH] fix: memberships-privacy mfa only

---
 app/controllers/api/teams.php                 | 11 +++++--
 .../Services/Teams/TeamsCustomClientTest.php  | 32 +++++++++++++++++++
 2 files changed, 40 insertions(+), 3 deletions(-)

diff --git a/app/controllers/api/teams.php b/app/controllers/api/teams.php
index be055f0935..ba1858c5aa 100644
--- a/app/controllers/api/teams.php
+++ b/app/controllers/api/teams.php
@@ -805,8 +805,11 @@ App::get('/v1/teams/:teamId/memberships')
         }, $membershipsPrivacy);
 
         $memberships = array_map(function ($membership) use ($dbForProject, $team, $membershipsPrivacy) {
+            $user = !empty(array_filter($membershipsPrivacy))
+                ? $dbForProject->getDocument('users', $membership->getAttribute('userId'))
+                : new Document();
+
             if ($membershipsPrivacy['mfa']) {
-                $user = $dbForProject->getDocument('users', $membership->getAttribute('userId'));
                 $mfa = $user->getAttribute('mfa', false);
 
                 if ($mfa) {
@@ -888,9 +891,11 @@ App::get('/v1/teams/:teamId/memberships/:membershipId')
             return $privacy || $isPrivilegedUser || $isAppUser;
         }, $membershipsPrivacy);
 
-        if ($membershipsPrivacy['mfa']) {
-            $user = $dbForProject->getDocument('users', $membership->getAttribute('userId'));
+        $user = !empty(array_filter($membershipsPrivacy))
+            ? $dbForProject->getDocument('users', $membership->getAttribute('userId'))
+            : new Document();
 
+        if ($membershipsPrivacy['mfa']) {
             $mfa = $user->getAttribute('mfa', false);
 
             if ($mfa) {
diff --git a/tests/e2e/Services/Teams/TeamsCustomClientTest.php b/tests/e2e/Services/Teams/TeamsCustomClientTest.php
index 03cb1983f1..7286bb0827 100644
--- a/tests/e2e/Services/Teams/TeamsCustomClientTest.php
+++ b/tests/e2e/Services/Teams/TeamsCustomClientTest.php
@@ -83,6 +83,38 @@ class TeamsCustomClientTest extends Scope
         $this->assertNotEmpty($response['body']['memberships'][0]['userName']);
         $this->assertNotEmpty($response['body']['memberships'][0]['userEmail']);
         $this->assertArrayHasKey('mfa', $response['body']['memberships'][0]);
+
+        /**
+         * Update project settings to show only MFA
+         */
+        $response = $this->client->call(Client::METHOD_PATCH, '/projects/' . $this->getProject()['$id'] . '/auth/memberships-privacy', array_merge([
+            'content-type' => 'application/json',
+            'x-appwrite-project' => 'console',
+            'cookie' => 'a_session_console=' . $this->getRoot()['session'],
+        ]), [
+            'userName' => false,
+            'userEmail' => false,
+            'mfa' => true,
+        ]);
+
+        $this->assertEquals(200, $response['headers']['status-code']);
+
+        /**
+         * Test that sensitive fields are not shown
+         */
+        $response = $this->client->call(Client::METHOD_GET, '/teams/' . $teamUid . '/memberships', array_merge([
+            'content-type' => 'application/json',
+            'x-appwrite-project' => $projectId,
+        ], $this->getHeaders()));
+
+        $this->assertEquals(200, $response['headers']['status-code']);
+        $this->assertIsInt($response['body']['total']);
+        $this->assertNotEmpty($response['body']['memberships'][0]['$id']);
+
+        // Assert that sensitive fields are present
+        $this->assertEmpty($response['body']['memberships'][0]['userName']);
+        $this->assertEmpty($response['body']['memberships'][0]['userEmail']);
+        $this->assertArrayHasKey('mfa', $response['body']['memberships'][0]);
     }
 
     /**