fix: team filter not working for uploaded software (#19159)

> Related issue: #19153

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

<!-- Note that API documentation changes are now addressed by the
product design team. -->

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality

changes/19153-duplicate

@@ -0,0 +1 @@
+- Fixes a bug that caused the `GET /software/titles` endpoint to ignore the team filter for uploaded software.

server/datastore/mysql/software_titles.go

@@ -204,7 +204,7 @@ SELECT
 	MAX(COALESCE(sthc.updated_at, date('0001-01-01 00:00:00'))) as counts_updated_at,
 	si.filename as software_package
 FROM software_titles st
-LEFT JOIN software_installers si ON si.title_id = st.id
+LEFT JOIN software_installers si ON si.title_id = st.id AND COALESCE(si.team_id, 0) = ?
 LEFT JOIN software_titles_host_counts sthc ON sthc.software_title_id = st.id AND sthc.team_id = ?
 -- placeholder for JOIN on software/software_cve
 %s
@@ -220,9 +220,10 @@ GROUP BY st.id, software_package`
 	}
 
 	var globalOrTeamID uint
-	args := []any{0}
+	args := []any{0, 0}
 	if opt.TeamID != nil {
 		args[0] = *opt.TeamID
+		args[1] = *opt.TeamID
 		globalOrTeamID = *opt.TeamID
 	}
 

server/service/integration_enterprise_test.go

@@ -7629,6 +7629,7 @@ func (s *integrationEnterpriseTestSuite) TestAllSoftwareTitles() {
 	payload := &fleet.UploadSoftwareInstallerPayload{
 		InstallScript: "install",
 		Filename:      "ruby.deb",
+		TeamID:        &team1.ID,
 	}
 	s.uploadSoftwareInstaller(payload, http.StatusOK, "")
 
@@ -7638,6 +7639,30 @@ func (s *integrationEnterpriseTestSuite) TestAllSoftwareTitles() {
 		listSoftwareTitlesRequest{},
 		http.StatusOK, &resp,
 		"query", "ruby",
+		"team_id", fmt.Sprintf("%d", team1.ID),
+	)
+
+	require.Len(t, resp.SoftwareTitles, 1)
+	require.NotNil(t, resp.SoftwareTitles[0].SoftwarePackage)
+	require.Equal(t, "ruby.deb", *resp.SoftwareTitles[0].SoftwarePackage)
+
+	// Upload an installer for the same software but different arch to a different team
+	payload = &fleet.UploadSoftwareInstallerPayload{
+		InstallScript: "install",
+		Filename:      "ruby_arm64.deb",
+		TeamID:        &team2.ID,
+	}
+	s.uploadSoftwareInstaller(payload, http.StatusOK, "")
+
+	// We should only see the one we uploaded to team 1
+
+	resp = listSoftwareTitlesResponse{}
+	s.DoJSON(
+		"GET", "/api/latest/fleet/software/titles",
+		listSoftwareTitlesRequest{},
+		http.StatusOK, &resp,
+		"query", "ruby",
+		"team_id", fmt.Sprintf("%d", team1.ID),
 	)
 
 	require.Len(t, resp.SoftwareTitles, 1)