fix(proxy_server.py): secure /team/info endpoint

make sure user requesting team info is part of team or admin
2024-04-16 11:39:52 -07:00 · 2024-04-16 11:39:52 -07:00 · 3f8abe2754
commit 3f8abe2754
parent 77df5d7658
2 changed files with 39 additions and 0 deletions
--- a/litellm/proxy/proxy_server.py
+++ b/litellm/proxy/proxy_server.py
@ -1040,6 +1040,15 @@ async def user_api_key_auth(
                elif route == "/model/info":
                    # /model/info just shows models user has access to
                    pass
+                elif route == "/team/info":
+                    # check if key can access this team's info
+                    query_params = request.query_params
+                    team_id = query_params.get("team_id")
+                    if team_id != valid_token.team_id:
+                        raise HTTPException(
+                            status_code=status.HTTP_403_FORBIDDEN,
+                            detail="key not allowed to access this team's info",
+                        )
                else:
                    raise Exception(
                        f"Only master key can be used to generate, delete, update info for new keys/users."