fix(team_endpoints.py): check if key belongs to team before returning /team/info

2024-07-16 21:16:34 -07:00 · 2024-07-16 21:16:34 -07:00 · ccbc7cfb9f
commit ccbc7cfb9f
parent dec5c7a2ba
5 changed files with 15 additions and 9 deletions
--- a/litellm/proxy/management_endpoints/team_endpoints.py
+++ b/litellm/proxy/management_endpoints/team_endpoints.py
@ -713,6 +713,7 @@ async def team_info(
    team_id: str = fastapi.Query(
        default=None, description="Team ID in the request parameters"
    ),
+    user_api_key_dict: UserAPIKeyAuth = Depends(user_api_key_auth),
 ):
    """
    get info on team + related keys
@ -747,6 +748,12 @@ async def team_info(
                detail={"message": "Malformed request. No team id passed in."},
            )

+        if user_api_key_dict.team_id or (team_id != user_api_key_dict.team_id):
+            raise HTTPException(
+                status_code=status.HTTP_403_FORBIDDEN,
+                detail="key not allowed to access this team's info",
+            )
+
        team_info = await prisma_client.get_data(
            team_id=team_id, table_name="team", query_type="find_unique"
        )