Added permissions for revoked membership (#2016)

met-api/src/met_api/models/engagement.py

@@ -271,9 +271,11 @@ def _filter_by_assigned_engagements(query, external_user_id: int, exception_stat
             engagement_id
             for engagement_id, in (
                 db.session.query(Engagement.id)
-                .join(MembershipModel)
+                .join(MembershipModel, MembershipModel.engagement_id == Engagement.id)
                 .join(StaffUser, StaffUser.external_id == external_user_id)
                 .filter(MembershipModel.user_id == StaffUser.id)
+                .filter(MembershipModel.is_latest.is_(True))
+                .filter(MembershipModel.status == MembershipStatus.ACTIVE.value)
                 .all()
             )
         ]

met-api/src/met_api/services/membership_service.py

@@ -10,7 +10,9 @@
 from met_api.services.staff_user_service import KEYCLOAK_SERVICE, StaffUserService
 from met_api.utils.enums import KeycloakGroups, MembershipStatus
 from met_api.utils.constants import Groups
-from ..exceptions.business_exception import BusinessException
+from met_api.services import authorization
+from met_api.exceptions.business_exception import BusinessException
+from met_api.utils.roles import Role
 
 
 class MembershipService:
@@ -138,6 +140,12 @@ def update_membership_status(engagement_id: int, user_id: int, action: str):
         if membership.engagement_id != int(engagement_id):
             raise ValueError('Membership does not belong to this engagement.')
 
+        one_of_roles = (
+            MembershipType.TEAM_MEMBER.name,
+            Role.EDIT_MEMBERS.value
+        )
+        authorization.check_auth(one_of_roles=one_of_roles, engagement_id=engagement_id)
+
         if not membership:
             raise ValueError('Invalid Membership.')