From da6af4ae711a60f464ec4f7a0e61f40397424456 Mon Sep 17 00:00:00 2001
From: Mondo Diaz <armando.m.diaz@boeing.com>
Date: Wed, 28 Jan 2026 00:14:16 +0000
Subject: [PATCH] Fix team members not seeing private projects in listings

The list_projects endpoint was only showing projects that were public or
created by the user. Updated to also include projects belonging to teams
where the user is a member.

This allows team members to see private projects in the main project
listing, not just on the team dashboard.
---
 backend/app/routes.py | 39 +++++++++++++++++++++++++++++++++++----
 1 file changed, 35 insertions(+), 4 deletions(-)

diff --git a/backend/app/routes.py b/backend/app/routes.py
index 44bc830..ddff35a 100644
--- a/backend/app/routes.py
+++ b/backend/app/routes.py
@@ -1450,15 +1450,46 @@ def list_projects(
         )
 
     # Base query - filter by access
-    query = db.query(Project).filter(
-        or_(Project.is_public == True, Project.created_by == user_id)
-    )
+    # Users can see projects that are:
+    # 1. Public
+    # 2. Created by them
+    # 3. Belong to a team they're a member of
+    if current_user:
+        # Get team IDs where user is a member
+        user_team_ids = db.query(TeamMembership.team_id).filter(
+            TeamMembership.user_id == current_user.id
+        ).subquery()
+
+        query = db.query(Project).filter(
+            or_(
+                Project.is_public == True,
+                Project.created_by == user_id,
+                Project.team_id.in_(user_team_ids)
+            )
+        )
+    else:
+        # Anonymous users only see public projects
+        query = db.query(Project).filter(Project.is_public == True)
 
     # Apply visibility filter
     if visibility == "public":
         query = query.filter(Project.is_public == True)
     elif visibility == "private":
-        query = query.filter(Project.is_public == False, Project.created_by == user_id)
+        if current_user:
+            # Get team IDs where user is a member (for private filter)
+            user_team_ids_for_private = db.query(TeamMembership.team_id).filter(
+                TeamMembership.user_id == current_user.id
+            ).subquery()
+            query = query.filter(
+                Project.is_public == False,
+                or_(
+                    Project.created_by == user_id,
+                    Project.team_id.in_(user_team_ids_for_private)
+                )
+            )
+        else:
+            # Anonymous users can't see private projects
+            query = query.filter(False)
 
     # Apply search filter (case-insensitive on name and description)
     if search: