Fix team run team interaction.

server/api_runs_test.go

@@ -548,6 +548,15 @@ func TestRunPostStatusUpdate(t *testing.T) {
 		assert.Error(t, err)
 	})
 
+	t.Run("no permissions to run", func(t *testing.T) {
+		_, err := e.ServerAdminClient.RemoveTeamMember(e.BasicRun.TeamID, e.RegularUser.Id)
+		require.NoError(t, err)
+		err = e.PlaybooksClient.PlaybookRuns.UpdateStatus(context.Background(), e.BasicRun.ID, "update", 600)
+		requireErrorWithStatusCode(t, err, http.StatusForbidden)
+		_, _, err = e.ServerAdminClient.AddTeamMember(e.BasicRun.TeamID, e.RegularUser.Id)
+		require.NoError(t, err)
+	})
+
 	t.Run("no permissions to run", func(t *testing.T) {
 		_, _, err := e.ServerAdminClient.AddChannelMember(e.BasicRun.ChannelID, e.RegularUser2.Id)
 		require.NoError(t, err)

server/app/permissions_service.go

@@ -410,6 +410,10 @@ func (p *PermissionsService) RunManageProperties(userID, runID string) error {
 }
 
 func (p *PermissionsService) runManagePropertiesWithPlaybookRun(userID string, run *PlaybookRun) error {
+	if !p.canViewTeam(userID, run.TeamID) {
+		return errors.Wrapf(ErrNoPermissions, "no run access; no team view permission for team `%s`", run.TeamID)
+	}
+
 	if run.OwnerUserID == userID {
 		return nil
 	}
@@ -433,6 +437,10 @@ func (p *PermissionsService) RunView(userID, runID string) error {
 		return errors.Wrapf(err, "Unable to get run to determine permissions, run id `%s`", runID)
 	}
 
+	if !p.canViewTeam(userID, run.TeamID) {
+		return errors.Wrapf(ErrNoPermissions, "no run access; no team view permission for team `%s`", run.TeamID)
+	}
+
 	// Has permission if is the owner of the run
 	if run.OwnerUserID == userID {
 		return nil