Ensure data-only viewers cannot use SPI to access user list

platform/lib/platform/permissions.ex

@@ -17,6 +17,16 @@ defmodule Platform.Permissions do
   alias Platform.Projects.ProjectMembership
   alias Platform.API.APIToken
 
+  def can_view_project_members?(%User{} = user, %Project{} = project) do
+    membership = Projects.get_project_membership_by_user_and_project(user, project)
+
+    can_view_project?(
+      user,
+      project,
+      membership
+    ) and membership.role != :data_only_viewer
+  end
+
   def can_view_project?(%User{} = user, %Project{} = project) do
     can_view_project?(
       user,

platform/lib/platform_web/controllers/spi/spi_controller.ex

@@ -18,7 +18,7 @@ defmodule PlatformWeb.SPIController do
 
     get_project_users = fn project ->
       if is_nil(project) or
-           not Permissions.can_view_project?(conn.assigns.current_user, project) do
+           not Permissions.can_view_project_members?(conn.assigns.current_user, project) do
         raise PlatformWeb.Errors.NotFound, "Project not found"
       end