- const user = res.locals.oauth ? res.locals.oauth.token.User : null
-
- // Only the owner or a user that have blocklist rights can see the video
- if (!user || !user.canGetVideo(video)) {
- return res.fail({
- status: HttpStatusCode.FORBIDDEN_403,
- message: 'Cannot get this private/internal or blocklisted video'
- })
- }
-
- return next()
- }
-
- // Video is public, anyone can access it
- if (video.privacy === VideoPrivacy.PUBLIC) return next()
-
- // Video is unlisted, check we used the uuid to fetch it
- if (video.privacy === VideoPrivacy.UNLISTED) {
- if (isUUIDValid(req.params.id)) return next()
-
- // Don't leak this unlisted video
- return res.fail({
- status: HttpStatusCode.NOT_FOUND_404,
- message: 'Video not found'
- })
- }