Check video privacy when creating comments/rates
[github/Chocobozzz/PeerTube.git] / server / middlewares / validators / videos / video-rates.ts
index 01bdef25fe3870da940a359829735300aa6e2b1e..923bf3eaf9fe02da1ede9e845015a9a71f020afd 100644 (file)
@@ -1,18 +1,18 @@
-import * as express from 'express'
+import express from 'express'
 import { body, param, query } from 'express-validator'
-import { isIdOrUUIDValid, isIdValid } from '../../../helpers/custom-validators/misc'
+import { HttpStatusCode } from '../../../../shared/models/http/http-error-codes'
+import { VideoRateType } from '../../../../shared/models/videos'
+import { isAccountNameValid } from '../../../helpers/custom-validators/accounts'
+import { isIdValid } from '../../../helpers/custom-validators/misc'
 import { isRatingValid } from '../../../helpers/custom-validators/video-rates'
 import { isVideoRatingTypeValid } from '../../../helpers/custom-validators/videos'
 import { logger } from '../../../helpers/logger'
-import { areValidationErrors } from '../utils'
 import { AccountVideoRateModel } from '../../../models/account/account-video-rate'
-import { VideoRateType } from '../../../../shared/models/videos'
-import { isAccountNameValid } from '../../../helpers/custom-validators/accounts'
-import { doesVideoExist } from '../../../helpers/middlewares'
-import { HttpStatusCode } from '../../../../shared/core-utils/miscs/http-error-codes'
+import { areValidationErrors, checkCanSeeVideoIfPrivate, doesVideoExist, isValidVideoIdParam } from '../shared'
 
 const videoUpdateRateValidator = [
-  param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
+  isValidVideoIdParam('id'),
+
   body('rating').custom(isVideoRatingTypeValid).withMessage('Should have a valid rate type'),
 
   async (req: express.Request, res: express.Response, next: express.NextFunction) => {
@@ -21,6 +21,13 @@ const videoUpdateRateValidator = [
     if (areValidationErrors(req, res)) return
     if (!await doesVideoExist(req.params.id, res)) return
 
+    if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.videoAll)) {
+      return res.fail({
+        status: HttpStatusCode.FORBIDDEN_403,
+        message: 'Cannot access to this ressource'
+      })
+    }
+
     return next()
   }
 ]
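Review bot: The new 403 branch makes this endpoint answer differently for a private video the caller may not see than for an id that does not exist, since `doesVideoExist` runs first and presumably answers 404 on a miss; that difference lets a caller confirm which ids or UUIDs belong to private videos. If that disclosure is not intended, answer both cases the same way, e.g. `status: HttpStatusCode.NOT_FOUND_404,` with `message: 'Video not found'`. Because `checkCanSeeVideoIfPrivate` is handed `res`, confirm it never sends a response itself on failure, otherwise `res.fail` would write a second one. The message text also has typos; `message: 'Cannot access this resource'` reads better. The handler starts in the previous hunk and its first lines are not shown.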
@@ -37,8 +44,10 @@ const getAccountVideoRateValidatorFactory = function (rateType: VideoRateType) {
 
       const rate = await AccountVideoRateModel.loadLocalAndPopulateVideo(rateType, req.params.name, +req.params.videoId)
       if (!rate) {
-        return res.status(HttpStatusCode.NOT_FOUND_404)
-                  .json({ error: 'Video rate not found' })
+        return res.fail({
+          status: HttpStatusCode.NOT_FOUND_404,
+          message: 'Video rate not found'
+        })
       }
 
       res.locals.accountVideoRate = rate
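Review bot: This lookup only gets the `res.fail` conversion and, in the lines shown, no visibility check comparable to the one added to `videoUpdateRateValidator`, although `loadLocalAndPopulateVideo` loads the video along with the rate. If the route built from this factory can be reached for a private video, the existence of an account's like or dislike on it would be disclosed to a caller who cannot see the video. Confirm whether the populated video should go through `checkCanSeeVideoIfPrivate` after the `if (!rate)` block, or add a short comment stating where that restriction is enforced. The factory's body begins and ends outside the hunk, so the check may already exist there.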