Check video privacy when creating comments/rates
[github/Chocobozzz/PeerTube.git] / server / middlewares / validators / videos / video-rates.ts
index 204b4a78de1e069f1ccbb8f99c779473e62610ae..923bf3eaf9fe02da1ede9e845015a9a71f020afd 100644 (file)
@@ -1,17 +1,18 @@
-import * as express from 'express'
-import 'express-validator'
-import { body, param, query } from 'express-validator/check'
-import { isIdOrUUIDValid } from '../../../helpers/custom-validators/misc'
+import express from 'express'
+import { body, param, query } from 'express-validator'
+import { HttpStatusCode } from '../../../../shared/models/http/http-error-codes'
+import { VideoRateType } from '../../../../shared/models/videos'
+import { isAccountNameValid } from '../../../helpers/custom-validators/accounts'
+import { isIdValid } from '../../../helpers/custom-validators/misc'
 import { isRatingValid } from '../../../helpers/custom-validators/video-rates'
-import { doesVideoExist, isVideoRatingTypeValid } from '../../../helpers/custom-validators/videos'
+import { isVideoRatingTypeValid } from '../../../helpers/custom-validators/videos'
 import { logger } from '../../../helpers/logger'
-import { areValidationErrors } from '../utils'
 import { AccountVideoRateModel } from '../../../models/account/account-video-rate'
-import { VideoRateType } from '../../../../shared/models/videos'
-import { isAccountNameValid } from '../../../helpers/custom-validators/accounts'
+import { areValidationErrors, checkCanSeeVideoIfPrivate, doesVideoExist, isValidVideoIdParam } from '../shared'
 
 const videoUpdateRateValidator = [
-  param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
+  isValidVideoIdParam('id'),
+
   body('rating').custom(isVideoRatingTypeValid).withMessage('Should have a valid rate type'),
 
   async (req: express.Request, res: express.Response, next: express.NextFunction) => {
@@ -20,25 +21,33 @@ const videoUpdateRateValidator = [
     if (areValidationErrors(req, res)) return
     if (!await doesVideoExist(req.params.id, res)) return
 
+    if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.videoAll)) {
+      return res.fail({
+        status: HttpStatusCode.FORBIDDEN_403,
+        message: 'Cannot access to this ressource'
+      })
+    }
+
     return next()
   }
 ]
 
-const getAccountVideoRateValidator = function (rateType: VideoRateType) {
+const getAccountVideoRateValidatorFactory = function (rateType: VideoRateType) {
   return [
     param('name').custom(isAccountNameValid).withMessage('Should have a valid account name'),
-    param('videoId').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid videoId'),
+    param('videoId').custom(isIdValid).not().isEmpty().withMessage('Should have a valid videoId'),
 
     async (req: express.Request, res: express.Response, next: express.NextFunction) => {
       logger.debug('Checking videoCommentGetValidator parameters.', { parameters: req.params })
 
       if (areValidationErrors(req, res)) return
 
-      const rate = await AccountVideoRateModel.loadLocalAndPopulateVideo(rateType, req.params.name, req.params.videoId)
+      const rate = await AccountVideoRateModel.loadLocalAndPopulateVideo(rateType, req.params.name, +req.params.videoId)
       if (!rate) {
-        return res.status(404)
-                  .json({ error: 'Video rate not found' })
-                  .end()
+        return res.fail({
+          status: HttpStatusCode.NOT_FOUND_404,
+          message: 'Video rate not found'
+        })
       }
 
       res.locals.accountVideoRate = rate
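Review bot: The new 403 branch in `videoUpdateRateValidator` answers differently for a video the caller may not see than the not-found reply that `doesVideoExist` presumably sends for an unknown id one check earlier, so the status code alone confirms that a private video exists at that id. If that is not meant to be observable, reply with `status: HttpStatusCode.NOT_FOUND_404` here, as the rate lookup further down this hunk does. Judging from this call, `checkCanSeeVideoIfPrivate` only returns a boolean and leaves the response to the caller; that is worth confirming, because a helper that had already replied would make `res.fail` a second send on the same response. Separately, the message would read better as `message: 'Cannot access this resource'`. The handler this guard sits in begins in the previous hunk.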
@@ -51,7 +60,7 @@ const getAccountVideoRateValidator = function (rateType: VideoRateType) {
 const videoRatingValidator = [
   query('rating').optional().custom(isRatingValid).withMessage('Value must be one of "like" or "dislike"'),
 
-  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
+  (req: express.Request, res: express.Response, next: express.NextFunction) => {
     logger.debug('Checking rating parameter', { parameters: req.params })
 
     if (areValidationErrors(req, res)) return
@@ -64,6 +73,6 @@ const videoRatingValidator = [
 
 export {
   videoUpdateRateValidator,
-  getAccountVideoRateValidator,
+  getAccountVideoRateValidatorFactory,
   videoRatingValidator
 }