import 'express-validator'
import { body, param, query } from 'express-validator/check'
import { UserRight, VideoPrivacy } from '../../../shared'
-import { isBooleanValid, isIdOrUUIDValid, isIdValid } from '../../helpers/custom-validators/misc'
+import { isBooleanValid, isIdOrUUIDValid, isIdValid, isUUIDValid } from '../../helpers/custom-validators/misc'
import {
isVideoAbuseReasonValid, isVideoCategoryValid, isVideoDescriptionValid, isVideoExist, isVideoFile, isVideoLanguageValid,
isVideoLicenceValid, isVideoNameValid, isVideoPrivacyValid, isVideoRatingTypeValid, isVideoTagsValid
const video = res.locals.video
- // Video is not private, anyone can access it
- if (video.privacy !== VideoPrivacy.PRIVATE) return next()
+ // Video is public, anyone can access it
+ if (video.privacy === VideoPrivacy.PUBLIC) return next()
+ // Video is unlisted, check we used the uuid to fetch it
+ if (video.privacy === VideoPrivacy.UNLISTED) {
+ if (isUUIDValid(req.params.id)) return next()
+
+ // Don't leak this unlisted video
+ return res.status(404).end()
+ }
+
+ // Video is private, check the user
authenticate(req, res, () => {
if (video.VideoChannel.Account.userId !== res.locals.oauth.token.User.id) {
return res.status(403)
}
// Check if the user can delete the video
- // The user can delete it if s/he is an admin
+ // The user can delete it if he has the right
// Or if s/he is the video's account
const account = video.VideoChannel.Account
if (user.hasRight(UserRight.REMOVE_ANY_VIDEO) === false && account.userId !== user.id) {
projects / github / Chocobozzz / PeerTube.git / blobdiff