X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=server%2Fmiddlewares%2Fvalidators%2Fvideos.ts;h=a2c8661522a21994061267fa359225dabc819e98;hb=d9eaee3939bf2e93e5d775d32bce77842201faba;hp=9357c1e39709ea3c1e5869c73181fd8bffad804c;hpb=cf7a61b5a2b68fd966c4a355e37e84b048ed296b;p=github%2FChocobozzz%2FPeerTube.git

diff --git a/server/middlewares/validators/videos.ts b/server/middlewares/validators/videos.ts
index 9357c1e39..a2c866152 100644
--- a/server/middlewares/validators/videos.ts
+++ b/server/middlewares/validators/videos.ts
@@ -14,7 +14,6 @@ import {
 import {
   checkUserCanManageVideo,
   isScheduleVideoUpdatePrivacyValid,
-  isVideoAbuseReasonValid,
   isVideoCategoryValid,
   isVideoChannelOfAccountExist,
   isVideoDescriptionValid,
@@ -35,7 +34,9 @@ import { CONSTRAINTS_FIELDS } from '../../initializers'
 import { VideoShareModel } from '../../models/video/video-share'
 import { authenticate } from '../oauth'
 import { areValidationErrors } from './utils'
-import { cleanUpReqFiles } from '../../helpers/utils'
+import { cleanUpReqFiles } from '../../helpers/express-utils'
+import { VideoModel } from '../../models/video/video'
+import { UserModel } from '../../models/account/user'
 
 const videosAddValidator = getCommonVideoAttributes().concat([
   body('videofile')
@@ -132,7 +133,25 @@ const videosGetValidator = [
     if (areValidationErrors(req, res)) return
     if (!await isVideoExist(req.params.id, res)) return
 
-    const video = res.locals.video
+    const video: VideoModel = res.locals.video
+
+    // Video private or blacklisted
+    if (video.privacy === VideoPrivacy.PRIVATE || video.VideoBlacklist) {
+      return authenticate(req, res, () => {
+        const user: UserModel = res.locals.oauth.token.User
+
+        // Only the owner or a user that have blacklist rights can see the video
+        if (video.VideoChannel.Account.userId !== user.id && !user.hasRight(UserRight.MANAGE_VIDEO_BLACKLIST)) {
+          return res.status(403)
+                    .json({ error: 'Cannot get this private or blacklisted video.' })
+                    .end()
+        }
+
+        return next()
+      })
+
+      return
+    }
 
     // Video is public, anyone can access it
     if (video.privacy === VideoPrivacy.PUBLIC) return next()
@@ -144,17 +163,6 @@ const videosGetValidator = [
       // Don't leak this unlisted video
       return res.status(404).end()
     }
-
-    // Video is private, check the user
-    authenticate(req, res, () => {
-      if (video.VideoChannel.Account.userId !== res.locals.oauth.token.User.id) {
-        return res.status(403)
-          .json({ error: 'Cannot get this private video of another user' })
-          .end()
-      }
-
-      return next()
-    })
   }
 ]
 
@@ -174,20 +182,6 @@ const videosRemoveValidator = [
   }
 ]
 
-const videoAbuseReportValidator = [
-  param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
-  body('reason').custom(isVideoAbuseReasonValid).withMessage('Should have a valid reason'),
-
-  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
-    logger.debug('Checking videoAbuseReport parameters', { parameters: req.body })
-
-    if (areValidationErrors(req, res)) return
-    if (!await isVideoExist(req.params.id, res)) return
-
-    return next()
-  }
-]
-
 const videoRateValidator = [
   param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
   body('rating').custom(isVideoRatingTypeValid).withMessage('Should have a valid rate type'),
@@ -223,36 +217,6 @@ const videosShareValidator = [
   }
 ]
 
-// ---------------------------------------------------------------------------
-
-export {
-  videosAddValidator,
-  videosUpdateValidator,
-  videosGetValidator,
-  videosRemoveValidator,
-  videosShareValidator,
-
-  videoAbuseReportValidator,
-
-  videoRateValidator
-}
-
-// ---------------------------------------------------------------------------
-
-function areErrorsInScheduleUpdate (req: express.Request, res: express.Response) {
-  if (req.body.scheduleUpdate) {
-    if (!req.body.scheduleUpdate.updateAt) {
-      res.status(400)
-         .json({ error: 'Schedule update at is mandatory.' })
-         .end()
-
-      return true
-    }
-  }
-
-  return false
-}
-
 function getCommonVideoAttributes () {
   return [
     body('thumbnailfile')
@@ -319,3 +283,33 @@ function getCommonVideoAttributes () {
       .custom(isScheduleVideoUpdatePrivacyValid).withMessage('Should have correct schedule update privacy')
   ] as (ValidationChain | express.Handler)[]
 }
+
+// ---------------------------------------------------------------------------
+
+export {
+  videosAddValidator,
+  videosUpdateValidator,
+  videosGetValidator,
+  videosRemoveValidator,
+  videosShareValidator,
+
+  videoRateValidator,
+
+  getCommonVideoAttributes
+}
+
+// ---------------------------------------------------------------------------
+
+function areErrorsInScheduleUpdate (req: express.Request, res: express.Response) {
+  if (req.body.scheduleUpdate) {
+    if (!req.body.scheduleUpdate.updateAt) {
+      res.status(400)
+         .json({ error: 'Schedule update at is mandatory.' })
+         .end()
+
+      return true
+    }
+  }
+
+  return false
+}