X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=server%2Fmiddlewares%2Fvalidators%2Fvideos.ts;h=a365ed217e8e6a7c2224b117bdd389c880d15548;hb=81ebea48bfba2d81e62dd7a0f01a0cadf41d2607;hp=e8cb2ae03202be93c34555075c7209538901f46b;hpb=47564bbe2eeb2baae9b7e3f9b2b8d16522bc7e04;p=github%2FChocobozzz%2FPeerTube.git
diff --git a/server/middlewares/validators/videos.ts b/server/middlewares/validators/videos.ts
index e8cb2ae03..a365ed217 100644
--- a/server/middlewares/validators/videos.ts
+++ b/server/middlewares/validators/videos.ts
@@ -2,7 +2,7 @@ import * as express from 'express'
 import 'express-validator'
 import { body, param, query } from 'express-validator/check'
 import { UserRight, VideoPrivacy } from '../../../shared'
-import { isBooleanValid, isIdOrUUIDValid, isIdValid } from '../../helpers/custom-validators/misc'
+import { isBooleanValid, isIdOrUUIDValid, isIdValid, isUUIDValid } from '../../helpers/custom-validators/misc'
 import {
   isVideoAbuseReasonValid, isVideoCategoryValid, isVideoDescriptionValid, isVideoExist, isVideoFile, isVideoLanguageValid,
   isVideoLicenceValid, isVideoNameValid, isVideoPrivacyValid, isVideoRatingTypeValid, isVideoTagsValid
@@ -134,9 +134,18 @@ const videosGetValidator = [
 const video = res.locals.video
- // Video is not private, anyone can access it
- if (video.privacy !== VideoPrivacy.PRIVATE) return next()
+ // Video is public, anyone can access it
+ if (video.privacy === VideoPrivacy.PUBLIC) return next()
+ // Video is unlisted, check we used the uuid to fetch it
+ if (video.privacy === VideoPrivacy.UNLISTED) {
+ if (isUUIDValid(req.params.id)) return next()
+
+ // Don't leak this unlisted video
+ return res.status(404).end()
+ }
+
+ // Video is private, check the user
 authenticate(req, res, () => {
 if (video.VideoChannel.Account.userId !== res.locals.oauth.token.User.id) {
 return res.status(403)
@@ -253,7 +262,7 @@ function checkUserCanDeleteVideo (user: UserModel, video: VideoModel, res: expre
 }
 // Check if the user can delete the video
- // The user can delete it if s/he is an admin
+ // The user can delete it if he has the right
 // Or if s/he is the video's account
 const account = video.VideoChannel.Account
 if (user.hasRight(UserRight.REMOVE_ANY_VIDEO) === false && account.userId !== user.id) {
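Review bot: The rewritten comment `// The user can delete it if he has the right` names no right, while the condition two lines below tests `UserRight.REMOVE_ANY_VIDEO` specifically, so the comment is now less precise than the authorization check it describes; it also switches to "he" while the following line keeps "s/he". Suggest `// The user can delete it if s/he has the REMOVE_ANY_VIDEO right` so the two comment lines read consistently and a reader can tell which permission grants deletion of other users' videos. checkUserCanDeleteVideo starts and ends outside the hunk.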