Fix video right check

diff --git a/server/middlewares/auth.ts b/server/middlewares/auth.ts
index c5424be979b1703b7ba479a63c9925fa424c7871..ad3b24ab21c27a1147aa3ca59ce8db56154f02c1 100644 (file)
--- a/server/middlewares/auth.ts
+++ b/server/middlewares/auth.ts
@@ -47,7 +47,7 @@ function authenticateSocket (socket: Socket, next: (err?: any) => void) {
     .catch(err => logger.error('Cannot get access token.', { err }))
 }
 
-function authenticatePromiseIfNeeded (req: express.Request, res: express.Response, authenticateInQuery = false) {
+function authenticatePromise (req: express.Request, res: express.Response, authenticateInQuery = false) {
   return new Promise<void>(resolve => {
     // Already authenticated? (or tried to)
     if (res.locals.oauth?.token.User) return resolve()
@@ -76,6 +76,6 @@ function optionalAuthenticate (req: express.Request, res: express.Response, next
 export {
   authenticate,
   authenticateSocket,
-  authenticatePromiseIfNeeded,
+  authenticatePromise,
   optionalAuthenticate
 }

diff --git a/server/middlewares/validators/shared/videos.ts b/server/middlewares/validators/shared/videos.ts
index 39aab6df7207aae0bf24c1c37dcef2132076b717..2c2ae381127f4294e3b42ef24cd5bff2f6b3d654 100644 (file)
--- a/server/middlewares/validators/shared/videos.ts
+++ b/server/middlewares/validators/shared/videos.ts
@@ -2,7 +2,7 @@ import { Request, Response } from 'express'
 import { isUUIDValid } from '@server/helpers/custom-validators/misc'
 import { loadVideo, VideoLoadType } from '@server/lib/model-loaders'
 import { isAbleToUploadVideo } from '@server/lib/user'
-import { authenticatePromiseIfNeeded } from '@server/middlewares/auth'
+import { authenticatePromise } from '@server/middlewares/auth'
 import { VideoModel } from '@server/models/video/video'
 import { VideoChannelModel } from '@server/models/video/video-channel'
 import { VideoFileModel } from '@server/models/video/video-file'
@@ -137,7 +137,7 @@ async function checkCanSeeAuthVideo (req: Request, res: Response, video: MVideoI
     return false
   }
 
-  await authenticatePromiseIfNeeded(req, res, authenticateInQuery)
+  await authenticatePromise(req, res, authenticateInQuery)
 
   const user = res.locals.oauth?.token.User
   if (!user) return fail()
@@ -154,14 +154,15 @@ async function checkCanSeeAuthVideo (req: Request, res: Response, video: MVideoI
   }
 
   const isOwnedByUser = videoWithRights.VideoChannel.Account.userId === user.id
-  if (privacy === VideoPrivacy.PRIVATE || privacy === VideoPrivacy.UNLISTED) {
-    if (isOwnedByUser && user.hasRight(UserRight.SEE_ALL_VIDEOS)) return true
+
+  if (videoWithRights.isBlacklisted()) {
+    if (isOwnedByUser || user.hasRight(UserRight.MANAGE_VIDEO_BLACKLIST)) return true
 
     return fail()
   }
 
-  if (videoWithRights.isBlacklisted()) {
-    if (isOwnedByUser || user.hasRight(UserRight.MANAGE_VIDEO_BLACKLIST)) return true
+  if (privacy === VideoPrivacy.PRIVATE || privacy === VideoPrivacy.UNLISTED) {
+    if (isOwnedByUser || user.hasRight(UserRight.SEE_ALL_VIDEOS)) return true
 
     return fail()
   }

diff --git a/server/middlewares/validators/videos/video-playlists.ts b/server/middlewares/validators/videos/video-playlists.ts
index 241b9ed7b2eb2357151a60e8b0ab5e53244ae767..d514ae0ad19cf48bfcea355ece8a138a2e2a65f5 100644 (file)
--- a/server/middlewares/validators/videos/video-playlists.ts
+++ b/server/middlewares/validators/videos/video-playlists.ts
@@ -33,7 +33,7 @@ import { logger } from '../../../helpers/logger'
 import { CONSTRAINTS_FIELDS } from '../../../initializers/constants'
 import { VideoPlaylistElementModel } from '../../../models/video/video-playlist-element'
 import { MVideoPlaylist } from '../../../types/models/video/video-playlist'
-import { authenticatePromiseIfNeeded } from '../../auth'
+import { authenticatePromise } from '../../auth'
 import {
   areValidationErrors,
   doesVideoChannelIdExist,
@@ -161,7 +161,7 @@ const videoPlaylistsGetValidator = (fetchType: VideoPlaylistFetchType) => {
       }
 
       if (videoPlaylist.privacy === VideoPlaylistPrivacy.PRIVATE) {
-        await authenticatePromiseIfNeeded(req, res)
+        await authenticatePromise(req, res)
 
         const user = res.locals.oauth ? res.locals.oauth.token.User : null
 

diff --git a/server/tests/api/videos/video-privacy.ts b/server/tests/api/videos/video-privacy.ts
index 3051a443d8eaae9d94d3bfc6875d5b677c6b1235..1073aee8c48a538527665beecc7448c09c3dcae9 100644 (file)
--- a/server/tests/api/videos/video-privacy.ts
+++ b/server/tests/api/videos/video-privacy.ts
@@ -162,7 +162,7 @@ describe('Test video privacy', function () {
     })
 
     it('Should not be able to get this unlisted video using its id', async function () {
-      await servers[1].videos.get({ id: unlistedVideo.id, expectedStatus: HttpStatusCode.NOT_FOUND_404 })
+      await servers[1].videos.get({ id: unlistedVideo.id, expectedStatus: HttpStatusCode.UNAUTHORIZED_401 })
     })
 
     it('Should be able to get this unlisted video using its uuid/shortUUID', async function () {