Don't leak unlisted videos in comments feed

diff --git a/server/controllers/feeds.ts b/server/controllers/feeds.ts
index 72628dffb94bc3d26a919a2971e44e3bc3d46965..cb82bfc6d2185f8bee5e076c698f9df325640349 100644 (file)
--- a/server/controllers/feeds.ts
+++ b/server/controllers/feeds.ts
@@ -67,7 +67,7 @@ async function generateVideoCommentsFeed (req: express.Request, res: express.Res
   const feed = initFeed(name, description)
 
   // Adding video items to the feed, one at a time
-  comments.forEach(comment => {
+  for (const comment of comments) {
     const link = WEBSERVER.URL + comment.getCommentStaticPath()
 
     let title = comment.Video.name
@@ -89,7 +89,7 @@ async function generateVideoCommentsFeed (req: express.Request, res: express.Res
       author,
       date: comment.createdAt
     })
-  })
+  }
 
   // Now the feed generation is done, let's send it!
   return sendFeed(feed, req, res)

diff --git a/server/models/video/video-comment.ts b/server/models/video/video-comment.ts
index b33c33d5efa002bc52f618584cefcfe508fa70a8..aedd7a3a95c9ebd506388e00790f9924eff8aec4 100644 (file)
--- a/server/models/video/video-comment.ts
+++ b/server/models/video/video-comment.ts
@@ -27,6 +27,7 @@ import {
   MCommentOwnerVideoReply
 } from '../../typings/models/video'
 import { MUserAccountId } from '@server/typings/models'
+import { VideoPrivacy } from '@shared/models'
 
 enum ScopeNames {
   WITH_ACCOUNT = 'WITH_ACCOUNT',
@@ -390,7 +391,10 @@ export class VideoCommentModel extends Model<VideoCommentModel> {
         {
           attributes: [ 'name', 'uuid' ],
           model: VideoModel.unscoped(),
-          required: true
+          required: true,
+          where: {
+            privacy: VideoPrivacy.PUBLIC
+          }
         }
       ]
     }

diff --git a/server/tests/feeds/feeds.ts b/server/tests/feeds/feeds.ts
index 4510177ccf0de942ae8f9d86d4bd76c07d72dafb..d978123cfc827449b0a22e28ae4da90f74146862 100644 (file)
--- a/server/tests/feeds/feeds.ts
+++ b/server/tests/feeds/feeds.ts
@@ -19,6 +19,7 @@ import * as libxmljs from 'libxmljs'
 import { addVideoCommentThread } from '../../../shared/extra-utils/videos/video-comments'
 import { waitJobs } from '../../../shared/extra-utils/server/jobs'
 import { User } from '../../../shared/models/users'
+import { VideoPrivacy } from '@shared/models'
 
 chai.use(require('chai-xml'))
 chai.use(require('chai-json-schema'))
@@ -77,6 +78,14 @@ describe('Test syndication feeds', () => {
       await addVideoCommentThread(servers[0].url, servers[0].accessToken, videoId, 'super comment 2')
     }
 
+    {
+      const videoAttributes = { name: 'unlisted video', privacy: VideoPrivacy.UNLISTED }
+      const res = await uploadVideo(servers[0].url, servers[0].accessToken, videoAttributes)
+      const videoId = res.body.video.id
+
+      await addVideoCommentThread(servers[0].url, servers[0].accessToken, videoId, 'comment on unlisted video')
+    }
+
     await waitJobs(servers)
   })
 
@@ -196,7 +205,8 @@ describe('Test syndication feeds', () => {
   })
 
   describe('Video comments feed', function () {
-    it('Should contain valid comments (covers JSON feed 1.0 endpoint)', async function () {
+
+    it('Should contain valid comments (covers JSON feed 1.0 endpoint) and not from unlisted videos', async function () {
       for (const server of servers) {
         const json = await getJSONfeed(server.url, 'video-comments')