Add tests and fix bugs for video privacy

8 files changed, 440 insertions, 404 deletions

diff --git a/server/controllers/api/users.ts b/server/controllers/api/users.ts
index dcd407fdf..bacfc4552 100644
--- a/server/controllers/api/users.ts
+++ b/server/controllers/api/users.ts
@@ -171,7 +171,7 @@ async function getUserInformation (req: express.Request, res: express.Response,
 }
 
 function getUser (req: express.Request, res: express.Response, next: express.NextFunction) {
-  return res.json(res.locals.oauth.token.User.toFormattedJSON())
+  return res.json(res.locals.user.toFormattedJSON())
 }
 
 async function getUserVideoRating (req: express.Request, res: express.Response, next: express.NextFunction) {
diff --git a/server/middlewares/validators/videos.ts b/server/middlewares/validators/videos.ts
index e197d4606..15b4629c1 100644
--- a/server/middlewares/validators/videos.ts
+++ b/server/middlewares/validators/videos.ts
@@ -24,6 +24,7 @@ import {
   isVideoPrivacyValid
 } from '../../helpers'
 import { UserRight, VideoPrivacy } from '../../../shared'
+import { authenticate } from '../oauth'
 
 const videosAddValidator = [
   body('videofile').custom((value, { req }) => isVideoFile(req.files)).withMessage(
@@ -112,7 +113,7 @@ const videosUpdateValidator = [
   body('licence').optional().custom(isVideoLicenceValid).withMessage('Should have a valid licence'),
   body('language').optional().custom(isVideoLanguageValid).withMessage('Should have a valid language'),
   body('nsfw').optional().custom(isVideoNSFWValid).withMessage('Should have a valid NSFW attribute'),
-  body('privacy').custom(isVideoPrivacyValid).withMessage('Should have correct video privacy'),
+  body('privacy').optional().custom(isVideoPrivacyValid).withMessage('Should have correct video privacy'),
   body('description').optional().custom(isVideoDescriptionValid).withMessage('Should have a valid description'),
   body('tags').optional().custom(isVideoTagsValid).withMessage('Should have correct tags'),
 
@@ -155,7 +156,22 @@ const videosGetValidator = [
     logger.debug('Checking videosGet parameters', { parameters: req.params })
 
     checkErrors(req, res, () => {
-      checkVideoExists(req.params.id, res, next)
+      checkVideoExists(req.params.id, res, () => {
+        const video = res.locals.video
+
+        // Video is not private, anyone can access it
+        if (video.privacy !== VideoPrivacy.PRIVATE) return next()
+
+        authenticate(req, res, () => {
+          if (video.VideoChannel.Author.userId !== res.locals.oauth.token.User.id) {
+            return res.status(403)
+              .json({ error: 'Cannot get this private video of another user' })
+              .end()
+          }
+
+          next()
+        })
+      })
     })
   }
 ]
@@ -232,28 +248,23 @@ export {
 
 function checkUserCanDeleteVideo (userId: number, res: express.Response, callback: () => void) {
   // Retrieve the user who did the request
-  db.User.loadById(userId)
-    .then(user => {
-      if (res.locals.video.isOwned() === false) {
-        return res.status(403)
-                  .json({ error: 'Cannot remove video of another pod, blacklist it' })
-                  .end()
-      }
-
-      // Check if the user can delete the video
-      // The user can delete it if s/he is an admin
-      // Or if s/he is the video's author
-      if (user.hasRight(UserRight.REMOVE_ANY_VIDEO) === false && res.locals.video.Author.userId !== res.locals.oauth.token.User.id) {
-        return res.status(403)
-                  .json({ error: 'Cannot remove video of another user' })
-                  .end()
-      }
-
-      // If we reach this comment, we can delete the video
-      callback()
-    })
-    .catch(err => {
-      logger.error('Error in video request validator.', err)
-      return res.sendStatus(500)
-    })
+  if (res.locals.video.isOwned() === false) {
+    return res.status(403)
+              .json({ error: 'Cannot remove video of another pod, blacklist it' })
+              .end()
+  }
+
+  // Check if the user can delete the video
+  // The user can delete it if s/he is an admin
+  // Or if s/he is the video's author
+  const author = res.locals.video.VideoChannel.Author
+  const user = res.locals.oauth.token.User
+  if (user.hasRight(UserRight.REMOVE_ANY_VIDEO) === false && author.userId !== user.id) {
+    return res.status(403)
+              .json({ error: 'Cannot remove video of another user' })
+              .end()
+  }
+
+  // If we reach this comment, we can delete the video
+  callback()
 }
diff --git a/server/tests/api/check-params/videos.ts b/server/tests/api/check-params/videos.ts
index c59f5da93..5860e9195 100644
--- a/server/tests/api/check-params/videos.ts
+++ b/server/tests/api/check-params/videos.ts
@@ -19,12 +19,46 @@ import {
   createUser,
   getUserAccessToken
 } from '../../utils'
+import { VideoPrivacy } from '../../../../shared/models/videos/video-privacy.enum'
 
 describe('Test videos API validator', function () {
   const path = '/api/v1/videos/'
   let server: ServerInfo
   let channelId: number
 
+  function getCompleteVideoUploadAttributes () {
+    return {
+      name: 'my super name',
+      category: 5,
+      licence: 1,
+      language: 6,
+      nsfw: false,
+      description: 'my super description',
+      tags: [ 'tag1', 'tag2' ],
+      privacy: VideoPrivacy.PUBLIC,
+      channelId
+    }
+  }
+
+  function getCompleteVideoUpdateAttributes () {
+    return {
+      name: 'my super name',
+      category: 5,
+      licence: 2,
+      language: 6,
+      nsfw: false,
+      description: 'my super description',
+      privacy: VideoPrivacy.PUBLIC,
+      tags: [ 'tag1', 'tag2' ]
+    }
+  }
+
+  function getVideoUploadAttaches () {
+    return {
+      'videofile': join(__dirname, '..', 'fixtures', 'video_short.webm')
+    }
+  }
+
   // ---------------------------------------------------------------
 
   before(async function () {
@@ -99,6 +133,37 @@ describe('Test videos API validator', function () {
     })
   })
 
+  describe('When listing my videos', function () {
+    const path = '/api/v1/users/me/videos'
+
+    it('Should fail with a bad start pagination', async function () {
+      await request(server.url)
+        .get(path)
+        .set('Authorization', 'Bearer ' + server.accessToken)
+        .query({ start: 'hello' })
+        .set('Accept', 'application/json')
+        .expect(400)
+    })
+
+    it('Should fail with a bad count pagination', async function () {
+      await request(server.url)
+        .get(path)
+        .set('Authorization', 'Bearer ' + server.accessToken)
+        .query({ count: 'hello' })
+        .set('Accept', 'application/json')
+        .expect(400)
+    })
+
+    it('Should fail with an incorrect sort', async function () {
+      await request(server.url)
+        .get(path)
+        .set('Authorization', 'Bearer ' + server.accessToken)
+        .query({ sort: 'hello' })
+        .set('Accept', 'application/json')
+        .expect(400)
+    })
+  })
+
   describe('When adding a video', function () {
     it('Should fail with nothing', async function () {
       const fields = {}
@@ -107,219 +172,108 @@ describe('Test videos API validator', function () {
     })
 
     it('Should fail without name', async function () {
-      const fields = {
-        category: 5,
-        licence: 1,
-        language: 6,
-        nsfw: false,
-        description: 'my super description',
-        tags: [ 'tag1', 'tag2' ],
-        channelId
-      }
-      const attaches = {
-        'videofile': join(__dirname, '..', 'fixtures', 'video_short.webm')
-      }
+      const fields = getCompleteVideoUploadAttributes()
+      delete fields.name
+
+      const attaches = getVideoUploadAttaches()
       await makePostUploadRequest({ url: server.url, path: path + '/upload', token: server.accessToken, fields, attaches })
     })
 
     it('Should fail with a long name', async function () {
-      const fields = {
-        name: 'My very very very very very very very very very very very very very very very very very  ' +
-              'very very very very very very very very very very very very very very very very long long' +
-              'very very very very very very very very very very very very very very very very long name',
-        category: 5,
-        licence: 1,
-        language: 6,
-        nsfw: false,
-        description: 'my super description',
-        tags: [ 'tag1', 'tag2' ],
-        channelId
-      }
-      const attaches = {
-        'videofile': join(__dirname, '..', 'fixtures', 'video_short.webm')
-      }
+      const fields = getCompleteVideoUploadAttributes()
+      fields.name = 'My very very very very very very very very very very very very very very very very very  ' +
+                    'very very very very very very very very very very very very very very very very long long' +
+                    'very very very very very very very very very very very very very very very very long name'
+
+      const attaches = getVideoUploadAttaches
       await makePostUploadRequest({ url: server.url, path: path + '/upload', token: server.accessToken, fields, attaches })
     })
 
     it('Should fail without a category', async function () {
-      const fields = {
-        name: 'my super name',
-        licence: 1,
-        language: 6,
-        nsfw: false,
-        description: 'my super description',
-        tags: [ 'tag1', 'tag2' ],
-        channelId
-      }
-      const attaches = {
-        'videofile': join(__dirname, '..', 'fixtures', 'video_short.webm')
-      }
+      const fields = getCompleteVideoUploadAttributes()
+      delete fields.category
+
+      const attaches = getVideoUploadAttaches
       await makePostUploadRequest({ url: server.url, path: path + '/upload', token: server.accessToken, fields, attaches })
     })
 
     it('Should fail with a bad category', async function () {
-      const fields = {
-        name: 'my super name',
-        category: 125,
-        licence: 1,
-        language: 6,
-        nsfw: false,
-        description: 'my super description',
-        tags: [ 'tag1', 'tag2' ],
-        channelId
-      }
-      const attaches = {
-        'videofile': join(__dirname, '..', 'fixtures', 'video_short.webm')
-      }
+      const fields = getCompleteVideoUploadAttributes()
+      fields.category = 125
+
+      const attaches = getVideoUploadAttaches
       await makePostUploadRequest({ url: server.url, path: path + '/upload', token: server.accessToken, fields, attaches })
     })
 
     it('Should fail without a licence', async function () {
-      const fields = {
-        name: 'my super name',
-        category: 5,
-        language: 6,
-        nsfw: false,
-        description: 'my super description',
-        tags: [ 'tag1', 'tag2' ],
-        channelId
-      }
-      const attaches = {
-        'videofile': join(__dirname, '..', 'fixtures', 'video_short.webm')
-      }
+      const fields = getCompleteVideoUploadAttributes()
+      delete fields.licence
+
+      const attaches = getVideoUploadAttaches()
       await makePostUploadRequest({ url: server.url, path: path + '/upload', token: server.accessToken, fields, attaches })
     })
 
     it('Should fail with a bad licence', async function () {
-      const fields = {
-        name: 'my super name',
-        category: 5,
-        licence: 125,
-        language: 6,
-        nsfw: false,
-        description: 'my super description',
-        tags: [ 'tag1', 'tag2' ],
-        channelId
-      }
-      const attaches = {
-        'videofile': join(__dirname, '..', 'fixtures', 'video_short.webm')
-      }
+      const fields = getCompleteVideoUploadAttributes()
+      fields.licence = 125
+
+      const attaches = getVideoUploadAttaches()
       await makePostUploadRequest({ url: server.url, path: path + '/upload', token: server.accessToken, fields, attaches })
     })
 
     it('Should fail with a bad language', async function () {
-      const fields = {
-        name: 'my super name',
-        category: 5,
-        licence: 4,
-        language: 563,
-        nsfw: false,
-        description: 'my super description',
-        tags: [ 'tag1', 'tag2' ],
-        channelId
-      }
-      const attaches = {
-        'videofile': join(__dirname, '..', 'fixtures', 'video_short.webm')
-      }
+      const fields = getCompleteVideoUploadAttributes()
+      fields.language = 563
+
+      const attaches = getVideoUploadAttaches()
       await makePostUploadRequest({ url: server.url, path: path + '/upload', token: server.accessToken, fields, attaches })
     })
 
     it('Should fail without nsfw attribute', async function () {
-      const fields = {
-        name: 'my super name',
-        category: 5,
-        licence: 4,
-        language: 6,
-        description: 'my super description',
-        tags: [ 'tag1', 'tag2' ],
-        channelId
-      }
-      const attaches = {
-        'videofile': join(__dirname, '..', 'fixtures', 'video_short.webm')
-      }
+      const fields = getCompleteVideoUploadAttributes()
+      delete fields.nsfw
+
+      const attaches = getVideoUploadAttaches()
       await makePostUploadRequest({ url: server.url, path: path + '/upload', token: server.accessToken, fields, attaches })
     })
 
     it('Should fail with a bad nsfw attribute', async function () {
-      const fields = {
-        name: 'my super name',
-        category: 5,
-        licence: 4,
-        language: 6,
-        nsfw: 2,
-        description: 'my super description',
-        tags: [ 'tag1', 'tag2' ],
-        channelId
-      }
-      const attaches = {
-        'videofile': join(__dirname, '..', 'fixtures', 'video_short.webm')
-      }
+      const fields = getCompleteVideoUploadAttributes()
+      fields.nsfw = 2 as any
+
+      const attaches = getVideoUploadAttaches()
       await makePostUploadRequest({ url: server.url, path: path + '/upload', token: server.accessToken, fields, attaches })
     })
 
     it('Should fail without description', async function () {
-      const fields = {
-        name: 'my super name',
-        category: 5,
-        licence: 1,
-        language: 6,
-        nsfw: false,
-        tags: [ 'tag1', 'tag2' ],
-        channelId
-      }
-      const attaches = {
-        'videofile': join(__dirname, '..', 'fixtures', 'video_short.webm')
-      }
+      const fields = getCompleteVideoUploadAttributes()
+      delete fields.description
+
+      const attaches = getVideoUploadAttaches()
       await makePostUploadRequest({ url: server.url, path: path + '/upload', token: server.accessToken, fields, attaches })
     })
 
     it('Should fail with a long description', async function () {
-      const fields = {
-        name: 'my super name',
-        category: 5,
-        licence: 1,
-        language: 6,
-        nsfw: false,
-        description: 'my super description which is very very very very very very very very very very very very very very long'.repeat(35),
-        tags: [ 'tag1', 'tag2' ],
-        channelId
-      }
-      const attaches = {
-        'videofile': join(__dirname, '..', 'fixtures', 'video_short.webm')
-      }
+      const fields = getCompleteVideoUploadAttributes()
+      fields.description = 'my super description which is very very very very very very very very very very very very long'.repeat(35)
+
+      const attaches = getVideoUploadAttaches()
       await makePostUploadRequest({ url: server.url, path: path + '/upload', token: server.accessToken, fields, attaches })
     })
 
     it('Should fail without a channel', async function () {
-      const fields = {
-        name: 'my super name',
-        category: 5,
-        licence: 1,
-        language: 6,
-        nsfw: false,
-        description: 'my super description',
-        tags: [ 'tag1', 'tag2' ]
-      }
-      const attaches = {
-        'videofile': join(__dirname, '..', 'fixtures', 'video_short.webm')
-      }
+      const fields = getCompleteVideoUploadAttributes()
+      delete fields.channelId
+
+      const attaches = getVideoUploadAttaches()
       await makePostUploadRequest({ url: server.url, path: path + '/upload', token: server.accessToken, fields, attaches })
     })
 
     it('Should fail with a bad channel', async function () {
-      const fields = {
-        name: 'my super name',
-        category: 5,
-        licence: 1,
-        language: 6,
-        nsfw: false,
-        description: 'my super description',
-        tags: [ 'tag1', 'tag2' ],
-        channelId: 545454
-      }
-      const attaches = {
-        'videofile': join(__dirname, '..', 'fixtures', 'video_short.webm')
-      }
+      const fields = getCompleteVideoUploadAttributes()
+      fields.channelId = 545454
+
+      const attaches = getVideoUploadAttaches()
       await makePostUploadRequest({ url: server.url, path: path + '/upload', token: server.accessToken, fields, attaches })
     })
 
@@ -332,101 +286,47 @@ describe('Test videos API validator', function () {
 
       const accessTokenUser = await getUserAccessToken(server, user)
       const res = await getMyUserInformation(server.url, accessTokenUser)
-      const channelId = res.body.videoChannels[0].id
+      const customChannelId = res.body.videoChannels[0].id
 
-      const fields = {
-        name: 'my super name',
-        category: 5,
-        licence: 1,
-        language: 6,
-        nsfw: false,
-        description: 'my super description',
-        tags: [ 'tag1', 'tag2' ],
-        channelId
-      }
-      const attaches = {
-        'videofile': join(__dirname, '..', 'fixtures', 'video_short.webm')
-      }
+      const fields = getCompleteVideoUploadAttributes()
+      fields.channelId = customChannelId
+
+      const attaches = getVideoUploadAttaches()
       await makePostUploadRequest({ url: server.url, path: path + '/upload', token: server.accessToken, fields, attaches })
     })
 
     it('Should fail with too many tags', async function () {
-      const fields = {
-        name: 'my super name',
-        category: 5,
-        licence: 1,
-        language: 6,
-        nsfw: false,
-        description: 'my super description',
-        tags: [ 'tag1', 'tag2', 'tag3', 'tag4', 'tag5', 'tag6' ],
-        channelId
-      }
-      const attaches = {
-        'videofile': join(__dirname, '..', 'fixtures', 'video_short.webm')
-      }
+      const fields = getCompleteVideoUploadAttributes()
+      fields.tags = [ 'tag1', 'tag2', 'tag3', 'tag4', 'tag5', 'tag6' ]
+
+      const attaches = getVideoUploadAttaches()
       await makePostUploadRequest({ url: server.url, path: path + '/upload', token: server.accessToken, fields, attaches })
     })
 
     it('Should fail with a tag length too low', async function () {
-      const fields = {
-        name: 'my super name',
-        category: 5,
-        licence: 1,
-        language: 6,
-        nsfw: false,
-        description: 'my super description',
-        tags: [ 'tag1', 't' ],
-        channelId
-      }
-      const attaches = {
-        'videofile': join(__dirname, '..', 'fixtures', 'video_short.webm')
-      }
+      const fields = getCompleteVideoUploadAttributes()
+      fields.tags = [ 'tag1', 't' ]
+
+      const attaches = getVideoUploadAttaches()
       await makePostUploadRequest({ url: server.url, path: path + '/upload', token: server.accessToken, fields, attaches })
     })
 
     it('Should fail with a tag length too big', async function () {
-      const fields = {
-        name: 'my super name',
-        category: 5,
-        licence: 1,
-        language: 6,
-        nsfw: false,
-        description: 'my super description',
-        tags: [ 'my_super_tag_too_long_long_long_long_long_long', 'tag1' ],
-        channelId
-      }
-      const attaches = {
-        'videofile': join(__dirname, '..', 'fixtures', 'video_short.webm')
-      }
+      const fields = getCompleteVideoUploadAttributes()
+      fields.tags = [ 'my_super_tag_too_long_long_long_long_long_long', 'tag1' ]
+
+      const attaches = getVideoUploadAttaches()
       await makePostUploadRequest({ url: server.url, path: path + '/upload', token: server.accessToken, fields, attaches })
     })
 
     it('Should fail without an input file', async function () {
-      const fields = {
-        name: 'my super name',
-        category: 5,
-        licence: 1,
-        language: 6,
-        nsfw: false,
-        description: 'my super description',
-        tags: [ 'tag1', 'tag2' ],
-        channelId
-      }
+      const fields = getCompleteVideoUploadAttributes()
       const attaches = {}
       await makePostUploadRequest({ url: server.url, path: path + '/upload', token: server.accessToken, fields, attaches })
     })
 
     it('Should fail without an incorrect input file', async function () {
-      const fields = {
-        name: 'my super name',
-        category: 5,
-        licence: 1,
-        language: 6,
-        nsfw: false,
-        description: 'my super description',
-        tags: [ 'tag1', 'tag2' ],
-        channelId
-      }
+      const fields = getCompleteVideoUploadAttributes()
       const attaches = {
         'videofile': join(__dirname, '..', 'fixtures', 'video_short_fake.webm')
       }
@@ -434,16 +334,7 @@ describe('Test videos API validator', function () {
     })
 
     it('Should fail with a too big duration', async function () {
-      const fields = {
-        name: 'my super name',
-        category: 5,
-        licence: 1,
-        language: 6,
-        nsfw: false,
-        description: 'my super description',
-        tags: [ 'tag1', 'tag2' ],
-        channelId
-      }
+      const fields = getCompleteVideoUploadAttributes()
       const attaches = {
         'videofile': join(__dirname, '..', 'fixtures', 'video_too_long.webm')
       }
@@ -453,19 +344,8 @@ describe('Test videos API validator', function () {
     it('Should succeed with the correct parameters', async function () {
       this.timeout(10000)
 
-      const fields = {
-        name: 'my super name',
-        category: 5,
-        licence: 1,
-        language: 6,
-        nsfw: false,
-        description: 'my super description',
-        tags: [ 'tag1', 'tag2' ],
-        channelId
-      }
-      const attaches = {
-        'videofile': join(__dirname, '..', 'fixtures', 'video_short.webm')
-      }
+      const fields = getCompleteVideoUploadAttributes()
+      const attaches = getVideoUploadAttaches()
 
       await makePostUploadRequest({
         url: server.url,
@@ -512,26 +392,13 @@ describe('Test videos API validator', function () {
     })
 
     it('Should fail without a valid uuid', async function () {
-      const fields = {
-        category: 5,
-        licence: 2,
-        language: 6,
-        nsfw: false,
-        description: 'my super description',
-        tags: [ 'tag1', 'tag2' ]
-      }
+      const fields = getCompleteVideoUpdateAttributes()
       await makePutBodyRequest({ url: server.url, path: path + 'blabla', token: server.accessToken, fields })
     })
 
     it('Should fail with an unknown id', async function () {
-      const fields = {
-        category: 5,
-        licence: 2,
-        language: 6,
-        nsfw: false,
-        description: 'my super description',
-        tags: [ 'tag1', 'tag2' ]
-      }
+      const fields = getCompleteVideoUpdateAttributes()
+
       await makePutBodyRequest({
         url: server.url,
         path: path + '4da6fde3-88f7-4d16-b119-108df5630b06',
@@ -542,127 +409,77 @@ describe('Test videos API validator', function () {
     })
 
     it('Should fail with a long name', async function () {
-      const fields = {
-        name: 'My very very very very very very very very very very very very very very very very very  ' +
-        'very very very very very very very very very very very very very very very very long long' +
-        'very very very very very very very very very very very very very very very very long name',
-        category: 5,
-        licence: 2,
-        language: 6,
-        nsfw: false,
-        description: 'my super description',
-        tags: [ 'tag1', 'tag2' ]
-      }
+      const fields = getCompleteVideoUpdateAttributes()
+      fields.name = 'My very very very very very very very very very very very very very very very very long'.repeat(3)
+
       await makePutBodyRequest({ url: server.url, path: path + videoId, token: server.accessToken, fields })
     })
 
     it('Should fail with a bad category', async function () {
-      const fields = {
-        name: 'my super name',
-        category: 128,
-        licence: 2,
-        language: 6,
-        nsfw: false,
-        description: 'my super description',
-        tags: [ 'tag1', 'tag2' ]
-      }
+      const fields = getCompleteVideoUpdateAttributes()
+      fields.category = 128
+
       await makePutBodyRequest({ url: server.url, path: path + videoId, token: server.accessToken, fields })
     })
 
     it('Should fail with a bad licence', async function () {
-      const fields = {
-        name: 'my super name',
-        category: 5,
-        licence: 128,
-        language: 6,
-        nsfw: false,
-        description: 'my super description',
-        tags: [ 'tag1', 'tag2' ]
-      }
+      const fields = getCompleteVideoUpdateAttributes()
+      fields.licence = 128
+
       await makePutBodyRequest({ url: server.url, path: path + videoId, token: server.accessToken, fields })
     })
 
     it('Should fail with a bad language', async function () {
-      const fields = {
-        name: 'my super name',
-        category: 5,
-        licence: 3,
-        language: 896,
-        nsfw: false,
-        description: 'my super description',
-        tags: [ 'tag1', 'tag2' ]
-      }
+      const fields = getCompleteVideoUpdateAttributes()
+      fields.language = 896
+
       await makePutBodyRequest({ url: server.url, path: path + videoId, token: server.accessToken, fields })
     })
 
     it('Should fail with a bad nsfw attribute', async function () {
-      const fields = {
-        name: 'my super name',
-        category: 5,
-        licence: 5,
-        language: 6,
-        nsfw: -4,
-        description: 'my super description',
-        tags: [ 'tag1', 'tag2' ]
-      }
+      const fields = getCompleteVideoUpdateAttributes()
+      fields.nsfw = (-4 as any)
+
       await makePutBodyRequest({ url: server.url, path: path + videoId, token: server.accessToken, fields })
     })
 
     it('Should fail with a long description', async function () {
-      const fields = {
-        name: 'my super name',
-        category: 5,
-        licence: 2,
-        language: 6,
-        nsfw: false,
-        description: 'my super description which is very very very very very very very very very very very very very long'.repeat(35),
-        tags: [ 'tag1', 'tag2' ]
-      }
+      const fields = getCompleteVideoUpdateAttributes()
+      fields.description = 'my super description which is very very very very very very very very very very very very very long'.repeat(35)
+
       await makePutBodyRequest({ url: server.url, path: path + videoId, token: server.accessToken, fields })
     })
 
     it('Should fail with too many tags', async function () {
-      const fields = {
-        name: 'my super name',
-        category: 5,
-        licence: 2,
-        language: 6,
-        nsfw: false,
-        description: 'my super description',
-        tags: [ 'tag1', 'tag2', 'tag3', 'tag4', 'tag5', 'tag6' ]
-      }
+      const fields = getCompleteVideoUpdateAttributes()
+      fields.tags = [ 'tag1', 'tag2', 'tag3', 'tag4', 'tag5', 'tag6' ]
+
       await makePutBodyRequest({ url: server.url, path: path + videoId, token: server.accessToken, fields })
     })
 
     it('Should fail with a tag length too low', async function () {
-      const fields = {
-        name: 'my super name',
-        category: 5,
-        licence: 2,
-        language: 6,
-        nsfw: false,
-        description: 'my super description',
-        tags: [ 'tag1', 't' ]
-      }
+      const fields = getCompleteVideoUpdateAttributes()
+      fields.tags = [ 'tag1', 't' ]
+
       await makePutBodyRequest({ url: server.url, path: path + videoId, token: server.accessToken, fields })
     })
 
     it('Should fail with a tag length too big', async function () {
-      const fields = {
-        name: 'my super name',
-        category: 5,
-        licence: 2,
-        language: 6,
-        nsfw: false,
-        description: 'my super description',
-        tags: [ 'my_super_tag_too_long_long_long_long', 'tag1' ]
-      }
+      const fields = getCompleteVideoUpdateAttributes()
+      fields.tags = [ 'my_super_tag_too_long_long_long_long', 'tag1' ]
+
       await makePutBodyRequest({ url: server.url, path: path + videoId, token: server.accessToken, fields })
     })
 
     it('Should fail with a video of another user')
 
     it('Should fail with a video of another pod')
+
+    it('Should succeed with the correct parameters', async function () {
+      const fields = getCompleteVideoUpdateAttributes()
+
+      await makePutBodyRequest({ url: server.url, path: path + videoId, token: server.accessToken, fields, statusCodeExpected: 204 })
+    })
   })
 
   describe('When getting a video', function () {
diff --git a/server/tests/api/index.ts b/server/tests/api/index.ts
index 2ff0ecf24..371f1bc43 100644
--- a/server/tests/api/index.ts
+++ b/server/tests/api/index.ts
@@ -8,6 +8,7 @@ import './video-abuse'
 import './video-blacklist'
 import './video-blacklist-management'
 import './video-description'
+import './video-privacy'
 import './multiple-pods'
 import './services'
 import './request-schedulers'
diff --git a/server/tests/api/single-pod.ts b/server/tests/api/single-pod.ts
index d3a982436..3a05d0727 100644
--- a/server/tests/api/single-pod.ts
+++ b/server/tests/api/single-pod.ts
@@ -22,6 +22,7 @@ import {
   getVideoCategories,
   getVideoLicences,
   getVideoLanguages,
+  getVideoPrivacies,
   testVideoImage,
   webtorrentAdd,
   getVideo,
@@ -76,6 +77,15 @@ describe('Test a single pod', function () {
     expect(languages[3]).to.equal('Mandarin')
   })
 
+  it('Should list video privacies', async function () {
+    const res = await getVideoPrivacies(server.url)
+
+    const privacies = res.body
+    expect(Object.keys(privacies)).to.have.length.at.least(3)
+
+    expect(privacies[3]).to.equal('Private')
+  })
+
   it('Should not have videos', async function () {
     const res = await getVideosList(server.url)
 
@@ -482,19 +492,6 @@ describe('Test a single pod', function () {
   //   })
   // })
 
-  it('Should search the right magnetUri video', async function () {
-    const video = videosListBase[0]
-    const res = await getVideo(server.url, video.id)
-    const videoDetails = res.body
-
-    const res2 = await searchVideoWithPagination(server.url, encodeURIComponent(videoDetails.files[0].magnetUri), 'magnetUri', 0, 15)
-
-    const videos = res2.body.data
-    expect(res2.body.total).to.equal(1)
-    expect(videos.length).to.equal(1)
-    expect(videos[0].name).to.equal(video.name)
-  })
-
   it('Should list and sort by name in descending order', async function () {
     const res = await getVideosListSort(server.url, '-name')
 
diff --git a/server/tests/api/users.ts b/server/tests/api/users.ts
index bdef62c46..6f40ca3c9 100644
--- a/server/tests/api/users.ts
+++ b/server/tests/api/users.ts
@@ -31,6 +31,7 @@ import {
   getBlacklistedVideosList
 } from '../utils'
 import { UserRole } from '../../../shared'
+import { getMyVideos } from '../utils/videos'
 
 describe('Test users', function () {
   let server: ServerInfo
@@ -197,10 +198,22 @@ describe('Test users', function () {
   it('Should be able to upload a video with this user', async function () {
     this.timeout(5000)
 
-    const videoAttributes = {}
+    const videoAttributes = {
+      name: 'super user video'
+    }
     await uploadVideo(server.url, accessTokenUser, videoAttributes)
   })
 
+  it('Should be able to list my videos', async function () {
+    const res = await getMyVideos(server.url, accessTokenUser, 0, 5)
+    expect(res.body.total).to.equal(1)
+
+    const videos = res.body.data
+    expect(videos).to.have.lengthOf(1)
+
+    expect(videos[0].name).to.equal('super user video')
+  })
+
   it('Should list all the users', async function () {
     const res = await getUsersList(server.url)
     const result = res.body
diff --git a/server/tests/api/video-privacy.ts b/server/tests/api/video-privacy.ts
new file mode 100644
index 000000000..beac1613e
--- /dev/null
+++ b/server/tests/api/video-privacy.ts
@@ -0,0 +1,158 @@
+/* tslint:disable:no-unused-expression */
+
+import 'mocha'
+import * as chai from 'chai'
+const expect = chai.expect
+
+import {
+  ServerInfo,
+  flushTests,
+  uploadVideo,
+  makeFriends,
+  getVideosList,
+  wait,
+  setAccessTokensToServers,
+  flushAndRunMultipleServers,
+  killallServers
+} from '../utils'
+import { VideoPrivacy } from '../../../shared/models/videos/video-privacy.enum'
+import { getMyVideos, getVideo, getVideoWithToken, updateVideo } from '../utils/videos'
+import { createUser } from '../utils/users'
+import { getUserAccessToken } from '../utils/login'
+
+describe('Test video privacy', function () {
+  let servers: ServerInfo[] = []
+  let privateVideoId
+  let privateVideoUUID
+  let unlistedVideoUUID
+
+  before(async function () {
+    this.timeout(120000)
+
+    // Run servers
+    servers = await flushAndRunMultipleServers(2)
+
+    // Get the access tokens
+    await setAccessTokensToServers(servers)
+
+    // Pod 1 makes friend with pod 2
+    await makeFriends(servers[0].url, servers[0].accessToken)
+  })
+
+  it('Should upload a private video on pod 1', async function () {
+    this.timeout(15000)
+
+    const attributes = {
+      privacy: VideoPrivacy.PRIVATE
+    }
+    await uploadVideo(servers[0].url, servers[0].accessToken, attributes)
+
+    await wait(11000)
+  })
+
+  it('Should not have this private video on pod 2', async function () {
+    const res = await getVideosList(servers[1].url)
+
+    expect(res.body.total).to.equal(0)
+    expect(res.body.data).to.have.lengthOf(0)
+  })
+
+  it('Should list my (private) videos', async function () {
+    const res = await getMyVideos(servers[0].url, servers[0].accessToken, 0, 1)
+
+    expect(res.body.total).to.equal(1)
+    expect(res.body.data).to.have.lengthOf(1)
+
+    privateVideoId = res.body.data[0].id
+    privateVideoUUID = res.body.data[0].uuid
+  })
+
+  it('Should not be able to watch this video with non authenticated user', async function () {
+    await getVideo(servers[0].url, privateVideoUUID, 401)
+  })
+
+  it('Should not be able to watch this private video with another user', async function () {
+    const user = {
+      username: 'hello',
+      password: 'super password'
+    }
+    await createUser(servers[0].url, servers[0].accessToken, user.username, user.password)
+
+    const token = await getUserAccessToken(servers[0], user)
+    await getVideoWithToken(servers[0].url, token, privateVideoUUID, 403)
+  })
+
+  it('Should be able to watch this video with the correct user', async function () {
+    await getVideoWithToken(servers[0].url, servers[0].accessToken, privateVideoUUID)
+  })
+
+  it('Should upload a unlisted video on pod 2', async function () {
+    this.timeout(30000)
+
+    const attributes = {
+      name: 'unlisted video',
+      privacy: VideoPrivacy.UNLISTED
+    }
+    await uploadVideo(servers[1].url, servers[1].accessToken, attributes)
+
+    await wait(22000)
+  })
+
+  it('Should not have this unlisted video listed on pod 1 and 2', async function () {
+    for (const server of servers) {
+      const res = await getVideosList(server.url)
+
+      expect(res.body.total).to.equal(0)
+      expect(res.body.data).to.have.lengthOf(0)
+    }
+  })
+
+  it('Should list my (unlisted) videos', async function () {
+    const res = await getMyVideos(servers[1].url, servers[1].accessToken, 0, 1)
+
+    expect(res.body.total).to.equal(1)
+    expect(res.body.data).to.have.lengthOf(1)
+
+    unlistedVideoUUID = res.body.data[0].uuid
+  })
+
+  it('Should be able to get this unlisted video', async function () {
+    for (const server of servers) {
+      const res = await getVideo(server.url, unlistedVideoUUID)
+
+      expect(res.body.name).to.equal('unlisted video')
+    }
+  })
+
+  it('Should update the private video to public on pod 1', async function () {
+    this.timeout(15000)
+
+    const attribute = {
+      name: 'super video public',
+      privacy: VideoPrivacy.PUBLIC
+    }
+
+    await updateVideo(servers[0].url, servers[0].accessToken, privateVideoId, attribute)
+
+    await wait(11000)
+  })
+
+  it('Should not have this new unlisted video listed on pod 1 and 2', async function () {
+    for (const server of servers) {
+      const res = await getVideosList(server.url)
+
+      expect(res.body.total).to.equal(1)
+      expect(res.body.data).to.have.lengthOf(1)
+      expect(res.body.data[0].name).to.equal('super video public')
+    }
+  })
+
+  after(async function () {
+    killallServers(servers)
+
+    // Keep the logs if the test failed
+    if (this['ok']) {
+      await flushTests()
+    }
+  })
+})
diff --git a/server/tests/utils/videos.ts b/server/tests/utils/videos.ts
index 2a5d00255..d4d5faf0a 100644
--- a/server/tests/utils/videos.ts
+++ b/server/tests/utils/videos.ts
@@ -7,6 +7,7 @@ import { makeGetRequest } from './requests'
 import { readFilePromise } from './miscs'
 import { ServerInfo } from './servers'
 import { getMyUserInformation } from './users'
+import { VideoPrivacy } from '../../../shared'
 
 type VideoAttributes = {
   name?: string
@@ -17,6 +18,7 @@ type VideoAttributes = {
   description?: string
   tags?: string[]
   channelId?: number
+  privacy?: VideoPrivacy
   fixture?: string
 }
 
@@ -38,6 +40,12 @@ function getVideoLanguages (url: string) {
   return makeGetRequest(url, path)
 }
 
+function getVideoPrivacies (url: string) {
+  const path = '/api/v1/videos/privacies'
+
+  return makeGetRequest(url, path)
+}
+
 function getAllVideosListBy (url: string) {
   const path = '/api/v1/videos'
 
@@ -51,14 +59,23 @@ function getAllVideosListBy (url: string) {
           .expect('Content-Type', /json/)
 }
 
-function getVideo (url: string, id: number | string) {
+function getVideo (url: string, id: number | string, expectedStatus = 200) {
   const path = '/api/v1/videos/' + id
 
   return request(url)
           .get(path)
           .set('Accept', 'application/json')
-          .expect(200)
-          .expect('Content-Type', /json/)
+          .expect(expectedStatus)
+}
+
+function getVideoWithToken (url: string, token: string, id: number | string, expectedStatus = 200) {
+  const path = '/api/v1/videos/' + id
+
+  return request(url)
+    .get(path)
+    .set('Authorization', 'Bearer ' + token)
+    .set('Accept', 'application/json')
+    .expect(expectedStatus)
 }
 
 function getVideoDescription (url: string, descriptionPath: string) {
@@ -80,6 +97,22 @@ function getVideosList (url: string) {
           .expect('Content-Type', /json/)
 }
 
+function getMyVideos (url: string, accessToken: string, start: number, count: number, sort?: string) {
+  const path = '/api/v1/users/me/videos'
+
+  const req = request(url)
+    .get(path)
+    .query({ start: start })
+    .query({ count: count })
+
+  if (sort) req.query({ sort })
+
+  return req.set('Accept', 'application/json')
+    .set('Authorization', 'Bearer ' + accessToken)
+    .expect(200)
+    .expect('Content-Type', /json/)
+}
+
 function getVideosListPagination (url: string, start: number, count: number, sort?: string) {
   const path = '/api/v1/videos'
 
@@ -191,6 +224,7 @@ async function uploadVideo (url: string, accessToken: string, videoAttributesArg
     nsfw: true,
     description: 'my super description',
     tags: [ 'tag' ],
+    privacy: VideoPrivacy.PUBLIC,
     fixture: 'video_short.webm'
   }
   attributes = Object.assign(attributes, videoAttributesArg)
@@ -204,6 +238,7 @@ async function uploadVideo (url: string, accessToken: string, videoAttributesArg
               .field('licence', attributes.licence.toString())
               .field('nsfw', JSON.stringify(attributes.nsfw))
               .field('description', attributes.description)
+              .field('privacy', attributes.privacy.toString())
               .field('channelId', attributes.channelId)
 
   if (attributes.language !== undefined) {
@@ -236,6 +271,7 @@ function updateVideo (url: string, accessToken: string, id: number, attributes:
   if (attributes.nsfw) body['nsfw'] = attributes.nsfw
   if (attributes.description) body['description'] = attributes.description
   if (attributes.tags) body['tags'] = attributes.tags
+  if (attributes.privacy) body['privacy'] = attributes.privacy
 
   return request(url)
           .put(path)
@@ -274,9 +310,12 @@ export {
   getVideoDescription,
   getVideoCategories,
   getVideoLicences,
+  getVideoPrivacies,
   getVideoLanguages,
   getAllVideosListBy,
+  getMyVideos,
   getVideo,
+  getVideoWithToken,
   getVideosList,
   getVideosListPagination,
   getVideosListSort,