diff options
author | Chocobozzz <me@florianbigard.com> | 2022-01-06 13:27:29 +0100 |
---|---|---|
committer | Chocobozzz <me@florianbigard.com> | 2022-01-06 13:27:29 +0100 |
commit | 795212f7acc690c88c86d0fab8772f6564d59cb8 (patch) | |
tree | 3a0203fc1957fd8cf8876774051137a0b04236fc | |
parent | 7b54a81cccf6b4c12269e9d6897d608b1a99537a (diff) | |
download | PeerTube-795212f7acc690c88c86d0fab8772f6564d59cb8.tar.gz PeerTube-795212f7acc690c88c86d0fab8772f6564d59cb8.tar.zst PeerTube-795212f7acc690c88c86d0fab8772f6564d59cb8.zip |
Prevent caption listing of private videos
-rw-r--r-- | server/controllers/api/videos/captions.ts | 2 | ||||
-rw-r--r-- | server/controllers/api/videos/files.ts | 4 | ||||
-rw-r--r-- | server/middlewares/validators/shared/videos.ts | 33 | ||||
-rw-r--r-- | server/middlewares/validators/videos/video-captions.ts | 22 | ||||
-rw-r--r-- | server/middlewares/validators/videos/videos.ts | 19 | ||||
-rw-r--r-- | server/tests/api/check-params/video-captions.ts | 28 |
6 files changed, 86 insertions, 22 deletions
diff --git a/server/controllers/api/videos/captions.ts b/server/controllers/api/videos/captions.ts index 2d2213327..aa7259ee9 100644 --- a/server/controllers/api/videos/captions.ts +++ b/server/controllers/api/videos/captions.ts | |||
@@ -48,7 +48,7 @@ export { | |||
48 | // --------------------------------------------------------------------------- | 48 | // --------------------------------------------------------------------------- |
49 | 49 | ||
50 | async function listVideoCaptions (req: express.Request, res: express.Response) { | 50 | async function listVideoCaptions (req: express.Request, res: express.Response) { |
51 | const data = await VideoCaptionModel.listVideoCaptions(res.locals.videoId.id) | 51 | const data = await VideoCaptionModel.listVideoCaptions(res.locals.onlyVideo.id) |
52 | 52 | ||
53 | return res.json(getFormattedObjects(data, data.length)) | 53 | return res.json(getFormattedObjects(data, data.length)) |
54 | } | 54 | } |
diff --git a/server/controllers/api/videos/files.ts b/server/controllers/api/videos/files.ts index a8b32411d..0fbda280e 100644 --- a/server/controllers/api/videos/files.ts +++ b/server/controllers/api/videos/files.ts | |||
@@ -10,13 +10,15 @@ import { | |||
10 | ensureUserHasRight, | 10 | ensureUserHasRight, |
11 | videoFileMetadataGetValidator, | 11 | videoFileMetadataGetValidator, |
12 | videoFilesDeleteHLSValidator, | 12 | videoFilesDeleteHLSValidator, |
13 | videoFilesDeleteWebTorrentValidator | 13 | videoFilesDeleteWebTorrentValidator, |
14 | videosGetValidator | ||
14 | } from '../../../middlewares' | 15 | } from '../../../middlewares' |
15 | 16 | ||
16 | const lTags = loggerTagsFactory('api', 'video') | 17 | const lTags = loggerTagsFactory('api', 'video') |
17 | const filesRouter = express.Router() | 18 | const filesRouter = express.Router() |
18 | 19 | ||
19 | filesRouter.get('/:id/metadata/:videoFileId', | 20 | filesRouter.get('/:id/metadata/:videoFileId', |
21 | asyncMiddleware(videosGetValidator), | ||
20 | asyncMiddleware(videoFileMetadataGetValidator), | 22 | asyncMiddleware(videoFileMetadataGetValidator), |
21 | asyncMiddleware(getVideoFileMetadata) | 23 | asyncMiddleware(getVideoFileMetadata) |
22 | ) | 24 | ) |
diff --git a/server/middlewares/validators/shared/videos.ts b/server/middlewares/validators/shared/videos.ts index 71b81654f..fc978b63a 100644 --- a/server/middlewares/validators/shared/videos.ts +++ b/server/middlewares/validators/shared/videos.ts | |||
@@ -1,16 +1,20 @@ | |||
1 | import { Response } from 'express' | 1 | import { Request, Response } from 'express' |
2 | import { loadVideo, VideoLoadType } from '@server/lib/model-loaders' | 2 | import { loadVideo, VideoLoadType } from '@server/lib/model-loaders' |
3 | import { authenticatePromiseIfNeeded } from '@server/middlewares/auth' | ||
4 | import { VideoModel } from '@server/models/video/video' | ||
3 | import { VideoChannelModel } from '@server/models/video/video-channel' | 5 | import { VideoChannelModel } from '@server/models/video/video-channel' |
4 | import { VideoFileModel } from '@server/models/video/video-file' | 6 | import { VideoFileModel } from '@server/models/video/video-file' |
5 | import { | 7 | import { |
6 | MUser, | 8 | MUser, |
7 | MUserAccountId, | 9 | MUserAccountId, |
10 | MVideo, | ||
8 | MVideoAccountLight, | 11 | MVideoAccountLight, |
9 | MVideoFormattableDetails, | 12 | MVideoFormattableDetails, |
10 | MVideoFullLight, | 13 | MVideoFullLight, |
11 | MVideoId, | 14 | MVideoId, |
12 | MVideoImmutable, | 15 | MVideoImmutable, |
13 | MVideoThumbnail | 16 | MVideoThumbnail, |
17 | MVideoWithRights | ||
14 | } from '@server/types/models' | 18 | } from '@server/types/models' |
15 | import { HttpStatusCode, UserRight } from '@shared/models' | 19 | import { HttpStatusCode, UserRight } from '@shared/models' |
16 | 20 | ||
@@ -89,6 +93,27 @@ async function doesVideoChannelOfAccountExist (channelId: number, user: MUserAcc | |||
89 | return true | 93 | return true |
90 | } | 94 | } |
91 | 95 | ||
96 | async function checkCanSeeVideoIfPrivate (req: Request, res: Response, video: MVideo, authenticateInQuery = false) { | ||
97 | if (!video.requiresAuth()) return true | ||
98 | |||
99 | const videoWithRights = await VideoModel.loadAndPopulateAccountAndServerAndTags(video.id) | ||
100 | |||
101 | return checkCanSeePrivateVideo(req, res, videoWithRights, authenticateInQuery) | ||
102 | } | ||
103 | |||
104 | async function checkCanSeePrivateVideo (req: Request, res: Response, video: MVideoWithRights, authenticateInQuery = false) { | ||
105 | await authenticatePromiseIfNeeded(req, res, authenticateInQuery) | ||
106 | |||
107 | const user = res.locals.oauth ? res.locals.oauth.token.User : null | ||
108 | |||
109 | // Only the owner or a user that have blocklist rights can see the video | ||
110 | if (!user || !user.canGetVideo(video)) { | ||
111 | return false | ||
112 | } | ||
113 | |||
114 | return true | ||
115 | } | ||
116 | |||
92 | function checkUserCanManageVideo (user: MUser, video: MVideoAccountLight, right: UserRight, res: Response, onlyOwned = true) { | 117 | function checkUserCanManageVideo (user: MUser, video: MVideoAccountLight, right: UserRight, res: Response, onlyOwned = true) { |
93 | // Retrieve the user who did the request | 118 | // Retrieve the user who did the request |
94 | if (onlyOwned && video.isOwned() === false) { | 119 | if (onlyOwned && video.isOwned() === false) { |
@@ -120,5 +145,7 @@ export { | |||
120 | doesVideoChannelOfAccountExist, | 145 | doesVideoChannelOfAccountExist, |
121 | doesVideoExist, | 146 | doesVideoExist, |
122 | doesVideoFileOfVideoExist, | 147 | doesVideoFileOfVideoExist, |
123 | checkUserCanManageVideo | 148 | checkUserCanManageVideo, |
149 | checkCanSeeVideoIfPrivate, | ||
150 | checkCanSeePrivateVideo | ||
124 | } | 151 | } |
diff --git a/server/middlewares/validators/videos/video-captions.ts b/server/middlewares/validators/videos/video-captions.ts index 38321ccf9..4fc4c8ec5 100644 --- a/server/middlewares/validators/videos/video-captions.ts +++ b/server/middlewares/validators/videos/video-captions.ts | |||
@@ -1,11 +1,18 @@ | |||
1 | import express from 'express' | 1 | import express from 'express' |
2 | import { body, param } from 'express-validator' | 2 | import { body, param } from 'express-validator' |
3 | import { UserRight } from '../../../../shared' | 3 | import { HttpStatusCode, UserRight } from '../../../../shared' |
4 | import { isVideoCaptionFile, isVideoCaptionLanguageValid } from '../../../helpers/custom-validators/video-captions' | 4 | import { isVideoCaptionFile, isVideoCaptionLanguageValid } from '../../../helpers/custom-validators/video-captions' |
5 | import { cleanUpReqFiles } from '../../../helpers/express-utils' | 5 | import { cleanUpReqFiles } from '../../../helpers/express-utils' |
6 | import { logger } from '../../../helpers/logger' | 6 | import { logger } from '../../../helpers/logger' |
7 | import { CONSTRAINTS_FIELDS, MIMETYPES } from '../../../initializers/constants' | 7 | import { CONSTRAINTS_FIELDS, MIMETYPES } from '../../../initializers/constants' |
8 | import { areValidationErrors, checkUserCanManageVideo, doesVideoCaptionExist, doesVideoExist, isValidVideoIdParam } from '../shared' | 8 | import { |
9 | areValidationErrors, | ||
10 | checkCanSeeVideoIfPrivate, | ||
11 | checkUserCanManageVideo, | ||
12 | doesVideoCaptionExist, | ||
13 | doesVideoExist, | ||
14 | isValidVideoIdParam | ||
15 | } from '../shared' | ||
9 | 16 | ||
10 | const addVideoCaptionValidator = [ | 17 | const addVideoCaptionValidator = [ |
11 | isValidVideoIdParam('videoId'), | 18 | isValidVideoIdParam('videoId'), |
@@ -64,7 +71,16 @@ const listVideoCaptionsValidator = [ | |||
64 | logger.debug('Checking listVideoCaptions parameters', { parameters: req.params }) | 71 | logger.debug('Checking listVideoCaptions parameters', { parameters: req.params }) |
65 | 72 | ||
66 | if (areValidationErrors(req, res)) return | 73 | if (areValidationErrors(req, res)) return |
67 | if (!await doesVideoExist(req.params.videoId, res, 'id')) return | 74 | if (!await doesVideoExist(req.params.videoId, res, 'only-video')) return |
75 | |||
76 | const video = res.locals.onlyVideo | ||
77 | |||
78 | if (!await checkCanSeeVideoIfPrivate(req, res, video)) { | ||
79 | return res.fail({ | ||
80 | status: HttpStatusCode.FORBIDDEN_403, | ||
81 | message: 'Cannot list captions of private/internal/blocklisted video' | ||
82 | }) | ||
83 | } | ||
68 | 84 | ||
69 | return next() | 85 | return next() |
70 | } | 86 | } |
diff --git a/server/middlewares/validators/videos/videos.ts b/server/middlewares/validators/videos/videos.ts index 3ebdbc33d..782f495e8 100644 --- a/server/middlewares/validators/videos/videos.ts +++ b/server/middlewares/validators/videos/videos.ts | |||
@@ -51,9 +51,9 @@ import { CONSTRAINTS_FIELDS, OVERVIEWS } from '../../../initializers/constants' | |||
51 | import { isLocalVideoAccepted } from '../../../lib/moderation' | 51 | import { isLocalVideoAccepted } from '../../../lib/moderation' |
52 | import { Hooks } from '../../../lib/plugins/hooks' | 52 | import { Hooks } from '../../../lib/plugins/hooks' |
53 | import { VideoModel } from '../../../models/video/video' | 53 | import { VideoModel } from '../../../models/video/video' |
54 | import { authenticatePromiseIfNeeded } from '../../auth' | ||
55 | import { | 54 | import { |
56 | areValidationErrors, | 55 | areValidationErrors, |
56 | checkCanSeePrivateVideo, | ||
57 | checkUserCanManageVideo, | 57 | checkUserCanManageVideo, |
58 | doesVideoChannelOfAccountExist, | 58 | doesVideoChannelOfAccountExist, |
59 | doesVideoExist, | 59 | doesVideoExist, |
@@ -317,19 +317,12 @@ const videosCustomGetValidator = ( | |||
317 | 317 | ||
318 | // Video private or blacklisted | 318 | // Video private or blacklisted |
319 | if (video.requiresAuth()) { | 319 | if (video.requiresAuth()) { |
320 | await authenticatePromiseIfNeeded(req, res, authenticateInQuery) | 320 | if (await checkCanSeePrivateVideo(req, res, video, authenticateInQuery)) return next() |
321 | 321 | ||
322 | const user = res.locals.oauth ? res.locals.oauth.token.User : null | 322 | return res.fail({ |
323 | 323 | status: HttpStatusCode.FORBIDDEN_403, | |
324 | // Only the owner or a user that have blocklist rights can see the video | 324 | message: 'Cannot get this private/internal or blocklisted video' |
325 | if (!user || !user.canGetVideo(video)) { | 325 | }) |
326 | return res.fail({ | ||
327 | status: HttpStatusCode.FORBIDDEN_403, | ||
328 | message: 'Cannot get this private/internal or blocklisted video' | ||
329 | }) | ||
330 | } | ||
331 | |||
332 | return next() | ||
333 | } | 326 | } |
334 | 327 | ||
335 | // Video is public, anyone can access it | 328 | // Video is public, anyone can access it |
diff --git a/server/tests/api/check-params/video-captions.ts b/server/tests/api/check-params/video-captions.ts index 90f429314..84c6c1355 100644 --- a/server/tests/api/check-params/video-captions.ts +++ b/server/tests/api/check-params/video-captions.ts | |||
@@ -11,7 +11,7 @@ import { | |||
11 | PeerTubeServer, | 11 | PeerTubeServer, |
12 | setAccessTokensToServers | 12 | setAccessTokensToServers |
13 | } from '@shared/extra-utils' | 13 | } from '@shared/extra-utils' |
14 | import { HttpStatusCode, VideoCreateResult } from '@shared/models' | 14 | import { HttpStatusCode, VideoCreateResult, VideoPrivacy } from '@shared/models' |
15 | 15 | ||
16 | describe('Test video captions API validator', function () { | 16 | describe('Test video captions API validator', function () { |
17 | const path = '/api/v1/videos/' | 17 | const path = '/api/v1/videos/' |
@@ -19,6 +19,7 @@ describe('Test video captions API validator', function () { | |||
19 | let server: PeerTubeServer | 19 | let server: PeerTubeServer |
20 | let userAccessToken: string | 20 | let userAccessToken: string |
21 | let video: VideoCreateResult | 21 | let video: VideoCreateResult |
22 | let privateVideo: VideoCreateResult | ||
22 | 23 | ||
23 | // --------------------------------------------------------------- | 24 | // --------------------------------------------------------------- |
24 | 25 | ||
@@ -30,6 +31,7 @@ describe('Test video captions API validator', function () { | |||
30 | await setAccessTokensToServers([ server ]) | 31 | await setAccessTokensToServers([ server ]) |
31 | 32 | ||
32 | video = await server.videos.upload() | 33 | video = await server.videos.upload() |
34 | privateVideo = await server.videos.upload({ attributes: { privacy: VideoPrivacy.PRIVATE } }) | ||
33 | 35 | ||
34 | { | 36 | { |
35 | const user = { | 37 | const user = { |
@@ -204,8 +206,32 @@ describe('Test video captions API validator', function () { | |||
204 | }) | 206 | }) |
205 | }) | 207 | }) |
206 | 208 | ||
209 | it('Should fail with a private video without token', async function () { | ||
210 | await makeGetRequest({ | ||
211 | url: server.url, | ||
212 | path: path + privateVideo.shortUUID + '/captions', | ||
213 | expectedStatus: HttpStatusCode.UNAUTHORIZED_401 | ||
214 | }) | ||
215 | }) | ||
216 | |||
217 | it('Should fail with another user token', async function () { | ||
218 | await makeGetRequest({ | ||
219 | url: server.url, | ||
220 | token: userAccessToken, | ||
221 | path: path + privateVideo.shortUUID + '/captions', | ||
222 | expectedStatus: HttpStatusCode.FORBIDDEN_403 | ||
223 | }) | ||
224 | }) | ||
225 | |||
207 | it('Should success with the correct parameters', async function () { | 226 | it('Should success with the correct parameters', async function () { |
208 | await makeGetRequest({ url: server.url, path: path + video.shortUUID + '/captions', expectedStatus: HttpStatusCode.OK_200 }) | 227 | await makeGetRequest({ url: server.url, path: path + video.shortUUID + '/captions', expectedStatus: HttpStatusCode.OK_200 }) |
228 | |||
229 | await makeGetRequest({ | ||
230 | url: server.url, | ||
231 | path: path + privateVideo.shortUUID + '/captions', | ||
232 | token: server.accessToken, | ||
233 | expectedStatus: HttpStatusCode.OK_200 | ||
234 | }) | ||
209 | }) | 235 | }) |
210 | }) | 236 | }) |
211 | 237 | ||