authorChocobozzz <me@florianbigard.com>2022-01-06 13:27:29 +0100
committerChocobozzz <me@florianbigard.com>2022-01-06 13:27:29 +0100
commit795212f7acc690c88c86d0fab8772f6564d59cb8 (patch)
tree3a0203fc1957fd8cf8876774051137a0b04236fc
parent7b54a81cccf6b4c12269e9d6897d608b1a99537a (diff)
Prevent caption listing of private videos
-rw-r--r--server/controllers/api/videos/captions.ts2
-rw-r--r--server/controllers/api/videos/files.ts4
-rw-r--r--server/middlewares/validators/shared/videos.ts33
-rw-r--r--server/middlewares/validators/videos/video-captions.ts22
-rw-r--r--server/middlewares/validators/videos/videos.ts19
-rw-r--r--server/tests/api/check-params/video-captions.ts28
6 files changed, 86 insertions, 22 deletions
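diff --git a/server/controllers/api/videos/captions.ts b/server/controllers/api/videos/captions.ts
index 2d2213327..aa7259ee9 100644
--- a/server/controllers/api/videos/captions.ts
+++ b/server/controllers/api/videos/captions.ts
@@ -48,7 +48,7 @@ export {
 // ---------------------------------------------------------------------------
 
 async function listVideoCaptions (req: express.Request, res: express.Response) {
-  const data = await VideoCaptionModel.listVideoCaptions(res.locals.videoId.id)
+  const data = await VideoCaptionModel.listVideoCaptions(res.locals.onlyVideo.id)
 
   return res.json(getFormattedObjects(data, data.length))
 }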
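diff --git a/server/controllers/api/videos/files.ts b/server/controllers/api/videos/files.ts
index a8b32411d..0fbda280e 100644
--- a/server/controllers/api/videos/files.ts
+++ b/server/controllers/api/videos/files.ts
@@ -10,13 +10,15 @@ import {
   ensureUserHasRight,
   videoFileMetadataGetValidator,
   videoFilesDeleteHLSValidator,
-  videoFilesDeleteWebTorrentValidator
+  videoFilesDeleteWebTorrentValidator,
+  videosGetValidator
 } from '../../../middlewares'
 
 const lTags = loggerTagsFactory('api', 'video')
 const filesRouter = express.Router()
 
 filesRouter.get('/:id/metadata/:videoFileId',
+  asyncMiddleware(videosGetValidator),
   asyncMiddleware(videoFileMetadataGetValidator),
   asyncMiddleware(getVideoFileMetadata)
 )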
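diff --git a/server/middlewares/validators/shared/videos.ts b/server/middlewares/validators/shared/videos.ts
index 71b81654f..fc978b63a 100644
--- a/server/middlewares/validators/shared/videos.ts
+++ b/server/middlewares/validators/shared/videos.ts
@@ -1,16 +1,20 @@
-import { Response } from 'express'
+import { Request, Response } from 'express'
 import { loadVideo, VideoLoadType } from '@server/lib/model-loaders'
+import { authenticatePromiseIfNeeded } from '@server/middlewares/auth'
+import { VideoModel } from '@server/models/video/video'
 import { VideoChannelModel } from '@server/models/video/video-channel'
 import { VideoFileModel } from '@server/models/video/video-file'
 import {
   MUser,
   MUserAccountId,
+  MVideo,
   MVideoAccountLight,
   MVideoFormattableDetails,
   MVideoFullLight,
   MVideoId,
   MVideoImmutable,
-  MVideoThumbnail
+  MVideoThumbnail,
+  MVideoWithRights
 } from '@server/types/models'
 import { HttpStatusCode, UserRight } from '@shared/models'
 
@@ -89,6 +93,27 @@ async function doesVideoChannelOfAccountExist (channelId: number, user: MUserAcc
   return true
 }
 
+async function checkCanSeeVideoIfPrivate (req: Request, res: Response, video: MVideo, authenticateInQuery = false) {
+  if (!video.requiresAuth()) return true
+
+  const videoWithRights = await VideoModel.loadAndPopulateAccountAndServerAndTags(video.id)
+
+  return checkCanSeePrivateVideo(req, res, videoWithRights, authenticateInQuery)
+}
+
+async function checkCanSeePrivateVideo (req: Request, res: Response, video: MVideoWithRights, authenticateInQuery = false) {
+  await authenticatePromiseIfNeeded(req, res, authenticateInQuery)
+
+  const user = res.locals.oauth ? res.locals.oauth.token.User : null
+
+  // Only the owner or a user that have blocklist rights can see the video
+  if (!user || !user.canGetVideo(video)) {
+    return false
+  }
+
+  return true
+}
+
 function checkUserCanManageVideo (user: MUser, video: MVideoAccountLight, right: UserRight, res: Response, onlyOwned = true) {
   // Retrieve the user who did the request
   if (onlyOwned && video.isOwned() === false) {
@@ -120,5 +145,7 @@ export {
   doesVideoChannelOfAccountExist,
   doesVideoExist,
   doesVideoFileOfVideoExist,
-  checkUserCanManageVideo
+  checkUserCanManageVideo,
+  checkCanSeeVideoIfPrivate,
+  checkCanSeePrivateVideo
 }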
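Review bot: `checkCanSeePrivateVideo` has a non-obvious contract that should be documented: it returns `false` when there is no user, and its callers in this commit turn that into a 403, yet the new test expects a 401 for a private video without token — the two only agree if `authenticatePromiseIfNeeded` sends the 401 itself and does not resolve (or throws) on a missing/invalid token, which this diff does not show. Add a doc comment above the function along the lines of `// Resolves true only for a user allowed by canGetVideo(). authenticatePromiseIfNeeded is expected to reply 401 itself on a bad/missing token, so callers must not send a second response in that case` — verify against auth.ts before committing to the wording. Separately, `checkCanSeeVideoIfPrivate` hands the result of `loadAndPopulateAccountAndServerAndTags` straight to `user.canGetVideo`; if that loader can return null for a video deleted between the two queries, a guard `if (!videoWithRights) return false` keeps the validator from throwing instead of failing closed.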
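diff --git a/server/middlewares/validators/videos/video-captions.ts b/server/middlewares/validators/videos/video-captions.ts
index 38321ccf9..4fc4c8ec5 100644
--- a/server/middlewares/validators/videos/video-captions.ts
+++ b/server/middlewares/validators/videos/video-captions.ts
@@ -1,11 +1,18 @@
 import express from 'express'
 import { body, param } from 'express-validator'
-import { UserRight } from '../../../../shared'
+import { HttpStatusCode, UserRight } from '../../../../shared'
 import { isVideoCaptionFile, isVideoCaptionLanguageValid } from '../../../helpers/custom-validators/video-captions'
 import { cleanUpReqFiles } from '../../../helpers/express-utils'
 import { logger } from '../../../helpers/logger'
 import { CONSTRAINTS_FIELDS, MIMETYPES } from '../../../initializers/constants'
-import { areValidationErrors, checkUserCanManageVideo, doesVideoCaptionExist, doesVideoExist, isValidVideoIdParam } from '../shared'
+import {
+  areValidationErrors,
+  checkCanSeeVideoIfPrivate,
+  checkUserCanManageVideo,
+  doesVideoCaptionExist,
+  doesVideoExist,
+  isValidVideoIdParam
+} from '../shared'
 
 const addVideoCaptionValidator = [
   isValidVideoIdParam('videoId'),
@@ -64,7 +71,16 @@ const listVideoCaptionsValidator = [
     logger.debug('Checking listVideoCaptions parameters', { parameters: req.params })
 
     if (areValidationErrors(req, res)) return
-    if (!await doesVideoExist(req.params.videoId, res, 'id')) return
+    if (!await doesVideoExist(req.params.videoId, res, 'only-video')) return
+
+    const video = res.locals.onlyVideo
+
+    if (!await checkCanSeeVideoIfPrivate(req, res, video)) {
+      return res.fail({
+        status: HttpStatusCode.FORBIDDEN_403,
+        message: 'Cannot list captions of private/internal/blocklisted video'
+      })
+    }
 
     return next()
   }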
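Review bot: The new guard in `listVideoCaptionsValidator` protects only the caption listing; the caption files themselves appear to be served by a static route that this diff does not touch, so a client that already holds a caption URL can presumably still fetch it — confirm, and set expectations with a comment above the check: `// Gates the listing only; the .vtt files are served separately and are not protected here`. The call uses the default `authenticateInQuery = false`; if any caller (the embed/player, for instance) passes its token in the query string — the existence of that parameter suggests some do — caption listing for private videos will now fail for it, which is not covered by the added tests. The 403 message could also reuse the wording of videos.ts (`'Cannot get this private/internal or blocklisted video'`) so clients can match one string. The `listVideoCaptionsValidator` array begins before this hunk.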
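diff --git a/server/middlewares/validators/videos/videos.ts b/server/middlewares/validators/videos/videos.ts
index 3ebdbc33d..782f495e8 100644
--- a/server/middlewares/validators/videos/videos.ts
+++ b/server/middlewares/validators/videos/videos.ts
@@ -51,9 +51,9 @@ import { CONSTRAINTS_FIELDS, OVERVIEWS } from '../../../initializers/constants'
 import { isLocalVideoAccepted } from '../../../lib/moderation'
 import { Hooks } from '../../../lib/plugins/hooks'
 import { VideoModel } from '../../../models/video/video'
-import { authenticatePromiseIfNeeded } from '../../auth'
 import {
   areValidationErrors,
+  checkCanSeePrivateVideo,
   checkUserCanManageVideo,
   doesVideoChannelOfAccountExist,
   doesVideoExist,
@@ -317,19 +317,12 @@ const videosCustomGetValidator = (
 
     // Video private or blacklisted
     if (video.requiresAuth()) {
-      await authenticatePromiseIfNeeded(req, res, authenticateInQuery)
+      if (await checkCanSeePrivateVideo(req, res, video, authenticateInQuery)) return next()
 
-      const user = res.locals.oauth ? res.locals.oauth.token.User : null
-
-      // Only the owner or a user that have blocklist rights can see the video
-      if (!user || !user.canGetVideo(video)) {
-        return res.fail({
-          status: HttpStatusCode.FORBIDDEN_403,
-          message: 'Cannot get this private/internal or blocklisted video'
-        })
-      }
-
-      return next()
+      return res.fail({
+        status: HttpStatusCode.FORBIDDEN_403,
+        message: 'Cannot get this private/internal or blocklisted video'
+      })
     }
 
     // Video is public, anyone can access it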
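diff --git a/server/tests/api/check-params/video-captions.ts b/server/tests/api/check-params/video-captions.ts
index 90f429314..84c6c1355 100644
--- a/server/tests/api/check-params/video-captions.ts
+++ b/server/tests/api/check-params/video-captions.ts
@@ -11,7 +11,7 @@ import {
   PeerTubeServer,
   setAccessTokensToServers
 } from '@shared/extra-utils'
-import { HttpStatusCode, VideoCreateResult } from '@shared/models'
+import { HttpStatusCode, VideoCreateResult, VideoPrivacy } from '@shared/models'
 
 describe('Test video captions API validator', function () {
   const path = '/api/v1/videos/'
@@ -19,6 +19,7 @@ describe('Test video captions API validator', function () {
   let server: PeerTubeServer
   let userAccessToken: string
   let video: VideoCreateResult
+  let privateVideo: VideoCreateResult
 
   // ---------------------------------------------------------------
 
@@ -30,6 +31,7 @@ describe('Test video captions API validator', function () {
     await setAccessTokensToServers([ server ])
 
     video = await server.videos.upload()
+    privateVideo = await server.videos.upload({ attributes: { privacy: VideoPrivacy.PRIVATE } })
 
     {
       const user = {
@@ -204,8 +206,32 @@ describe('Test video captions API validator', function () {
       })
     })
 
+    it('Should fail with a private video without token', async function () {
+      await makeGetRequest({
+        url: server.url,
+        path: path + privateVideo.shortUUID + '/captions',
+        expectedStatus: HttpStatusCode.UNAUTHORIZED_401
+      })
+    })
+
+    it('Should fail with another user token', async function () {
+      await makeGetRequest({
+        url: server.url,
+        token: userAccessToken,
+        path: path + privateVideo.shortUUID + '/captions',
+        expectedStatus: HttpStatusCode.FORBIDDEN_403
+      })
+    })
+
     it('Should success with the correct parameters', async function () {
       await makeGetRequest({ url: server.url, path: path + video.shortUUID + '/captions', expectedStatus: HttpStatusCode.OK_200 })
+
+      await makeGetRequest({
+        url: server.url,
+        path: path + privateVideo.shortUUID + '/captions',
+        token: server.accessToken,
+        expectedStatus: HttpStatusCode.OK_200
+      })
     })
   })
 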
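Review bot: The new cases exercise only `VideoPrivacy.PRIVATE`, while the validator's error text promises the same treatment for internal and blocklisted videos and the decision is delegated to `user.canGetVideo`, whose branches are therefore untested here. Assuming internal videos are meant to be readable by any logged-in account of the instance (as the privacy level's name suggests — confirm against `canGetVideo`), upload an `INTERNAL` video in the `before` hook, `internalVideo = await server.videos.upload({ attributes: { privacy: VideoPrivacy.INTERNAL } })`, and add the case below so a regression in that branch is caught; a blocklisted-video case using `server.accessToken` for the admin and `userAccessToken` for the 403 would complete the matrix. The enclosing `describe` blocks start before this hunk.
```typescript
// … unchanged: existing private video cases …
it('Should fail with an internal video without token', async function () {
  await makeGetRequest({
    url: server.url,
    path: path + internalVideo.shortUUID + '/captions',
    expectedStatus: HttpStatusCode.UNAUTHORIZED_401
  })
})

it('Should succeed with an internal video and another user token', async function () {
  await makeGetRequest({
    url: server.url,
    token: userAccessToken,
    path: path + internalVideo.shortUUID + '/captions',
    expectedStatus: HttpStatusCode.OK_200
  })
})
```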