aboutsummaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
authorChocobozzz <me@florianbigard.com>2022-06-22 14:03:50 +0200
committerChocobozzz <me@florianbigard.com>2022-06-22 14:03:50 +0200
commit2c2befaacaa7063df0d4557b71c187ee168a8eb6 (patch)
treeed31dba97ff754d6d20f32bf7eec10e580afa121
parentff9d43f62a4f4737c5bfe955883b48c5440f323a (diff)
downloadPeerTube-2c2befaacaa7063df0d4557b71c187ee168a8eb6.tar.gz
PeerTube-2c2befaacaa7063df0d4557b71c187ee168a8eb6.tar.zst
PeerTube-2c2befaacaa7063df0d4557b71c187ee168a8eb6.zip
Fix video right check
-rw-r--r--server/middlewares/auth.ts4
-rw-r--r--server/middlewares/validators/shared/videos.ts13
-rw-r--r--server/middlewares/validators/videos/video-playlists.ts4
-rw-r--r--server/tests/api/videos/video-privacy.ts2
4 files changed, 12 insertions, 11 deletions
diff --git a/server/middlewares/auth.ts b/server/middlewares/auth.ts
index c5424be97..ad3b24ab2 100644
--- a/server/middlewares/auth.ts
+++ b/server/middlewares/auth.ts
@@ -47,7 +47,7 @@ function authenticateSocket (socket: Socket, next: (err?: any) => void) {
47 .catch(err => logger.error('Cannot get access token.', { err })) 47 .catch(err => logger.error('Cannot get access token.', { err }))
48} 48}
49 49
50function authenticatePromiseIfNeeded (req: express.Request, res: express.Response, authenticateInQuery = false) { 50function authenticatePromise (req: express.Request, res: express.Response, authenticateInQuery = false) {
51 return new Promise<void>(resolve => { 51 return new Promise<void>(resolve => {
52 // Already authenticated? (or tried to) 52 // Already authenticated? (or tried to)
53 if (res.locals.oauth?.token.User) return resolve() 53 if (res.locals.oauth?.token.User) return resolve()
@@ -76,6 +76,6 @@ function optionalAuthenticate (req: express.Request, res: express.Response, next
76export { 76export {
77 authenticate, 77 authenticate,
78 authenticateSocket, 78 authenticateSocket,
79 authenticatePromiseIfNeeded, 79 authenticatePromise,
80 optionalAuthenticate 80 optionalAuthenticate
81} 81}
diff --git a/server/middlewares/validators/shared/videos.ts b/server/middlewares/validators/shared/videos.ts
index 39aab6df7..2c2ae3811 100644
--- a/server/middlewares/validators/shared/videos.ts
+++ b/server/middlewares/validators/shared/videos.ts
@@ -2,7 +2,7 @@ import { Request, Response } from 'express'
2import { isUUIDValid } from '@server/helpers/custom-validators/misc' 2import { isUUIDValid } from '@server/helpers/custom-validators/misc'
3import { loadVideo, VideoLoadType } from '@server/lib/model-loaders' 3import { loadVideo, VideoLoadType } from '@server/lib/model-loaders'
4import { isAbleToUploadVideo } from '@server/lib/user' 4import { isAbleToUploadVideo } from '@server/lib/user'
5import { authenticatePromiseIfNeeded } from '@server/middlewares/auth' 5import { authenticatePromise } from '@server/middlewares/auth'
6import { VideoModel } from '@server/models/video/video' 6import { VideoModel } from '@server/models/video/video'
7import { VideoChannelModel } from '@server/models/video/video-channel' 7import { VideoChannelModel } from '@server/models/video/video-channel'
8import { VideoFileModel } from '@server/models/video/video-file' 8import { VideoFileModel } from '@server/models/video/video-file'
@@ -137,7 +137,7 @@ async function checkCanSeeAuthVideo (req: Request, res: Response, video: MVideoI
137 return false 137 return false
138 } 138 }
139 139
140 await authenticatePromiseIfNeeded(req, res, authenticateInQuery) 140 await authenticatePromise(req, res, authenticateInQuery)
141 141
142 const user = res.locals.oauth?.token.User 142 const user = res.locals.oauth?.token.User
143 if (!user) return fail() 143 if (!user) return fail()
@@ -154,14 +154,15 @@ async function checkCanSeeAuthVideo (req: Request, res: Response, video: MVideoI
154 } 154 }
155 155
156 const isOwnedByUser = videoWithRights.VideoChannel.Account.userId === user.id 156 const isOwnedByUser = videoWithRights.VideoChannel.Account.userId === user.id
157 if (privacy === VideoPrivacy.PRIVATE || privacy === VideoPrivacy.UNLISTED) { 157
158 if (isOwnedByUser && user.hasRight(UserRight.SEE_ALL_VIDEOS)) return true 158 if (videoWithRights.isBlacklisted()) {
159 if (isOwnedByUser || user.hasRight(UserRight.MANAGE_VIDEO_BLACKLIST)) return true
159 160
160 return fail() 161 return fail()
161 } 162 }
162 163
163 if (videoWithRights.isBlacklisted()) { 164 if (privacy === VideoPrivacy.PRIVATE || privacy === VideoPrivacy.UNLISTED) {
164 if (isOwnedByUser || user.hasRight(UserRight.MANAGE_VIDEO_BLACKLIST)) return true 165 if (isOwnedByUser || user.hasRight(UserRight.SEE_ALL_VIDEOS)) return true
165 166
166 return fail() 167 return fail()
167 } 168 }
diff --git a/server/middlewares/validators/videos/video-playlists.ts b/server/middlewares/validators/videos/video-playlists.ts
index 241b9ed7b..d514ae0ad 100644
--- a/server/middlewares/validators/videos/video-playlists.ts
+++ b/server/middlewares/validators/videos/video-playlists.ts
@@ -33,7 +33,7 @@ import { logger } from '../../../helpers/logger'
33import { CONSTRAINTS_FIELDS } from '../../../initializers/constants' 33import { CONSTRAINTS_FIELDS } from '../../../initializers/constants'
34import { VideoPlaylistElementModel } from '../../../models/video/video-playlist-element' 34import { VideoPlaylistElementModel } from '../../../models/video/video-playlist-element'
35import { MVideoPlaylist } from '../../../types/models/video/video-playlist' 35import { MVideoPlaylist } from '../../../types/models/video/video-playlist'
36import { authenticatePromiseIfNeeded } from '../../auth' 36import { authenticatePromise } from '../../auth'
37import { 37import {
38 areValidationErrors, 38 areValidationErrors,
39 doesVideoChannelIdExist, 39 doesVideoChannelIdExist,
@@ -161,7 +161,7 @@ const videoPlaylistsGetValidator = (fetchType: VideoPlaylistFetchType) => {
161 } 161 }
162 162
163 if (videoPlaylist.privacy === VideoPlaylistPrivacy.PRIVATE) { 163 if (videoPlaylist.privacy === VideoPlaylistPrivacy.PRIVATE) {
164 await authenticatePromiseIfNeeded(req, res) 164 await authenticatePromise(req, res)
165 165
166 const user = res.locals.oauth ? res.locals.oauth.token.User : null 166 const user = res.locals.oauth ? res.locals.oauth.token.User : null
167 167
diff --git a/server/tests/api/videos/video-privacy.ts b/server/tests/api/videos/video-privacy.ts
index 3051a443d..1073aee8c 100644
--- a/server/tests/api/videos/video-privacy.ts
+++ b/server/tests/api/videos/video-privacy.ts
@@ -162,7 +162,7 @@ describe('Test video privacy', function () {
162 }) 162 })
163 163
164 it('Should not be able to get this unlisted video using its id', async function () { 164 it('Should not be able to get this unlisted video using its id', async function () {
165 await servers[1].videos.get({ id: unlistedVideo.id, expectedStatus: HttpStatusCode.NOT_FOUND_404 }) 165 await servers[1].videos.get({ id: unlistedVideo.id, expectedStatus: HttpStatusCode.UNAUTHORIZED_401 })
166 }) 166 })
167 167
168 it('Should be able to get this unlisted video using its uuid/shortUUID', async function () { 168 it('Should be able to get this unlisted video using its uuid/shortUUID', async function () {