authorChocobozzz <florian.bigard@gmail.com>2016-08-05 21:41:28 +0200
committerChocobozzz <florian.bigard@gmail.com>2016-08-05 21:41:28 +0200
commit58b2ba55a90f05f24661e664b1fb0a3486f037e8 (patch)
tree1f44b344423667280fca24661918cea8018195f7
parentf3391f9237269ed671c23fdbcc9d86dc52134fe5 (diff)
Server: do not allow a user to remove a video of another user
-rw-r--r--client/tsconfig.json2
-rw-r--r--server/middlewares/validators/videos.js1
-rw-r--r--server/tests/api/checkParams.js2
3 files changed, 3 insertions, 2 deletions
diff --git a/client/tsconfig.json b/client/tsconfig.json
index e2d61851e..b10231b7b 100644
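--- a/client/tsconfig.json
+++ b/client/tsconfig.json
@@ -49,8 +49,6 @@
 "src/app/shared/search/search.component.ts",
 "src/app/shared/search/search.model.ts",
 "src/app/shared/search/search.service.ts",
-"src/app/shared/user/index.ts",
-"src/app/shared/user/user.service.ts",
 "src/app/videos/index.ts",
 "src/app/videos/shared/index.ts",
 "src/app/videos/shared/loader/index.ts",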
diff --git a/server/middlewares/validators/videos.js b/server/middlewares/validators/videos.js
index 9d21ee16f..e51087d5a 100644
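--- a/server/middlewares/validators/videos.js
+++ b/server/middlewares/validators/videos.js
@@ -77,6 +77,7 @@ function videosRemove (req, res, next) {
 
 if (!video) return res.status(404).send('Video not found')
 else if (video.isOwned() === false) return res.status(403).send('Cannot remove video of another pod')
+else if (video.author !== res.locals.oauth.token.user.username) return res.status(403).send('Cannot remove video of another user')
 
 next()
 })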
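Review bot: The new ownership test on new line 80 identifies the owner by comparing the `video.author` string with `res.locals.oauth.token.user.username`, so the authorization decision rests on a username rather than on a stable user id; if usernames can ever be renamed or re-registered (not visible here), a different account would pass this check. It also dereferences `res.locals.oauth.token.user` unguarded, so it presumably relies on the OAuth authentication middleware always running before this validator. A comment such as `// requires the oauth authenticate middleware to have run; only the uploader may remove the video` would make that ordering explicit. videosRemove starts and ends outside the hunk, so the route wiring cannot be confirmed from here.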
diff --git a/server/tests/api/checkParams.js b/server/tests/api/checkParams.js
index 8b49f5f36..e489df277 100644
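--- a/server/tests/api/checkParams.js
+++ b/server/tests/api/checkParams.js
@@ -496,6 +496,8 @@ describe('Test parameters validator', function () {
 .expect(404, done)
 })
 
+it('Should fail with a video of another user')
+
 it('Should fail with a video of another pod')
 
 it('Should succeed with the correct parameters')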
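Review bot: The added `it('Should fail with a video of another user')` has no callback, so Mocha reports it as pending and the 403 branch this commit introduces in `videosRemove` is never exercised. Because this is an authorization check, it deserves a real case: upload a video as one user, send the remove request with a second user's token, and expect 403. The neighbouring pod and success cases are pending in the same way. The enclosing describe block continues outside the hunk.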