author | Chocobozzz <florian.bigard@gmail.com> | 2016-08-05 21:41:28 +0200 |
---|---|---|
committer | Chocobozzz <florian.bigard@gmail.com> | 2016-08-05 21:41:28 +0200 |
commit | 58b2ba55a90f05f24661e664b1fb0a3486f037e8 (patch) | |
tree | 1f44b344423667280fca24661918cea8018195f7 | |
parent | f3391f9237269ed671c23fdbcc9d86dc52134fe5 (diff) | |
Server: do not allow a user to remove a video of another user
-rw-r--r-- | client/tsconfig.json | 2 | ||||
-rw-r--r-- | server/middlewares/validators/videos.js | 1 | ||||
-rw-r--r-- | server/tests/api/checkParams.js | 2 |
3 files changed, 3 insertions, 2 deletions
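diff --git a/client/tsconfig.json b/client/tsconfig.json
index e2d61851e..b10231b7b 100644
--- a/client/tsconfig.json
+++ b/client/tsconfig.json
@@ -49,8 +49,6 @@
 "src/app/shared/search/search.component.ts",
 "src/app/shared/search/search.model.ts",
 "src/app/shared/search/search.service.ts",
-"src/app/shared/user/index.ts",
-"src/app/shared/user/user.service.ts",
 "src/app/videos/index.ts",
 "src/app/videos/shared/index.ts",
 "src/app/videos/shared/loader/index.ts",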
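diff --git a/server/middlewares/validators/videos.js b/server/middlewares/validators/videos.js
index 9d21ee16f..e51087d5a 100644
--- a/server/middlewares/validators/videos.js
+++ b/server/middlewares/validators/videos.js
@@ -77,6 +77,7 @@ function videosRemove (req, res, next) {
 
 if (!video) return res.status(404).send('Video not found')
 else if (video.isOwned() === false) return res.status(403).send('Cannot remove video of another pod')
+else if (video.author !== res.locals.oauth.token.user.username) return res.status(403).send('Cannot remove video of another user')
 
 next()
 })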
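Review bot: The new ownership test in `videosRemove` compares `video.author` with `res.locals.oauth.token.user.username`, so the right to delete is tied to a username string rather than to an immutable account identifier. If an account can be removed and its username registered again (not visible from this hunk), the new account would pass this check for the old account's videos; storing and comparing a user id on the video would close that gap. The line also dereferences `res.locals.oauth.token.user` unconditionally, so it depends on the OAuth authentication middleware always running before this validator; a comment such as `// requires the authenticate middleware: res.locals.oauth.token.user must be set` would record that dependency. The body of `videosRemove` starts and ends outside the hunk.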
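diff --git a/server/tests/api/checkParams.js b/server/tests/api/checkParams.js
index 8b49f5f36..e489df277 100644
--- a/server/tests/api/checkParams.js
+++ b/server/tests/api/checkParams.js
@@ -496,6 +496,8 @@ describe('Test parameters validator', function () {
 .expect(404, done)
 })
 
+it('Should fail with a video of another user')
+
 it('Should fail with a video of another pod')
 
 it('Should succeed with the correct parameters')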
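Review bot: `it('Should fail with a video of another user')` is declared without a callback, so Mocha reports it as pending and the 403 branch this commit adds to `videosRemove` is never exercised. Because that branch is an authorization check, a later regression would let any authenticated user delete other users' videos again without a test failing. The case should upload a video as one user, send the delete request with a second user's token, and end with `.expect(403, done)`, in the same style as the 404 case just above it. The neighbouring 'another pod' and 'correct parameters' cases are pending as well, and the enclosing `describe` block starts and ends outside the hunk.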