authorChocobozzz <me@florianbigard.com>2022-02-22 14:16:34 +0100
committerChocobozzz <me@florianbigard.com>2022-02-22 14:16:51 +0100
commit6ea9295b8f5dd7cc254202a79aad61c666cc4259 (patch)
tree0345d57eb47c5b5cd0046fee1456b0dc440ae470
parentfdd5da058aeffb161202124a129789a3c2bb234c (diff)
Check video privacy when creating comments/rates
-rw-r--r--server/middlewares/validators/videos/video-comments.ts16
-rw-r--r--server/middlewares/validators/videos/video-rates.ts9
-rw-r--r--server/tests/api/check-params/video-comments.ts39
-rw-r--r--server/tests/api/check-params/videos.ts18
4 files changed, 75 insertions, 7 deletions
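--- a/server/middlewares/validators/videos/video-comments.ts
+++ b/server/middlewares/validators/videos/video-comments.ts
@@ -100,6 +100,14 @@ const addVideoCommentThreadValidator = [
 
 if (areValidationErrors(req, res)) return
 if (!await doesVideoExist(req.params.videoId, res)) return
+
+if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.videoAll)) {
+return res.fail({
+status: HttpStatusCode.FORBIDDEN_403,
+message: 'Cannot access to this ressource'
+})
+}
+
 if (!isVideoCommentsEnabled(res.locals.videoAll, res)) return
 if (!await isVideoCommentAccepted(req, res, res.locals.videoAll, false)) return
 
@@ -119,6 +127,14 @@ const addVideoCommentReplyValidator = [
 
 if (areValidationErrors(req, res)) return
 if (!await doesVideoExist(req.params.videoId, res)) return
+
+if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.videoAll)) {
+return res.fail({
+status: HttpStatusCode.FORBIDDEN_403,
+message: 'Cannot access to this ressource'
+})
+}
+
 if (!isVideoCommentsEnabled(res.locals.videoAll, res)) return
 if (!await doesVideoCommentExist(req.params.commentId, res.locals.videoAll, res)) return
 if (!await isVideoCommentAccepted(req, res, res.locals.videoAll, true)) return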
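Review bot: The guard added at new lines 104-109 and 131-136 is the same seven-line block, and video-rates.ts adds a third copy; the response could instead be written inside checkCanSeeVideoIfPrivate so each validator reads `if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.videoAll)) return`, mirroring how doesVideoExist on the line above appears to report its own failure. The user-facing message 'Cannot access to this ressource' is misspelled; `message: 'Cannot access this resource'` is the fix, and until the helper is shared it has to be applied in every copy. Answering 403 here, after doesVideoExist has already answered 404 for unknown ids, lets an unauthorized caller confirm that an id belongs to an existing private video — fine if the other private-video endpoints behave the same way, otherwise a 404 would hide it. Both validators start before their hunks.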
diff --git a/server/middlewares/validators/videos/video-rates.ts b/server/middlewares/validators/videos/video-rates.ts
index 6e0bb0ad1..923bf3eaf 100644
--- a/server/middlewares/validators/videos/video-rates.ts
+++ b/server/middlewares/validators/videos/video-rates.ts
@@ -8,7 +8,7 @@ import { isRatingValid } from '../../../helpers/custom-validators/video-rates'
8import { isVideoRatingTypeValid } from '../../../helpers/custom-validators/videos' 8import { isVideoRatingTypeValid } from '../../../helpers/custom-validators/videos'
9import { logger } from '../../../helpers/logger' 9import { logger } from '../../../helpers/logger'
10import { AccountVideoRateModel } from '../../../models/account/account-video-rate' 10import { AccountVideoRateModel } from '../../../models/account/account-video-rate'
11import { areValidationErrors, doesVideoExist, isValidVideoIdParam } from '../shared' 11import { areValidationErrors, checkCanSeeVideoIfPrivate, doesVideoExist, isValidVideoIdParam } from '../shared'
12 12
13const videoUpdateRateValidator = [ 13const videoUpdateRateValidator = [
14 isValidVideoIdParam('id'), 14 isValidVideoIdParam('id'),
@@ -21,6 +21,13 @@ const videoUpdateRateValidator = [
21 if (areValidationErrors(req, res)) return 21 if (areValidationErrors(req, res)) return
22 if (!await doesVideoExist(req.params.id, res)) return 22 if (!await doesVideoExist(req.params.id, res)) return
23 23
24 if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.videoAll)) {
25 return res.fail({
26 status: HttpStatusCode.FORBIDDEN_403,
27 message: 'Cannot access to this ressource'
28 })
29 }
30
24 return next() 31 return next()
25 } 32 }
26] 33]
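Review bot: The new res.fail at new lines 24-29 references HttpStatusCode, but the only import this file gains is checkCanSeeVideoIfPrivate on line 11; the first seven import lines are outside the hunk, so confirm HttpStatusCode is already among them, otherwise the validator will not compile. The handler of videoUpdateRateValidator starts before the second hunk.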
diff --git a/server/tests/api/check-params/video-comments.ts b/server/tests/api/check-params/video-comments.ts
index 829f3c8b1..624d657d3 100644
--- a/server/tests/api/check-params/video-comments.ts
+++ b/server/tests/api/check-params/video-comments.ts
@@ -19,10 +19,14 @@ const expect = chai.expect
19describe('Test video comments API validator', function () { 19describe('Test video comments API validator', function () {
20 let pathThread: string 20 let pathThread: string
21 let pathComment: string 21 let pathComment: string
22
22 let server: PeerTubeServer 23 let server: PeerTubeServer
24
23 let video: VideoCreateResult 25 let video: VideoCreateResult
26
24 let userAccessToken: string 27 let userAccessToken: string
25 let userAccessToken2: string 28 let userAccessToken2: string
29
26 let commentId: number 30 let commentId: number
27 let privateCommentId: number 31 let privateCommentId: number
28 let privateVideo: VideoCreateResult 32 let privateVideo: VideoCreateResult
@@ -203,9 +207,8 @@ describe('Test video comments API validator', function () {
203 207
204 it('Should fail with an incorrect video', async function () { 208 it('Should fail with an incorrect video', async function () {
205 const path = '/api/v1/videos/ba708d62-e3d7-45d9-9d73-41b9097cc02d/comment-threads' 209 const path = '/api/v1/videos/ba708d62-e3d7-45d9-9d73-41b9097cc02d/comment-threads'
206 const fields = { 210 const fields = { text: 'super comment' }
207 text: 'super comment' 211
208 }
209 await makePostBodyRequest({ 212 await makePostBodyRequest({
210 url: server.url, 213 url: server.url,
211 path, 214 path,
@@ -215,10 +218,21 @@ describe('Test video comments API validator', function () {
215 }) 218 })
216 }) 219 })
217 220
221 it('Should fail with a private video of another user', async function () {
222 const fields = { text: 'super comment' }
223
224 await makePostBodyRequest({
225 url: server.url,
226 path: '/api/v1/videos/' + privateVideo.shortUUID + '/comment-threads',
227 token: userAccessToken,
228 fields,
229 expectedStatus: HttpStatusCode.FORBIDDEN_403
230 })
231 })
232
218 it('Should succeed with the correct parameters', async function () { 233 it('Should succeed with the correct parameters', async function () {
219 const fields = { 234 const fields = { text: 'super comment' }
220 text: 'super comment' 235
221 }
222 await makePostBodyRequest({ 236 await makePostBodyRequest({
223 url: server.url, 237 url: server.url,
224 path: pathThread, 238 path: pathThread,
@@ -230,6 +244,7 @@ describe('Test video comments API validator', function () {
230 }) 244 })
231 245
232 describe('When adding a comment to a thread', function () { 246 describe('When adding a comment to a thread', function () {
247
233 it('Should fail with a non authenticated user', async function () { 248 it('Should fail with a non authenticated user', async function () {
234 const fields = { 249 const fields = {
235 text: 'text' 250 text: 'text'
@@ -276,6 +291,18 @@ describe('Test video comments API validator', function () {
276 }) 291 })
277 }) 292 })
278 293
294 it('Should fail with a private video of another user', async function () {
295 const fields = { text: 'super comment' }
296
297 await makePostBodyRequest({
298 url: server.url,
299 path: '/api/v1/videos/' + privateVideo.uuid + '/comments/' + privateCommentId,
300 token: userAccessToken,
301 fields,
302 expectedStatus: HttpStatusCode.FORBIDDEN_403
303 })
304 })
305
279 it('Should fail with an incorrect comment', async function () { 306 it('Should fail with an incorrect comment', async function () {
280 const path = '/api/v1/videos/' + video.uuid + '/comments/124' 307 const path = '/api/v1/videos/' + video.uuid + '/comments/124'
281 const fields = { 308 const fields = {
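Review bot: The new cases at new lines 221-231 and 294-304 only show a non-owner being refused; nothing checks that the guard still lets the video owner through, so a regression that rejects every private video would pass this suite. A companion case posting the same body against privateVideo with `token: server.accessToken` and expecting the status the existing success case uses would pin that; the rate test added in videos.ts has the same gap. The two cases address the same video as privateVideo.shortUUID and privateVideo.uuid, which is useful coverage of both id forms but reads like an inconsistency without a comment such as `// shortUUID and uuid are both accepted as video ids`. The enclosing describe blocks start and end outside these hunks.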
diff --git a/server/tests/api/check-params/videos.ts b/server/tests/api/check-params/videos.ts
index 4cc70f5cc..41064d2ff 100644
--- a/server/tests/api/check-params/videos.ts
+++ b/server/tests/api/check-params/videos.ts
@@ -28,6 +28,7 @@ describe('Test videos API validator', function () {
28 let channelId: number 28 let channelId: number
29 let channelName: string 29 let channelName: string
30 let video: VideoCreateResult 30 let video: VideoCreateResult
31 let privateVideo: VideoCreateResult
31 32
32 // --------------------------------------------------------------- 33 // ---------------------------------------------------------------
33 34
@@ -49,6 +50,10 @@ describe('Test videos API validator', function () {
49 channelName = body.videoChannels[0].name 50 channelName = body.videoChannels[0].name
50 accountName = body.account.name + '@' + body.account.host 51 accountName = body.account.name + '@' + body.account.host
51 } 52 }
53
54 {
55 privateVideo = await server.videos.quickUpload({ name: 'private video', privacy: VideoPrivacy.PRIVATE })
56 }
52 }) 57 })
53 58
54 describe('When listing videos', function () { 59 describe('When listing videos', function () {
@@ -783,6 +788,19 @@ describe('Test videos API validator', function () {
783 await makePutBodyRequest({ url: server.url, path: path + videoId + '/rate', token: server.accessToken, fields }) 788 await makePutBodyRequest({ url: server.url, path: path + videoId + '/rate', token: server.accessToken, fields })
784 }) 789 })
785 790
791 it('Should fail with a private video of another user', async function () {
792 const fields = {
793 rating: 'like'
794 }
795 await makePutBodyRequest({
796 url: server.url,
797 path: path + privateVideo.uuid + '/rate',
798 token: userAccessToken,
799 fields,
800 expectedStatus: HttpStatusCode.FORBIDDEN_403
801 })
802 })
803
786 it('Should succeed with the correct parameters', async function () { 804 it('Should succeed with the correct parameters', async function () {
787 const fields = { 805 const fields = {
788 rating: 'like' 806 rating: 'like'
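Review bot: The refusal in the case at new lines 791-802 only holds because privateVideo is uploaded in the setup hunk presumably with the server's own credentials while the request carries userAccessToken; that dependency is implicit, so a comment on the upload, `// owned by the root account; userAccessToken belongs to another user`, would stop a later fixture change from silently turning this case into a pass. The `{ … }` around the quickUpload at new lines 54-56 wraps a single statement and, unlike the block before it, scopes no locals, so it could be a plain statement. userAccessToken is not declared in these hunks — confirm it is assigned in this file's setup. The surrounding describe and before hooks continue outside the hunks.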