author | Chocobozzz <me@florianbigard.com> | 2022-02-22 14:16:34 +0100 |
---|---|---|
committer | Chocobozzz <me@florianbigard.com> | 2022-02-22 14:16:51 +0100 |
commit | 6ea9295b8f5dd7cc254202a79aad61c666cc4259 (patch) | |
tree | 0345d57eb47c5b5cd0046fee1456b0dc440ae470 | |
parent | fdd5da058aeffb161202124a129789a3c2bb234c (diff) | |
Check video privacy when creating comments/rates
-rw-r--r-- | server/middlewares/validators/videos/video-comments.ts | 16 | ||||
-rw-r--r-- | server/middlewares/validators/videos/video-rates.ts | 9 | ||||
-rw-r--r-- | server/tests/api/check-params/video-comments.ts | 39 | ||||
-rw-r--r-- | server/tests/api/check-params/videos.ts | 18 |
4 files changed, 75 insertions, 7 deletions
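--- a/server/middlewares/validators/videos/video-comments.ts
+++ b/server/middlewares/validators/videos/video-comments.ts
@@ -100,6 +100,14 @@ const addVideoCommentThreadValidator = [
 
 if (areValidationErrors(req, res)) return
 if (!await doesVideoExist(req.params.videoId, res)) return
+
+if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.videoAll)) {
+return res.fail({
+status: HttpStatusCode.FORBIDDEN_403,
+message: 'Cannot access to this ressource'
+})
+}
+
 if (!isVideoCommentsEnabled(res.locals.videoAll, res)) return
 if (!await isVideoCommentAccepted(req, res, res.locals.videoAll, false)) return
 
@@ -119,6 +127,14 @@ const addVideoCommentReplyValidator = [
 
 if (areValidationErrors(req, res)) return
 if (!await doesVideoExist(req.params.videoId, res)) return
+
+if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.videoAll)) {
+return res.fail({
+status: HttpStatusCode.FORBIDDEN_403,
+message: 'Cannot access to this ressource'
+})
+}
+
 if (!isVideoCommentsEnabled(res.locals.videoAll, res)) return
 if (!await doesVideoCommentExist(req.params.commentId, res.locals.videoAll, res)) return
 if (!await isVideoCommentAccepted(req, res, res.locals.videoAll, true)) return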
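Review bot: The 403 block added at new lines 104-109 is pasted verbatim into the reply validator at 131-136 (and a third time in video-rates.ts), and its client-visible message misspells "resource" as "ressource"; one small helper next to `checkCanSeeVideoIfPrivate` would keep the status and message in a single place and fix the typo once. Neither hunk touches this file's imports, so `checkCanSeeVideoIfPrivate` and `HttpStatusCode` must already be in scope here — worth confirming, since video-rates.ts had to add the import. Running the privacy check before `doesVideoCommentExist` in the reply validator is the right order, because a 404 on a guessed comment id would otherwise disclose which comment ids exist under a video the requester cannot see; a comment such as `// Privacy check first: do not disclose comment existence on a video the requester cannot see` would protect that ordering from a later reshuffle. Both validator arrays begin and end outside the hunks, and the `express` types below are assumed from how the surrounding validators type req/res.
```typescript
// Reject write operations on a video the requester is not allowed to see.
// Single home for the status code and the user-visible message.
async function checkCanSeeVideoOrFail (req: express.Request, res: express.Response) {
  if (await checkCanSeeVideoIfPrivate(req, res, res.locals.videoAll)) return true

  res.fail({
    status: HttpStatusCode.FORBIDDEN_403,
    message: 'Cannot access to this resource'
  })
  return false
}

// … unchanged: addVideoCommentThreadValidator up to doesVideoExist …
    if (!await checkCanSeeVideoOrFail(req, res)) return
// … unchanged: isVideoCommentsEnabled / isVideoCommentAccepted, and the same one-line call in addVideoCommentReplyValidator …
```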
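--- a/server/middlewares/validators/videos/video-rates.ts
+++ b/server/middlewares/validators/videos/video-rates.ts
@@ -8,7 +8,7 @@ import { isRatingValid } from '../../../helpers/custom-validators/video-rates'
 import { isVideoRatingTypeValid } from '../../../helpers/custom-validators/videos'
 import { logger } from '../../../helpers/logger'
 import { AccountVideoRateModel } from '../../../models/account/account-video-rate'
-import { areValidationErrors, doesVideoExist, isValidVideoIdParam } from '../shared'
+import { areValidationErrors, checkCanSeeVideoIfPrivate, doesVideoExist, isValidVideoIdParam } from '../shared'
 
 const videoUpdateRateValidator = [
 isValidVideoIdParam('id'),
@@ -21,6 +21,13 @@ const videoUpdateRateValidator = [
 if (areValidationErrors(req, res)) return
 if (!await doesVideoExist(req.params.id, res)) return
 
+if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.videoAll)) {
+return res.fail({
+status: HttpStatusCode.FORBIDDEN_403,
+message: 'Cannot access to this ressource'
+})
+}
+
 return next()
 }
 ]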
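Review bot: The import hunk adds `checkCanSeeVideoIfPrivate` but not `HttpStatusCode`, which the new block at lines 24-29 uses; file lines 1-7 are outside the hunk, so confirm `HttpStatusCode` is already imported there or this will not compile. A non-owner now receives 403 rather than 404 for a private video, which confirms that a video with that id exists — and `isValidVideoIdParam('id')` suggests numeric ids, not only UUIDs, are accepted; if the video GET validator already answers 403 for private videos this discloses nothing new, but if it answers 404 the two endpoints should agree, and a comment such as `// 403 rather than 404: matches the GET validator's handling of private videos` would record the intent. The same misspelled message ("ressource") is repeated here; if the check is extracted into a shared helper it can be corrected in one place. `videoUpdateRateValidator` starts before the second hunk.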
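--- a/server/tests/api/check-params/video-comments.ts
+++ b/server/tests/api/check-params/video-comments.ts
@@ -19,10 +19,14 @@ const expect = chai.expect
 describe('Test video comments API validator', function () {
 let pathThread: string
 let pathComment: string
+
 let server: PeerTubeServer
+
 let video: VideoCreateResult
+
 let userAccessToken: string
 let userAccessToken2: string
+
 let commentId: number
 let privateCommentId: number
 let privateVideo: VideoCreateResult
@@ -203,9 +207,8 @@ describe('Test video comments API validator', function () {
 
 it('Should fail with an incorrect video', async function () {
 const path = '/api/v1/videos/ba708d62-e3d7-45d9-9d73-41b9097cc02d/comment-threads'
-const fields = {
-text: 'super comment'
-}
+const fields = { text: 'super comment' }
+
 await makePostBodyRequest({
 url: server.url,
 path,
@@ -215,10 +218,21 @@ describe('Test video comments API validator', function () {
 })
 })
 
+it('Should fail with a private video of another user', async function () {
+const fields = { text: 'super comment' }
+
+await makePostBodyRequest({
+url: server.url,
+path: '/api/v1/videos/' + privateVideo.shortUUID + '/comment-threads',
+token: userAccessToken,
+fields,
+expectedStatus: HttpStatusCode.FORBIDDEN_403
+})
+})
+
 it('Should succeed with the correct parameters', async function () {
-const fields = {
-text: 'super comment'
-}
+const fields = { text: 'super comment' }
+
 await makePostBodyRequest({
 url: server.url,
 path: pathThread,
@@ -230,6 +244,7 @@ describe('Test video comments API validator', function () {
 })
 
 describe('When adding a comment to a thread', function () {
+
 it('Should fail with a non authenticated user', async function () {
 const fields = {
 text: 'text'
@@ -276,6 +291,18 @@ describe('Test video comments API validator', function () {
 })
 })
 
+it('Should fail with a private video of another user', async function () {
+const fields = { text: 'super comment' }
+
+await makePostBodyRequest({
+url: server.url,
+path: '/api/v1/videos/' + privateVideo.uuid + '/comments/' + privateCommentId,
+token: userAccessToken,
+fields,
+expectedStatus: HttpStatusCode.FORBIDDEN_403
+})
+})
+
 it('Should fail with an incorrect comment', async function () {
 const path = '/api/v1/videos/' + video.uuid + '/comments/124'
 const fields = {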
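Review bot: Both new tests (lines 221-231 and 294-304) cover only the negative case with `userAccessToken`; nothing asserts that the account that owns `privateVideo` can still open a thread or reply on it, so a regression that makes `checkCanSeeVideoIfPrivate` reject everyone would pass this suite. Add a positive sibling for each, the same request with the token that created `privateVideo` and the success status the existing "Should succeed with the correct parameters" cases use, e.g. `token: server.accessToken, expectedStatus: HttpStatusCode.OK_200` if that is the uploader. `privateVideo` and `privateCommentId` are declared at 31-32 but created outside these hunks, and the reply test silently depends on `privateCommentId` belonging to `privateVideo` — a one-line comment at the creation site, `// privateCommentId must be a comment on privateVideo`, would make that coupling explicit. The two tests address the video by `shortUUID` and by `uuid` respectively; if that is deliberate to exercise both id forms, say so in the test names, otherwise use one form. The `describe` blocks enclosing both tests start and end outside the hunks.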
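--- a/server/tests/api/check-params/videos.ts
+++ b/server/tests/api/check-params/videos.ts
@@ -28,6 +28,7 @@ describe('Test videos API validator', function () {
 let channelId: number
 let channelName: string
 let video: VideoCreateResult
+let privateVideo: VideoCreateResult
 
 // ---------------------------------------------------------------
 
@@ -49,6 +50,10 @@ describe('Test videos API validator', function () {
 channelName = body.videoChannels[0].name
 accountName = body.account.name + '@' + body.account.host
 }
+
+{
+privateVideo = await server.videos.quickUpload({ name: 'private video', privacy: VideoPrivacy.PRIVATE })
+}
 })
 
 describe('When listing videos', function () {
@@ -783,6 +788,19 @@ describe('Test videos API validator', function () {
 await makePutBodyRequest({ url: server.url, path: path + videoId + '/rate', token: server.accessToken, fields })
 })
 
+it('Should fail with a private video of another user', async function () {
+const fields = {
+rating: 'like'
+}
+await makePutBodyRequest({
+url: server.url,
+path: path + privateVideo.uuid + '/rate',
+token: userAccessToken,
+fields,
+expectedStatus: HttpStatusCode.FORBIDDEN_403
+})
+})
+
 it('Should succeed with the correct parameters', async function () {
 const fields = {
 rating: 'like'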
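Review bot: The new rate test at lines 791-802 only checks that `userAccessToken` is refused; nothing asserts that the uploader of `privateVideo` can still rate it, so the suite cannot tell "private videos are protected from other users" apart from "private videos can no longer be rated at all". Add the positive case with the token used by `quickUpload` at line 55 (it appears to rely on the server's default token, but that default is outside the hunk) and the success status the existing "Should succeed with the correct parameters" case relies on. `userAccessToken` and `VideoPrivacy` are used in these hunks but declared or imported elsewhere in the file — confirm both are in scope, as the hunk adds neither. The `before` hook holding the upload and the rate `describe` block both start outside the hunks.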