Fix video right check

author: Chocobozzz <me@florianbigard.com> 2022-06-22 14:03:50 +0200
committer: Chocobozzz <me@florianbigard.com> 2022-06-22 14:03:50 +0200
commit: 2c2befaacaa7063df0d4557b71c187ee168a8eb6 (patch)
tree: ed31dba97ff754d6d20f32bf7eec10e580afa121
parent: ff9d43f62a4f4737c5bfe955883b48c5440f323a (diff)
download: PeerTube-2c2befaacaa7063df0d4557b71c187ee168a8eb6.tar.gz
PeerTube-2c2befaacaa7063df0d4557b71c187ee168a8eb6.tar.zst
PeerTube-2c2befaacaa7063df0d4557b71c187ee168a8eb6.zip
4 files changed, 12 insertions, 11 deletions
diff --git a/server/middlewares/auth.ts b/server/middlewares/auth.ts
index c5424be97..ad3b24ab2 100644
--- a/server/middlewares/auth.ts
+++ b/server/middlewares/auth.ts
@@ -47,7 +47,7 @@ function authenticateSocket (socket: Socket, next: (err?: any) => void) {
    .catch(err => logger.error('Cannot get access token.', { err }))
 }
-function authenticatePromiseIfNeeded (req: express.Request, res: express.Response, authenticateInQuery = false) {
+function authenticatePromise (req: express.Request, res: express.Response, authenticateInQuery = false) {
  return new Promise<void>(resolve => {
    // Already authenticated? (or tried to)
    if (res.locals.oauth?.token.User) return resolve()
@@ -76,6 +76,6 @@ function optionalAuthenticate (req: express.Request, res: express.Response, next
 export {
  authenticate,
  authenticateSocket,
-  authenticatePromiseIfNeeded,
+  authenticatePromise,
  optionalAuthenticate
 }
diff --git a/server/middlewares/validators/shared/videos.ts b/server/middlewares/validators/shared/videos.ts
index 39aab6df7..2c2ae3811 100644
--- a/server/middlewares/validators/shared/videos.ts
+++ b/server/middlewares/validators/shared/videos.ts
@@ -2,7 +2,7 @@ import { Request, Response } from 'express'
 import { isUUIDValid } from '@server/helpers/custom-validators/misc'
 import { loadVideo, VideoLoadType } from '@server/lib/model-loaders'
 import { isAbleToUploadVideo } from '@server/lib/user'
-import { authenticatePromiseIfNeeded } from '@server/middlewares/auth'
+import { authenticatePromise } from '@server/middlewares/auth'
 import { VideoModel } from '@server/models/video/video'
 import { VideoChannelModel } from '@server/models/video/video-channel'
 import { VideoFileModel } from '@server/models/video/video-file'
@@ -137,7 +137,7 @@ async function checkCanSeeAuthVideo (req: Request, res: Response, video: MVideoI
    return false
  }
-  await authenticatePromiseIfNeeded(req, res, authenticateInQuery)
+  await authenticatePromise(req, res, authenticateInQuery)
  const user = res.locals.oauth?.token.User
  if (!user) return fail()
@@ -154,14 +154,15 @@ async function checkCanSeeAuthVideo (req: Request, res: Response, video: MVideoI
  }
  const isOwnedByUser = videoWithRights.VideoChannel.Account.userId === user.id
-  if (privacy === VideoPrivacy.PRIVATE || privacy === VideoPrivacy.UNLISTED) {
-    if (isOwnedByUser && user.hasRight(UserRight.SEE_ALL_VIDEOS)) return true
+  if (videoWithRights.isBlacklisted()) {
+    if (isOwnedByUser || user.hasRight(UserRight.MANAGE_VIDEO_BLACKLIST)) return true
    return fail()
  }
-  if (videoWithRights.isBlacklisted()) {
+  if (privacy === VideoPrivacy.PRIVATE || privacy === VideoPrivacy.UNLISTED) {
-    if (isOwnedByUser || user.hasRight(UserRight.MANAGE_VIDEO_BLACKLIST)) return true
+    if (isOwnedByUser || user.hasRight(UserRight.SEE_ALL_VIDEOS)) return true
    return fail()
  }
diff --git a/server/middlewares/validators/videos/video-playlists.ts b/server/middlewares/validators/videos/video-playlists.ts
index 241b9ed7b..d514ae0ad 100644
--- a/server/middlewares/validators/videos/video-playlists.ts
+++ b/server/middlewares/validators/videos/video-playlists.ts
@@ -33,7 +33,7 @@ import { logger } from '../../../helpers/logger'
 import { CONSTRAINTS_FIELDS } from '../../../initializers/constants'
 import { VideoPlaylistElementModel } from '../../../models/video/video-playlist-element'
 import { MVideoPlaylist } from '../../../types/models/video/video-playlist'
-import { authenticatePromiseIfNeeded } from '../../auth'
+import { authenticatePromise } from '../../auth'
 import {
  areValidationErrors,
  doesVideoChannelIdExist,
@@ -161,7 +161,7 @@ const videoPlaylistsGetValidator = (fetchType: VideoPlaylistFetchType) => {
      }
      if (videoPlaylist.privacy === VideoPlaylistPrivacy.PRIVATE) {
-        await authenticatePromiseIfNeeded(req, res)
+        await authenticatePromise(req, res)
        const user = res.locals.oauth ? res.locals.oauth.token.User : null
diff --git a/server/tests/api/videos/video-privacy.ts b/server/tests/api/videos/video-privacy.ts
index 3051a443d..1073aee8c 100644
--- a/server/tests/api/videos/video-privacy.ts
+++ b/server/tests/api/videos/video-privacy.ts
@@ -162,7 +162,7 @@ describe('Test video privacy', function () {
    })
    it('Should not be able to get this unlisted video using its id', async function () {
-      await servers[1].videos.get({ id: unlistedVideo.id, expectedStatus: HttpStatusCode.NOT_FOUND_404 })
+      await servers[1].videos.get({ id: unlistedVideo.id, expectedStatus: HttpStatusCode.UNAUTHORIZED_401 })
    })
    it('Should be able to get this unlisted video using its uuid/shortUUID', async function () {
author	Chocobozzz <me@florianbigard.com>	2022-06-22 14:03:50 +0200
committer	Chocobozzz <me@florianbigard.com>	2022-06-22 14:03:50 +0200
commit	2c2befaacaa7063df0d4557b71c187ee168a8eb6 (patch)
tree	ed31dba97ff754d6d20f32bf7eec10e580afa121
parent	ff9d43f62a4f4737c5bfe955883b48c5440f323a (diff)
download	PeerTube-2c2befaacaa7063df0d4557b71c187ee168a8eb6.tar.gz PeerTube-2c2befaacaa7063df0d4557b71c187ee168a8eb6.tar.zst PeerTube-2c2befaacaa7063df0d4557b71c187ee168a8eb6.zip

diff --git a/server/middlewares/auth.ts b/server/middlewares/auth.ts index c5424be97..ad3b24ab2 100644 --- a/server/middlewares/auth.ts +++ b/server/middlewares/auth.ts
@@ -47,7 +47,7 @@ function authenticateSocket (socket: Socket, next: (err?: any) => void) {
47	.catch(err => logger.error('Cannot get access token.', { err }))	47	.catch(err => logger.error('Cannot get access token.', { err }))
48	}	48	}
49		49
50	function authenticatePromiseIfNeeded (req: express.Request, res: express.Response, authenticateInQuery = false) {	50	function authenticatePromise (req: express.Request, res: express.Response, authenticateInQuery = false) {
51	return new Promise<void>(resolve => {	51	return new Promise<void>(resolve => {
52	// Already authenticated? (or tried to)	52	// Already authenticated? (or tried to)
53	if (res.locals.oauth?.token.User) return resolve()	53	if (res.locals.oauth?.token.User) return resolve()
@@ -76,6 +76,6 @@ function optionalAuthenticate (req: express.Request, res: express.Response, next
76	export {	76	export {
77	authenticate,	77	authenticate,
78	authenticateSocket,	78	authenticateSocket,
79	authenticatePromiseIfNeeded,	79	authenticatePromise,
80	optionalAuthenticate	80	optionalAuthenticate
81	}	81	}


diff --git a/server/middlewares/validators/shared/videos.ts b/server/middlewares/validators/shared/videos.ts index 39aab6df7..2c2ae3811 100644 --- a/server/middlewares/validators/shared/videos.ts +++ b/server/middlewares/validators/shared/videos.ts
@@ -2,7 +2,7 @@ import { Request, Response } from 'express'
2	import { isUUIDValid } from '@server/helpers/custom-validators/misc'	2	import { isUUIDValid } from '@server/helpers/custom-validators/misc'
3	import { loadVideo, VideoLoadType } from '@server/lib/model-loaders'	3	import { loadVideo, VideoLoadType } from '@server/lib/model-loaders'
4	import { isAbleToUploadVideo } from '@server/lib/user'	4	import { isAbleToUploadVideo } from '@server/lib/user'
5	import { authenticatePromiseIfNeeded } from '@server/middlewares/auth'	5	import { authenticatePromise } from '@server/middlewares/auth'
6	import { VideoModel } from '@server/models/video/video'	6	import { VideoModel } from '@server/models/video/video'
7	import { VideoChannelModel } from '@server/models/video/video-channel'	7	import { VideoChannelModel } from '@server/models/video/video-channel'
8	import { VideoFileModel } from '@server/models/video/video-file'	8	import { VideoFileModel } from '@server/models/video/video-file'
@@ -137,7 +137,7 @@ async function checkCanSeeAuthVideo (req: Request, res: Response, video: MVideoI
137	return false	137	return false
138	}	138	}
139		139
140	await authenticatePromiseIfNeeded(req, res, authenticateInQuery)	140	await authenticatePromise(req, res, authenticateInQuery)
141		141
142	const user = res.locals.oauth?.token.User	142	const user = res.locals.oauth?.token.User
143	if (!user) return fail()	143	if (!user) return fail()
@@ -154,14 +154,15 @@ async function checkCanSeeAuthVideo (req: Request, res: Response, video: MVideoI
154	}	154	}
155		155
156	const isOwnedByUser = videoWithRights.VideoChannel.Account.userId === user.id	156	const isOwnedByUser = videoWithRights.VideoChannel.Account.userId === user.id
157	if (privacy === VideoPrivacy.PRIVATE \|\| privacy === VideoPrivacy.UNLISTED) {	157
158	if (isOwnedByUser && user.hasRight(UserRight.SEE_ALL_VIDEOS)) return true	158	if (videoWithRights.isBlacklisted()) {
		159	if (isOwnedByUser \|\| user.hasRight(UserRight.MANAGE_VIDEO_BLACKLIST)) return true
159		160
160	return fail()	161	return fail()
161	}	162	}
162		163
163	if (videoWithRights.isBlacklisted()) {	164	if (privacy === VideoPrivacy.PRIVATE \|\| privacy === VideoPrivacy.UNLISTED) {
164	if (isOwnedByUser \|\| user.hasRight(UserRight.MANAGE_VIDEO_BLACKLIST)) return true	165	if (isOwnedByUser \|\| user.hasRight(UserRight.SEE_ALL_VIDEOS)) return true
165		166
166	return fail()	167	return fail()
167	}	168	}


diff --git a/server/middlewares/validators/videos/video-playlists.ts b/server/middlewares/validators/videos/video-playlists.ts index 241b9ed7b..d514ae0ad 100644 --- a/server/middlewares/validators/videos/video-playlists.ts +++ b/server/middlewares/validators/videos/video-playlists.ts
@@ -33,7 +33,7 @@ import { logger } from '../../../helpers/logger'
33	import { CONSTRAINTS_FIELDS } from '../../../initializers/constants'	33	import { CONSTRAINTS_FIELDS } from '../../../initializers/constants'
34	import { VideoPlaylistElementModel } from '../../../models/video/video-playlist-element'	34	import { VideoPlaylistElementModel } from '../../../models/video/video-playlist-element'
35	import { MVideoPlaylist } from '../../../types/models/video/video-playlist'	35	import { MVideoPlaylist } from '../../../types/models/video/video-playlist'
36	import { authenticatePromiseIfNeeded } from '../../auth'	36	import { authenticatePromise } from '../../auth'
37	import {	37	import {
38	areValidationErrors,	38	areValidationErrors,
39	doesVideoChannelIdExist,	39	doesVideoChannelIdExist,
@@ -161,7 +161,7 @@ const videoPlaylistsGetValidator = (fetchType: VideoPlaylistFetchType) => {
161	}	161	}
162		162
163	if (videoPlaylist.privacy === VideoPlaylistPrivacy.PRIVATE) {	163	if (videoPlaylist.privacy === VideoPlaylistPrivacy.PRIVATE) {
164	await authenticatePromiseIfNeeded(req, res)	164	await authenticatePromise(req, res)
165		165
166	const user = res.locals.oauth ? res.locals.oauth.token.User : null	166	const user = res.locals.oauth ? res.locals.oauth.token.User : null
167		167


diff --git a/server/tests/api/videos/video-privacy.ts b/server/tests/api/videos/video-privacy.ts index 3051a443d..1073aee8c 100644 --- a/server/tests/api/videos/video-privacy.ts +++ b/server/tests/api/videos/video-privacy.ts
@@ -162,7 +162,7 @@ describe('Test video privacy', function () {
162	})	162	})
163		163
164	it('Should not be able to get this unlisted video using its id', async function () {	164	it('Should not be able to get this unlisted video using its id', async function () {
165	await servers[1].videos.get({ id: unlistedVideo.id, expectedStatus: HttpStatusCode.NOT_FOUND_404 })	165	await servers[1].videos.get({ id: unlistedVideo.id, expectedStatus: HttpStatusCode.UNAUTHORIZED_401 })
166	})	166	})
167		167
168	it('Should be able to get this unlisted video using its uuid/shortUUID', async function () {	168	it('Should be able to get this unlisted video using its uuid/shortUUID', async function () {