diff options
| author | Chocobozzz <florian.bigard@gmail.com> | 2017-09-12 12:53:55 +0200 |
|---|---|---|
| committer | Chocobozzz <florian.bigard@gmail.com> | 2017-09-12 13:12:35 +0200 |
| commit | 6d33593a0829a7f041127d50d4c455456550a47f (patch) | |
| tree | da316570134a33f4f8cef1fda282c8ef2d0e30a6 /server/middlewares/validators/videos.ts | |
| parent | 7ca86c864e102b65e4ff3224a06554a66148fef8 (diff) | |
| download | PeerTube-6d33593a0829a7f041127d50d4c455456550a47f.tar.gz PeerTube-6d33593a0829a7f041127d50d4c455456550a47f.tar.zst PeerTube-6d33593a0829a7f041127d50d4c455456550a47f.zip | |
Improve real world script
Diffstat (limited to 'server/middlewares/validators/videos.ts')
| -rw-r--r-- | server/middlewares/validators/videos.ts | 16 |
1 files changed, 6 insertions, 10 deletions
diff --git a/server/middlewares/validators/videos.ts b/server/middlewares/validators/videos.ts index 249da668d..519e3d46c 100644 --- a/server/middlewares/validators/videos.ts +++ b/server/middlewares/validators/videos.ts | |||
| @@ -109,8 +109,6 @@ function videosRemoveValidator (req: express.Request, res: express.Response, nex | |||
| 109 | 109 | ||
| 110 | checkErrors(req, res, () => { | 110 | checkErrors(req, res, () => { |
| 111 | checkVideoExists(req.params.id, res, () => { | 111 | checkVideoExists(req.params.id, res, () => { |
| 112 | // We need to make additional checks | ||
| 113 | |||
| 114 | // Check if the user who did the request is able to delete the video | 112 | // Check if the user who did the request is able to delete the video |
| 115 | checkUserCanDeleteVideo(res.locals.oauth.token.User.id, res, () => { | 113 | checkUserCanDeleteVideo(res.locals.oauth.token.User.id, res, () => { |
| 116 | next() | 114 | next() |
| @@ -205,17 +203,15 @@ function checkUserCanDeleteVideo (userId: number, res: express.Response, callbac | |||
| 205 | // Retrieve the user who did the request | 203 | // Retrieve the user who did the request |
| 206 | db.User.loadById(userId) | 204 | db.User.loadById(userId) |
| 207 | .then(user => { | 205 | .then(user => { |
| 206 | if (res.locals.video.isOwned() === false) { | ||
| 207 | return res.status(403).send('Cannot remove video of another pod, blacklist it') | ||
| 208 | } | ||
| 209 | |||
| 208 | // Check if the user can delete the video | 210 | // Check if the user can delete the video |
| 209 | // The user can delete it if s/he is an admin | 211 | // The user can delete it if s/he is an admin |
| 210 | // Or if s/he is the video's author | 212 | // Or if s/he is the video's author |
| 211 | if (user.isAdmin() === false) { | 213 | if (user.isAdmin() === false && res.locals.video.Author.userId !== res.locals.oauth.token.User.id) { |
| 212 | if (res.locals.video.isOwned() === false) { | 214 | return res.status(403).send('Cannot remove video of another user') |
| 213 | return res.status(403).send('Cannot remove video of another pod') | ||
| 214 | } | ||
| 215 | |||
| 216 | if (res.locals.video.Author.userId !== res.locals.oauth.token.User.id) { | ||
| 217 | return res.status(403).send('Cannot remove video of another user') | ||
| 218 | } | ||
| 219 | } | 215 | } |
| 220 | 216 | ||
| 221 | // If we reach this comment, we can delete the video | 217 | // If we reach this comment, we can delete the video |