author | Chocobozzz <florian.bigard@gmail.com> | 2017-10-31 15:20:35 +0100 |
---|---|---|
committer | Chocobozzz <florian.bigard@gmail.com> | 2017-10-31 15:32:10 +0100 |
commit | 11474c3cd904fa0fc07fc0a3a9a35496da17f300 (patch) | |
tree | 945bb2cdc11548c80706dbf7f0db4fa0edabbee0 /server/middlewares/validators/videos.ts | |
parent | fd45e8f43c2638478599ca75632518054461da85 (diff) | |
Add tests and fix bugs for video privacy
Diffstat (limited to 'server/middlewares/validators/videos.ts')
-rw-r--r-- | server/middlewares/validators/videos.ts | 63 |
1 files changed, 37 insertions, 26 deletions
diff --git a/server/middlewares/validators/videos.ts b/server/middlewares/validators/videos.ts index e197d4606..15b4629c1 100644 --- a/server/middlewares/validators/videos.ts +++ b/server/middlewares/validators/videos.ts | |||
@@ -24,6 +24,7 @@ import { | |||
24 | isVideoPrivacyValid | 24 | isVideoPrivacyValid |
25 | } from '../../helpers' | 25 | } from '../../helpers' |
26 | import { UserRight, VideoPrivacy } from '../../../shared' | 26 | import { UserRight, VideoPrivacy } from '../../../shared' |
27 | import { authenticate } from '../oauth' | ||
27 | 28 | ||
28 | const videosAddValidator = [ | 29 | const videosAddValidator = [ |
29 | body('videofile').custom((value, { req }) => isVideoFile(req.files)).withMessage( | 30 | body('videofile').custom((value, { req }) => isVideoFile(req.files)).withMessage( |
@@ -112,7 +113,7 @@ const videosUpdateValidator = [ | |||
112 | body('licence').optional().custom(isVideoLicenceValid).withMessage('Should have a valid licence'), | 113 | body('licence').optional().custom(isVideoLicenceValid).withMessage('Should have a valid licence'), |
113 | body('language').optional().custom(isVideoLanguageValid).withMessage('Should have a valid language'), | 114 | body('language').optional().custom(isVideoLanguageValid).withMessage('Should have a valid language'), |
114 | body('nsfw').optional().custom(isVideoNSFWValid).withMessage('Should have a valid NSFW attribute'), | 115 | body('nsfw').optional().custom(isVideoNSFWValid).withMessage('Should have a valid NSFW attribute'), |
115 | body('privacy').custom(isVideoPrivacyValid).withMessage('Should have correct video privacy'), | 116 | body('privacy').optional().custom(isVideoPrivacyValid).withMessage('Should have correct video privacy'), |
116 | body('description').optional().custom(isVideoDescriptionValid).withMessage('Should have a valid description'), | 117 | body('description').optional().custom(isVideoDescriptionValid).withMessage('Should have a valid description'), |
117 | body('tags').optional().custom(isVideoTagsValid).withMessage('Should have correct tags'), | 118 | body('tags').optional().custom(isVideoTagsValid).withMessage('Should have correct tags'), |
118 | 119 | ||
@@ -155,7 +156,22 @@ const videosGetValidator = [ | |||
155 | logger.debug('Checking videosGet parameters', { parameters: req.params }) | 156 | logger.debug('Checking videosGet parameters', { parameters: req.params }) |
156 | 157 | ||
157 | checkErrors(req, res, () => { | 158 | checkErrors(req, res, () => { |
158 | checkVideoExists(req.params.id, res, next) | 159 | checkVideoExists(req.params.id, res, () => { |
160 | const video = res.locals.video | ||
161 | |||
162 | // Video is not private, anyone can access it | ||
163 | if (video.privacy !== VideoPrivacy.PRIVATE) return next() | ||
164 | |||
165 | authenticate(req, res, () => { | ||
166 | if (video.VideoChannel.Author.userId !== res.locals.oauth.token.User.id) { | ||
167 | return res.status(403) | ||
168 | .json({ error: 'Cannot get this private video of another user' }) | ||
169 | .end() | ||
170 | } | ||
171 | |||
172 | next() | ||
173 | }) | ||
174 | }) | ||
159 | }) | 175 | }) |
160 | } | 176 | } |
161 | ] | 177 | ] |
@@ -232,28 +248,23 @@ export { | |||
232 | 248 | ||
233 | function checkUserCanDeleteVideo (userId: number, res: express.Response, callback: () => void) { | 249 | function checkUserCanDeleteVideo (userId: number, res: express.Response, callback: () => void) { |
234 | // Retrieve the user who did the request | 250 | // Retrieve the user who did the request |
235 | db.User.loadById(userId) | 251 | if (res.locals.video.isOwned() === false) { |
236 | .then(user => { | 252 | return res.status(403) |
237 | if (res.locals.video.isOwned() === false) { | 253 | .json({ error: 'Cannot remove video of another pod, blacklist it' }) |
238 | return res.status(403) | 254 | .end() |
239 | .json({ error: 'Cannot remove video of another pod, blacklist it' }) | 255 | } |
240 | .end() | 256 | |
241 | } | 257 | // Check if the user can delete the video |
242 | 258 | // The user can delete it if s/he is an admin | |
243 | // Check if the user can delete the video | 259 | // Or if s/he is the video's author |
244 | // The user can delete it if s/he is an admin | 260 | const author = res.locals.video.VideoChannel.Author |
245 | // Or if s/he is the video's author | 261 | const user = res.locals.oauth.token.User |
246 | if (user.hasRight(UserRight.REMOVE_ANY_VIDEO) === false && res.locals.video.Author.userId !== res.locals.oauth.token.User.id) { | 262 | if (user.hasRight(UserRight.REMOVE_ANY_VIDEO) === false && author.userId !== user.id) { |
247 | return res.status(403) | 263 | return res.status(403) |
248 | .json({ error: 'Cannot remove video of another user' }) | 264 | .json({ error: 'Cannot remove video of another user' }) |
249 | .end() | 265 | .end() |
250 | } | 266 | } |
251 | 267 | ||
252 | // If we reach this comment, we can delete the video | 268 | // If we reach this comment, we can delete the video |
253 | callback() | 269 | callback() |
254 | }) | ||
255 | .catch(err => { | ||
256 | logger.error('Error in video request validator.', err) | ||
257 | return res.sendStatus(500) | ||
258 | }) | ||
259 | } | 270 | } |
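Review bot: The 403 response in the new private-video branch of videosGetValidator (new lines 167-169) confirms to any authenticated caller that a video with that id exists and is private, because the status and the message 'Cannot get this private video of another user' differ from whatever checkVideoExists sends for an unknown id. If existence of private videos is meant to be hidden, reply with the same not-found status and body that checkVideoExists uses (presumably 404), e.g. `return res.status(404).json({ error: 'Video not found' }).end()`, so a non-owner cannot tell the two cases apart. If the distinct 403 is deliberate, a short comment above it, such as `// NOTE: this 403 reveals that a private video with this id exists`, would record the trade-off. The comparison is only against video.VideoChannel.Author.userId, so a user holding admin rights is also refused here, which looks intentional but differs from the REMOVE_ANY_VIDEO handling in checkUserCanDeleteVideo below. The videosGetValidator array begins before this hunk.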