diff options
| author | Chocobozzz <me@florianbigard.com> | 2022-01-06 13:27:29 +0100 |
|---|---|---|
| committer | Chocobozzz <me@florianbigard.com> | 2022-01-06 13:27:29 +0100 |
| commit | 795212f7acc690c88c86d0fab8772f6564d59cb8 (patch) | |
| tree | 3a0203fc1957fd8cf8876774051137a0b04236fc /server/middlewares/validators/videos | |
| parent | 7b54a81cccf6b4c12269e9d6897d608b1a99537a (diff) | |
| download | PeerTube-795212f7acc690c88c86d0fab8772f6564d59cb8.tar.gz PeerTube-795212f7acc690c88c86d0fab8772f6564d59cb8.tar.zst PeerTube-795212f7acc690c88c86d0fab8772f6564d59cb8.zip | |
Prevent caption listing of private videos
Diffstat (limited to 'server/middlewares/validators/videos')
| -rw-r--r-- | server/middlewares/validators/videos/video-captions.ts | 22 | ||||
| -rw-r--r-- | server/middlewares/validators/videos/videos.ts | 19 |
2 files changed, 25 insertions, 16 deletions
diff --git a/server/middlewares/validators/videos/video-captions.ts b/server/middlewares/validators/videos/video-captions.ts index 38321ccf9..4fc4c8ec5 100644 --- a/server/middlewares/validators/videos/video-captions.ts +++ b/server/middlewares/validators/videos/video-captions.ts | |||
| @@ -1,11 +1,18 @@ | |||
| 1 | import express from 'express' | 1 | import express from 'express' |
| 2 | import { body, param } from 'express-validator' | 2 | import { body, param } from 'express-validator' |
| 3 | import { UserRight } from '../../../../shared' | 3 | import { HttpStatusCode, UserRight } from '../../../../shared' |
| 4 | import { isVideoCaptionFile, isVideoCaptionLanguageValid } from '../../../helpers/custom-validators/video-captions' | 4 | import { isVideoCaptionFile, isVideoCaptionLanguageValid } from '../../../helpers/custom-validators/video-captions' |
| 5 | import { cleanUpReqFiles } from '../../../helpers/express-utils' | 5 | import { cleanUpReqFiles } from '../../../helpers/express-utils' |
| 6 | import { logger } from '../../../helpers/logger' | 6 | import { logger } from '../../../helpers/logger' |
| 7 | import { CONSTRAINTS_FIELDS, MIMETYPES } from '../../../initializers/constants' | 7 | import { CONSTRAINTS_FIELDS, MIMETYPES } from '../../../initializers/constants' |
| 8 | import { areValidationErrors, checkUserCanManageVideo, doesVideoCaptionExist, doesVideoExist, isValidVideoIdParam } from '../shared' | 8 | import { |
| 9 | areValidationErrors, | ||
| 10 | checkCanSeeVideoIfPrivate, | ||
| 11 | checkUserCanManageVideo, | ||
| 12 | doesVideoCaptionExist, | ||
| 13 | doesVideoExist, | ||
| 14 | isValidVideoIdParam | ||
| 15 | } from '../shared' | ||
| 9 | 16 | ||
| 10 | const addVideoCaptionValidator = [ | 17 | const addVideoCaptionValidator = [ |
| 11 | isValidVideoIdParam('videoId'), | 18 | isValidVideoIdParam('videoId'), |
| @@ -64,7 +71,16 @@ const listVideoCaptionsValidator = [ | |||
| 64 | logger.debug('Checking listVideoCaptions parameters', { parameters: req.params }) | 71 | logger.debug('Checking listVideoCaptions parameters', { parameters: req.params }) |
| 65 | 72 | ||
| 66 | if (areValidationErrors(req, res)) return | 73 | if (areValidationErrors(req, res)) return |
| 67 | if (!await doesVideoExist(req.params.videoId, res, 'id')) return | 74 | if (!await doesVideoExist(req.params.videoId, res, 'only-video')) return |
| 75 | |||
| 76 | const video = res.locals.onlyVideo | ||
| 77 | |||
| 78 | if (!await checkCanSeeVideoIfPrivate(req, res, video)) { | ||
| 79 | return res.fail({ | ||
| 80 | status: HttpStatusCode.FORBIDDEN_403, | ||
| 81 | message: 'Cannot list captions of private/internal/blocklisted video' | ||
| 82 | }) | ||
| 83 | } | ||
| 68 | 84 | ||
| 69 | return next() | 85 | return next() |
| 70 | } | 86 | } |
diff --git a/server/middlewares/validators/videos/videos.ts b/server/middlewares/validators/videos/videos.ts index 3ebdbc33d..782f495e8 100644 --- a/server/middlewares/validators/videos/videos.ts +++ b/server/middlewares/validators/videos/videos.ts | |||
| @@ -51,9 +51,9 @@ import { CONSTRAINTS_FIELDS, OVERVIEWS } from '../../../initializers/constants' | |||
| 51 | import { isLocalVideoAccepted } from '../../../lib/moderation' | 51 | import { isLocalVideoAccepted } from '../../../lib/moderation' |
| 52 | import { Hooks } from '../../../lib/plugins/hooks' | 52 | import { Hooks } from '../../../lib/plugins/hooks' |
| 53 | import { VideoModel } from '../../../models/video/video' | 53 | import { VideoModel } from '../../../models/video/video' |
| 54 | import { authenticatePromiseIfNeeded } from '../../auth' | ||
| 55 | import { | 54 | import { |
| 56 | areValidationErrors, | 55 | areValidationErrors, |
| 56 | checkCanSeePrivateVideo, | ||
| 57 | checkUserCanManageVideo, | 57 | checkUserCanManageVideo, |
| 58 | doesVideoChannelOfAccountExist, | 58 | doesVideoChannelOfAccountExist, |
| 59 | doesVideoExist, | 59 | doesVideoExist, |
| @@ -317,19 +317,12 @@ const videosCustomGetValidator = ( | |||
| 317 | 317 | ||
| 318 | // Video private or blacklisted | 318 | // Video private or blacklisted |
| 319 | if (video.requiresAuth()) { | 319 | if (video.requiresAuth()) { |
| 320 | await authenticatePromiseIfNeeded(req, res, authenticateInQuery) | 320 | if (await checkCanSeePrivateVideo(req, res, video, authenticateInQuery)) return next() |
| 321 | 321 | ||
| 322 | const user = res.locals.oauth ? res.locals.oauth.token.User : null | 322 | return res.fail({ |
| 323 | 323 | status: HttpStatusCode.FORBIDDEN_403, | |
| 324 | // Only the owner or a user that have blocklist rights can see the video | 324 | message: 'Cannot get this private/internal or blocklisted video' |
| 325 | if (!user || !user.canGetVideo(video)) { | 325 | }) |
| 326 | return res.fail({ | ||
| 327 | status: HttpStatusCode.FORBIDDEN_403, | ||
| 328 | message: 'Cannot get this private/internal or blocklisted video' | ||
| 329 | }) | ||
| 330 | } | ||
| 331 | |||
| 332 | return next() | ||
| 333 | } | 326 | } |
| 334 | 327 | ||
| 335 | // Video is public, anyone can access it | 328 | // Video is public, anyone can access it |