authorChocobozzz <me@florianbigard.com>2018-11-16 15:02:48 +0100
committerChocobozzz <me@florianbigard.com>2018-11-16 15:49:16 +0100
commit8d4273463fb19d503b1aa0a32dc289f292ed614e (patch)
treef422773ecba3405bb5808bed8e25b62ac6b7ea08 /server/middlewares/validators
parent5776f78e3b3f3a371ec30c7fcb11e7ca17f2f65e (diff)
Check follow constraints when getting a video
Diffstat (limited to 'server/middlewares/validators')
-rw-r--r--server/middlewares/validators/videos/videos.ts52
1 files changed, 41 insertions, 11 deletions
diff --git a/server/middlewares/validators/videos/videos.ts b/server/middlewares/validators/videos/videos.ts
index bf21bca8c..051a19e16 100644
--- a/server/middlewares/validators/videos/videos.ts
+++ b/server/middlewares/validators/videos/videos.ts
@@ -31,8 +31,8 @@ import {
31} from '../../../helpers/custom-validators/videos' 31} from '../../../helpers/custom-validators/videos'
32import { getDurationFromVideoFile } from '../../../helpers/ffmpeg-utils' 32import { getDurationFromVideoFile } from '../../../helpers/ffmpeg-utils'
33import { logger } from '../../../helpers/logger' 33import { logger } from '../../../helpers/logger'
34import { CONSTRAINTS_FIELDS } from '../../../initializers' 34import { CONFIG, CONSTRAINTS_FIELDS } from '../../../initializers'
35import { authenticate } from '../../oauth' 35import { authenticatePromiseIfNeeded } from '../../oauth'
36import { areValidationErrors } from '../utils' 36import { areValidationErrors } from '../utils'
37import { cleanUpReqFiles } from '../../../helpers/express-utils' 37import { cleanUpReqFiles } from '../../../helpers/express-utils'
38import { VideoModel } from '../../../models/video/video' 38import { VideoModel } from '../../../models/video/video'
@@ -43,6 +43,7 @@ import { VideoChangeOwnershipModel } from '../../../models/video/video-change-ow
43import { AccountModel } from '../../../models/account/account' 43import { AccountModel } from '../../../models/account/account'
44import { VideoFetchType } from '../../../helpers/video' 44import { VideoFetchType } from '../../../helpers/video'
45import { isNSFWQueryValid, isNumberArray, isStringArray } from '../../../helpers/custom-validators/search' 45import { isNSFWQueryValid, isNumberArray, isStringArray } from '../../../helpers/custom-validators/search'
46import { getServerActor } from '../../../helpers/utils'
46 47
47const videosAddValidator = getCommonVideoAttributes().concat([ 48const videosAddValidator = getCommonVideoAttributes().concat([
48 body('videofile') 49 body('videofile')
@@ -127,6 +128,31 @@ const videosUpdateValidator = getCommonVideoAttributes().concat([
127 } 128 }
128]) 129])
129 130
131async function checkVideoFollowConstraints (req: express.Request, res: express.Response, next: express.NextFunction) {
132 const video: VideoModel = res.locals.video
133
134 // Anybody can watch local videos
135 if (video.isOwned() === true) return next()
136
137 // Logged user
138 if (res.locals.oauth) {
139 // Users can search or watch remote videos
140 if (CONFIG.SEARCH.REMOTE_URI.USERS === true) return next()
141 }
142
143 // Anybody can search or watch remote videos
144 if (CONFIG.SEARCH.REMOTE_URI.ANONYMOUS === true) return next()
145
146 // Check our instance follows an actor that shared this video
147 const serverActor = await getServerActor()
148 if (await VideoModel.checkVideoHasInstanceFollow(video.id, serverActor.id) === true) return next()
149
150 return res.status(403)
151 .json({
152 error: 'Cannot get this video regarding follow constraints.'
153 })
154}
155
130const videosCustomGetValidator = (fetchType: VideoFetchType) => { 156const videosCustomGetValidator = (fetchType: VideoFetchType) => {
131 return [ 157 return [
132 param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'), 158 param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
@@ -141,17 +167,20 @@ const videosCustomGetValidator = (fetchType: VideoFetchType) => {
141 167
142 // Video private or blacklisted 168 // Video private or blacklisted
143 if (video.privacy === VideoPrivacy.PRIVATE || video.VideoBlacklist) { 169 if (video.privacy === VideoPrivacy.PRIVATE || video.VideoBlacklist) {
144 return authenticate(req, res, () => { 170 await authenticatePromiseIfNeeded(req, res)
145 const user: UserModel = res.locals.oauth.token.User 171
172 const user: UserModel = res.locals.oauth ? res.locals.oauth.token.User : null
146 173
147 // Only the owner or a user that have blacklist rights can see the video 174 // Only the owner or a user that have blacklist rights can see the video
148 if (video.VideoChannel.Account.userId !== user.id && !user.hasRight(UserRight.MANAGE_VIDEO_BLACKLIST)) { 175 if (
149 return res.status(403) 176 !user ||
150 .json({ error: 'Cannot get this private or blacklisted video.' }) 177 (video.VideoChannel.Account.userId !== user.id && !user.hasRight(UserRight.MANAGE_VIDEO_BLACKLIST))
151 } 178 ) {
179 return res.status(403)
180 .json({ error: 'Cannot get this private or blacklisted video.' })
181 }
152 182
153 return next() 183 return next()
154 })
155 } 184 }
156 185
157 // Video is public, anyone can access it 186 // Video is public, anyone can access it
@@ -376,6 +405,7 @@ export {
376 videosAddValidator, 405 videosAddValidator,
377 videosUpdateValidator, 406 videosUpdateValidator,
378 videosGetValidator, 407 videosGetValidator,
408 checkVideoFollowConstraints,
379 videosCustomGetValidator, 409 videosCustomGetValidator,
380 videosRemoveValidator, 410 videosRemoveValidator,
381 411
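Review bot: `checkVideoFollowConstraints` (new lines 131-154) bases its access decision on `res.locals.video` and `res.locals.oauth` but sets neither, so it is only correct when mounted after the video get validator and after a middleware that performs optional authentication, and nothing in the function says so. In the visible hunks `authenticatePromiseIfNeeded` is called only for private or blacklisted videos, so unless the route adds an optional-auth step (not shown here) a logged-in user requesting a public remote video would presumably be treated as anonymous and the `CONFIG.SEARCH.REMOTE_URI.USERS` branch would never apply; that fails closed, but it should be pinned down. I would add a comment above the function such as `// Must run after the video get validator (res.locals.video) and after optional authentication (res.locals.oauth)`. I would also test `res.locals.oauth && res.locals.oauth.token.User` rather than bare `res.locals.oauth`, matching how the private-video branch at new line 172 reads the user.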