Server: fix update right checks

author: Chocobozzz <florian.bigard@gmail.com> 2017-01-11 19:15:23 +0100
committer: Chocobozzz <florian.bigard@gmail.com> 2017-01-11 19:15:23 +0100
commit: 63d00f5ded0aad25eeb50111da65b6daa46bcb24 (patch)
tree: 507bc5e55564445fd43b5940bd466b62633aea4a /server/middlewares
parent: edc5e86006bf5e4a2819c380bb65734fe9caa87e (diff)
download: PeerTube-63d00f5ded0aad25eeb50111da65b6daa46bcb24.tar.gz
PeerTube-63d00f5ded0aad25eeb50111da65b6daa46bcb24.tar.zst
PeerTube-63d00f5ded0aad25eeb50111da65b6daa46bcb24.zip
1 files changed, 10 insertions, 7 deletions
diff --git a/server/middlewares/validators/videos.js b/server/middlewares/validators/videos.js
index 3d7c04b60..4fe6dcd8b 100644
--- a/server/middlewares/validators/videos.js
+++ b/server/middlewares/validators/videos.js
@@ -53,15 +53,18 @@ function videosUpdate (req, res, next) {
  logger.debug('Checking videosUpdate parameters', { parameters: req.body })
  checkErrors(req, res, function () {
-    if (res.locals.video.isOwned() === false) {
+    checkVideoExists(req.params.id, res, function () {
-      return res.status(403).send('Cannot update video of another pod')
+      // We need to make additional checks
-    }
+      if (res.locals.video.isOwned() === false) {
+        return res.status(403).send('Cannot update video of another pod')
+      }
-    if (res.locals.video.Author.userId !== res.locals.oauth.token.User.id) {
+      if (res.locals.video.Author.userId !== res.locals.oauth.token.User.id) {
-      return res.status(403).send('Cannot update video of another user')
+        return res.status(403).send('Cannot update video of another user')
-    }
+      }
-    checkVideoExists(req.params.id, res, next)
+      next()
+    })
  })
 }
author	Chocobozzz <florian.bigard@gmail.com>	2017-01-11 19:15:23 +0100
committer	Chocobozzz <florian.bigard@gmail.com>	2017-01-11 19:15:23 +0100
commit	63d00f5ded0aad25eeb50111da65b6daa46bcb24 (patch)
tree	507bc5e55564445fd43b5940bd466b62633aea4a /server/middlewares
parent	edc5e86006bf5e4a2819c380bb65734fe9caa87e (diff)
download	PeerTube-63d00f5ded0aad25eeb50111da65b6daa46bcb24.tar.gz PeerTube-63d00f5ded0aad25eeb50111da65b6daa46bcb24.tar.zst PeerTube-63d00f5ded0aad25eeb50111da65b6daa46bcb24.zip

diff --git a/server/middlewares/validators/videos.js b/server/middlewares/validators/videos.js index 3d7c04b60..4fe6dcd8b 100644 --- a/server/middlewares/validators/videos.js +++ b/server/middlewares/validators/videos.js
@@ -53,15 +53,18 @@ function videosUpdate (req, res, next) {
53	logger.debug('Checking videosUpdate parameters', { parameters: req.body })	53	logger.debug('Checking videosUpdate parameters', { parameters: req.body })
54		54
55	checkErrors(req, res, function () {	55	checkErrors(req, res, function () {
56	if (res.locals.video.isOwned() === false) {	56	checkVideoExists(req.params.id, res, function () {
57	return res.status(403).send('Cannot update video of another pod')	57	// We need to make additional checks
58	}	58	if (res.locals.video.isOwned() === false) {
		59	return res.status(403).send('Cannot update video of another pod')
		60	}
59		61
60	if (res.locals.video.Author.userId !== res.locals.oauth.token.User.id) {	62	if (res.locals.video.Author.userId !== res.locals.oauth.token.User.id) {
61	return res.status(403).send('Cannot update video of another user')	63	return res.status(403).send('Cannot update video of another user')
62	}	64	}
63		65
64	checkVideoExists(req.params.id, res, next)	66	next()
		67	})
65	})	68	})
66	}	69	}
67		70