authorChocobozzz <florian.bigard@gmail.com>2017-10-31 15:20:35 +0100
committerChocobozzz <florian.bigard@gmail.com>2017-10-31 15:32:10 +0100
commit11474c3cd904fa0fc07fc0a3a9a35496da17f300 (patch)
tree945bb2cdc11548c80706dbf7f0db4fa0edabbee0 /server/middlewares
parentfd45e8f43c2638478599ca75632518054461da85 (diff)
Add tests and fix bugs for video privacy
Diffstat (limited to 'server/middlewares')
-rw-r--r--server/middlewares/validators/videos.ts63
1 files changed, 37 insertions, 26 deletions
diff --git a/server/middlewares/validators/videos.ts b/server/middlewares/validators/videos.ts
index e197d4606..15b4629c1 100644
--- a/server/middlewares/validators/videos.ts
+++ b/server/middlewares/validators/videos.ts
@@ -24,6 +24,7 @@ import {
24 isVideoPrivacyValid 24 isVideoPrivacyValid
25} from '../../helpers' 25} from '../../helpers'
26import { UserRight, VideoPrivacy } from '../../../shared' 26import { UserRight, VideoPrivacy } from '../../../shared'
27import { authenticate } from '../oauth'
27 28
28const videosAddValidator = [ 29const videosAddValidator = [
29 body('videofile').custom((value, { req }) => isVideoFile(req.files)).withMessage( 30 body('videofile').custom((value, { req }) => isVideoFile(req.files)).withMessage(
@@ -112,7 +113,7 @@ const videosUpdateValidator = [
112 body('licence').optional().custom(isVideoLicenceValid).withMessage('Should have a valid licence'), 113 body('licence').optional().custom(isVideoLicenceValid).withMessage('Should have a valid licence'),
113 body('language').optional().custom(isVideoLanguageValid).withMessage('Should have a valid language'), 114 body('language').optional().custom(isVideoLanguageValid).withMessage('Should have a valid language'),
114 body('nsfw').optional().custom(isVideoNSFWValid).withMessage('Should have a valid NSFW attribute'), 115 body('nsfw').optional().custom(isVideoNSFWValid).withMessage('Should have a valid NSFW attribute'),
115 body('privacy').custom(isVideoPrivacyValid).withMessage('Should have correct video privacy'), 116 body('privacy').optional().custom(isVideoPrivacyValid).withMessage('Should have correct video privacy'),
116 body('description').optional().custom(isVideoDescriptionValid).withMessage('Should have a valid description'), 117 body('description').optional().custom(isVideoDescriptionValid).withMessage('Should have a valid description'),
117 body('tags').optional().custom(isVideoTagsValid).withMessage('Should have correct tags'), 118 body('tags').optional().custom(isVideoTagsValid).withMessage('Should have correct tags'),
118 119
@@ -155,7 +156,22 @@ const videosGetValidator = [
155 logger.debug('Checking videosGet parameters', { parameters: req.params }) 156 logger.debug('Checking videosGet parameters', { parameters: req.params })
156 157
157 checkErrors(req, res, () => { 158 checkErrors(req, res, () => {
158 checkVideoExists(req.params.id, res, next) 159 checkVideoExists(req.params.id, res, () => {
160 const video = res.locals.video
161
162 // Video is not private, anyone can access it
163 if (video.privacy !== VideoPrivacy.PRIVATE) return next()
164
165 authenticate(req, res, () => {
166 if (video.VideoChannel.Author.userId !== res.locals.oauth.token.User.id) {
167 return res.status(403)
168 .json({ error: 'Cannot get this private video of another user' })
169 .end()
170 }
171
172 next()
173 })
174 })
159 }) 175 })
160 } 176 }
161] 177]
@@ -232,28 +248,23 @@ export {
232 248
233function checkUserCanDeleteVideo (userId: number, res: express.Response, callback: () => void) { 249function checkUserCanDeleteVideo (userId: number, res: express.Response, callback: () => void) {
234 // Retrieve the user who did the request 250 // Retrieve the user who did the request
235 db.User.loadById(userId) 251 if (res.locals.video.isOwned() === false) {
236 .then(user => { 252 return res.status(403)
237 if (res.locals.video.isOwned() === false) { 253 .json({ error: 'Cannot remove video of another pod, blacklist it' })
238 return res.status(403) 254 .end()
239 .json({ error: 'Cannot remove video of another pod, blacklist it' }) 255 }
240 .end() 256
241 } 257 // Check if the user can delete the video
242 258 // The user can delete it if s/he is an admin
243 // Check if the user can delete the video 259 // Or if s/he is the video's author
244 // The user can delete it if s/he is an admin 260 const author = res.locals.video.VideoChannel.Author
245 // Or if s/he is the video's author 261 const user = res.locals.oauth.token.User
246 if (user.hasRight(UserRight.REMOVE_ANY_VIDEO) === false && res.locals.video.Author.userId !== res.locals.oauth.token.User.id) { 262 if (user.hasRight(UserRight.REMOVE_ANY_VIDEO) === false && author.userId !== user.id) {
247 return res.status(403) 263 return res.status(403)
248 .json({ error: 'Cannot remove video of another user' }) 264 .json({ error: 'Cannot remove video of another user' })
249 .end() 265 .end()
250 } 266 }
251 267
252 // If we reach this comment, we can delete the video 268 // If we reach this comment, we can delete the video
253 callback() 269 callback()
254 })
255 .catch(err => {
256 logger.error('Error in video request validator.', err)
257 return res.sendStatus(500)
258 })
259} 270}
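Review bot: The private-video branch added to videosGetValidator (new lines 166–169) answers a non-owner with 403 and the message "Cannot get this private video of another user", which turns the endpoint into an oracle: any authenticated caller can confirm that a given id exists and is private, and since the lookup is done by `req.params.id` this is distinguishable from whatever checkVideoExists returns for an unknown id (its body is outside this hunk). Unless that distinction is wanted, answer exactly as for a missing video, e.g. `if (video.VideoChannel.Author.userId !== res.locals.oauth.token.User.id) return res.status(404).end()`, and keep the detailed reason in the log. Note also that the test is strict owner-equality, so a user holding REMOVE_ANY_VIDEO — who checkUserCanDeleteVideo in the hunk below lets delete the video — cannot view it; if that is intended, a one-line comment such as `// Private videos are visible to their author only, admins included` would stop the next reader "fixing" it. The hunk relies on `authenticate` ending the response itself when the token is missing or invalid, which cannot be confirmed from here, and the enclosing validator array starts before the hunk.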