Add ability to update another user video

author: Chocobozzz <me@florianbigard.com> 2018-02-22 09:03:45 +0100
committer: Chocobozzz <me@florianbigard.com> 2018-02-22 09:03:45 +0100
commit: 6221f311de0eb8f2a9e7e4a77b8cb0ecbde6dfcd (patch)
tree: 895e833221877e5f2c4bf291a7cd1bda05cf8865 /server/middlewares
parent: 9f4183c9b57acd382668d49e86b0001bcd55550f (diff)
download: PeerTube-6221f311de0eb8f2a9e7e4a77b8cb0ecbde6dfcd.tar.gz
PeerTube-6221f311de0eb8f2a9e7e4a77b8cb0ecbde6dfcd.tar.zst
PeerTube-6221f311de0eb8f2a9e7e4a77b8cb0ecbde6dfcd.zip
1 files changed, 5 insertions, 15 deletions
diff --git a/server/middlewares/validators/videos.ts b/server/middlewares/validators/videos.ts
index e91739f81..1dc8429c8 100644
--- a/server/middlewares/validators/videos.ts
+++ b/server/middlewares/validators/videos.ts
@@ -130,18 +130,8 @@ const videosUpdateValidator = [
    const video = res.locals.video
-    // We need to make additional checks
+    // Check if the user who did the request is able to update the video
-    if (video.isOwned() === false) {
+    if (!checkUserCanManageVideo(res.locals.oauth.token.User, res.locals.video, UserRight.UPDATE_ANY_VIDEO, res)) return
-      return res.status(403)
-                .json({ error: 'Cannot update video of another server' })
-                .end()
-    }
-    if (video.VideoChannel.Account.userId !== res.locals.oauth.token.User.id) {
-      return res.status(403)
-                .json({ error: 'Cannot update video of another user' })
-                .end()
-    }
    if (video.privacy !== VideoPrivacy.PRIVATE && req.body.privacy === VideoPrivacy.PRIVATE) {
      return res.status(409)
@@ -198,7 +188,7 @@ const videosRemoveValidator = [
    if (!await isVideoExist(req.params.id, res)) return
    // Check if the user who did the request is able to delete the video
-    if (!checkUserCanDeleteVideo(res.locals.oauth.token.User, res.locals.video, res)) return
+    if (!checkUserCanManageVideo(res.locals.oauth.token.User, res.locals.video, UserRight.REMOVE_ANY_VIDEO, res)) return
    return next()
  }
@@ -282,7 +272,7 @@ export {
 // ---------------------------------------------------------------------------
-function checkUserCanDeleteVideo (user: UserModel, video: VideoModel, res: express.Response) {
+function checkUserCanManageVideo (user: UserModel, video: VideoModel, right: UserRight, res: express.Response) {
  // Retrieve the user who did the request
  if (video.isOwned() === false) {
    res.status(403)
@@ -295,7 +285,7 @@ function checkUserCanDeleteVideo (user: UserModel, video: VideoModel, res: expre
  // The user can delete it if he has the right
  // Or if s/he is the video's account
  const account = video.VideoChannel.Account
-  if (user.hasRight(UserRight.REMOVE_ANY_VIDEO) === false && account.userId !== user.id) {
+  if (user.hasRight(right) === false && account.userId !== user.id) {
    res.status(403)
              .json({ error: 'Cannot remove video of another user' })
              .end()
author	Chocobozzz <me@florianbigard.com>	2018-02-22 09:03:45 +0100
committer	Chocobozzz <me@florianbigard.com>	2018-02-22 09:03:45 +0100
commit	6221f311de0eb8f2a9e7e4a77b8cb0ecbde6dfcd (patch)
tree	895e833221877e5f2c4bf291a7cd1bda05cf8865 /server/middlewares
parent	9f4183c9b57acd382668d49e86b0001bcd55550f (diff)
download	PeerTube-6221f311de0eb8f2a9e7e4a77b8cb0ecbde6dfcd.tar.gz PeerTube-6221f311de0eb8f2a9e7e4a77b8cb0ecbde6dfcd.tar.zst PeerTube-6221f311de0eb8f2a9e7e4a77b8cb0ecbde6dfcd.zip