diff options
author | Chocobozzz <me@florianbigard.com> | 2018-08-14 09:08:47 +0200 |
---|---|---|
committer | Chocobozzz <me@florianbigard.com> | 2018-08-14 09:27:18 +0200 |
commit | 191764f30b0a812bf3a9dbdc7daf1d5afe25e12a (patch) | |
tree | a5592f8d89949cde832f025e393a3821ad2aca37 /server/middlewares | |
parent | 26b7305a232e547709f433a6edf700bf495935d8 (diff) | |
download | PeerTube-191764f30b0a812bf3a9dbdc7daf1d5afe25e12a.tar.gz PeerTube-191764f30b0a812bf3a9dbdc7daf1d5afe25e12a.tar.zst PeerTube-191764f30b0a812bf3a9dbdc7daf1d5afe25e12a.zip |
Improve blacklist management
Diffstat (limited to 'server/middlewares')
-rw-r--r-- | server/middlewares/validators/videos.ts | 33 |
1 files changed, 21 insertions, 12 deletions
diff --git a/server/middlewares/validators/videos.ts b/server/middlewares/validators/videos.ts index 203a00876..77d601a4d 100644 --- a/server/middlewares/validators/videos.ts +++ b/server/middlewares/validators/videos.ts | |||
@@ -35,6 +35,8 @@ import { VideoShareModel } from '../../models/video/video-share' | |||
35 | import { authenticate } from '../oauth' | 35 | import { authenticate } from '../oauth' |
36 | import { areValidationErrors } from './utils' | 36 | import { areValidationErrors } from './utils' |
37 | import { cleanUpReqFiles } from '../../helpers/utils' | 37 | import { cleanUpReqFiles } from '../../helpers/utils' |
38 | import { VideoModel } from '../../models/video/video' | ||
39 | import { UserModel } from '../../models/account/user' | ||
38 | 40 | ||
39 | const videosAddValidator = getCommonVideoAttributes().concat([ | 41 | const videosAddValidator = getCommonVideoAttributes().concat([ |
40 | body('videofile') | 42 | body('videofile') |
@@ -131,7 +133,25 @@ const videosGetValidator = [ | |||
131 | if (areValidationErrors(req, res)) return | 133 | if (areValidationErrors(req, res)) return |
132 | if (!await isVideoExist(req.params.id, res)) return | 134 | if (!await isVideoExist(req.params.id, res)) return |
133 | 135 | ||
134 | const video = res.locals.video | 136 | const video: VideoModel = res.locals.video |
137 | |||
138 | // Video private or blacklisted | ||
139 | if (video.privacy === VideoPrivacy.PRIVATE || video.VideoBlacklist) { | ||
140 | authenticate(req, res, () => { | ||
141 | const user: UserModel = res.locals.oauth.token.User | ||
142 | |||
143 | // Only the owner or a user that have blacklist rights can see the video | ||
144 | if (video.VideoChannel.Account.userId !== user.id && !user.hasRight(UserRight.MANAGE_VIDEO_BLACKLIST)) { | ||
145 | return res.status(403) | ||
146 | .json({ error: 'Cannot get this private or blacklisted video.' }) | ||
147 | .end() | ||
148 | } | ||
149 | |||
150 | return next() | ||
151 | }) | ||
152 | |||
153 | return | ||
154 | } | ||
135 | 155 | ||
136 | // Video is public, anyone can access it | 156 | // Video is public, anyone can access it |
137 | if (video.privacy === VideoPrivacy.PUBLIC) return next() | 157 | if (video.privacy === VideoPrivacy.PUBLIC) return next() |
@@ -143,17 +163,6 @@ const videosGetValidator = [ | |||
143 | // Don't leak this unlisted video | 163 | // Don't leak this unlisted video |
144 | return res.status(404).end() | 164 | return res.status(404).end() |
145 | } | 165 | } |
146 | |||
147 | // Video is private, check the user | ||
148 | authenticate(req, res, () => { | ||
149 | if (video.VideoChannel.Account.userId !== res.locals.oauth.token.User.id) { | ||
150 | return res.status(403) | ||
151 | .json({ error: 'Cannot get this private video of another user' }) | ||
152 | .end() | ||
153 | } | ||
154 | |||
155 | return next() | ||
156 | }) | ||
157 | } | 166 | } |
158 | ] | 167 | ] |
159 | 168 | ||