Server: rights check for update a video

author: Chocobozzz <florian.bigard@gmail.com> 2017-01-11 18:41:09 +0100
committer: Chocobozzz <florian.bigard@gmail.com> 2017-01-11 18:41:09 +0100
commit: 45abb8b97b8313f8f58a4a73b527882ad7b4af9c (patch)
tree: 6b5936d30261334abcafaa16779a32171031a87b /server/middlewares
parent: d8cc063e9775688a1631eda9203411a2dba0333c (diff)
download: PeerTube-45abb8b97b8313f8f58a4a73b527882ad7b4af9c.tar.gz
PeerTube-45abb8b97b8313f8f58a4a73b527882ad7b4af9c.tar.zst
PeerTube-45abb8b97b8313f8f58a4a73b527882ad7b4af9c.zip
1 files changed, 8 insertions, 0 deletions
diff --git a/server/middlewares/validators/videos.js b/server/middlewares/validators/videos.js
index ff18a99c2..3d7c04b60 100644
--- a/server/middlewares/validators/videos.js
+++ b/server/middlewares/validators/videos.js
@@ -53,6 +53,14 @@ function videosUpdate (req, res, next) {
  logger.debug('Checking videosUpdate parameters', { parameters: req.body })
  checkErrors(req, res, function () {
+    if (res.locals.video.isOwned() === false) {
+      return res.status(403).send('Cannot update video of another pod')
+    }
+    if (res.locals.video.Author.userId !== res.locals.oauth.token.User.id) {
+      return res.status(403).send('Cannot update video of another user')
+    }
    checkVideoExists(req.params.id, res, next)
  })
 }
author	Chocobozzz <florian.bigard@gmail.com>	2017-01-11 18:41:09 +0100
committer	Chocobozzz <florian.bigard@gmail.com>	2017-01-11 18:41:09 +0100
commit	45abb8b97b8313f8f58a4a73b527882ad7b4af9c (patch)
tree	6b5936d30261334abcafaa16779a32171031a87b /server/middlewares
parent	d8cc063e9775688a1631eda9203411a2dba0333c (diff)
download	PeerTube-45abb8b97b8313f8f58a4a73b527882ad7b4af9c.tar.gz PeerTube-45abb8b97b8313f8f58a4a73b527882ad7b4af9c.tar.zst PeerTube-45abb8b97b8313f8f58a4a73b527882ad7b4af9c.zip

diff --git a/server/middlewares/validators/videos.js b/server/middlewares/validators/videos.js index ff18a99c2..3d7c04b60 100644 --- a/server/middlewares/validators/videos.js +++ b/server/middlewares/validators/videos.js
@@ -53,6 +53,14 @@ function videosUpdate (req, res, next) {
53	logger.debug('Checking videosUpdate parameters', { parameters: req.body })	53	logger.debug('Checking videosUpdate parameters', { parameters: req.body })
54		54
55	checkErrors(req, res, function () {	55	checkErrors(req, res, function () {
		56	if (res.locals.video.isOwned() === false) {
		57	return res.status(403).send('Cannot update video of another pod')
		58	}
		59
		60	if (res.locals.video.Author.userId !== res.locals.oauth.token.User.id) {
		61	return res.status(403).send('Cannot update video of another user')
		62	}
		63
56	checkVideoExists(req.params.id, res, next)	64	checkVideoExists(req.params.id, res, next)
57	})	65	})
58	}	66	}