author | Chocobozzz <me@florianbigard.com> | 2022-02-22 14:16:34 +0100 |
---|---|---|
committer | Chocobozzz <me@florianbigard.com> | 2022-02-22 14:16:51 +0100 |
commit | 6ea9295b8f5dd7cc254202a79aad61c666cc4259 (patch) | |
tree | 0345d57eb47c5b5cd0046fee1456b0dc440ae470 /server/middlewares | |
parent | fdd5da058aeffb161202124a129789a3c2bb234c (diff) | |
Check video privacy when creating comments/rates
Diffstat (limited to 'server/middlewares')
-rw-r--r-- | server/middlewares/validators/videos/video-comments.ts | 16 | ||||
-rw-r--r-- | server/middlewares/validators/videos/video-rates.ts | 9 |
2 files changed, 24 insertions, 1 deletions
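--- a/server/middlewares/validators/videos/video-comments.ts
+++ b/server/middlewares/validators/videos/video-comments.ts
@@ -100,6 +100,14 @@ const addVideoCommentThreadValidator = [
 
 if (areValidationErrors(req, res)) return
 if (!await doesVideoExist(req.params.videoId, res)) return
+
+if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.videoAll)) {
+return res.fail({
+status: HttpStatusCode.FORBIDDEN_403,
+message: 'Cannot access to this ressource'
+})
+}
+
 if (!isVideoCommentsEnabled(res.locals.videoAll, res)) return
 if (!await isVideoCommentAccepted(req, res, res.locals.videoAll, false)) return
 
@@ -119,6 +127,14 @@ const addVideoCommentReplyValidator = [
 
 if (areValidationErrors(req, res)) return
 if (!await doesVideoExist(req.params.videoId, res)) return
+
+if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.videoAll)) {
+return res.fail({
+status: HttpStatusCode.FORBIDDEN_403,
+message: 'Cannot access to this ressource'
+})
+}
+
 if (!isVideoCommentsEnabled(res.locals.videoAll, res)) return
 if (!await doesVideoCommentExist(req.params.commentId, res.locals.videoAll, res)) return
 if (!await isVideoCommentAccepted(req, res, res.locals.videoAll, true)) return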
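Review bot: A caller who is not allowed to view a video can still tell an existing private video from a missing id, because the guard added to addVideoCommentThreadValidator and addVideoCommentReplyValidator answers `HttpStatusCode.FORBIDDEN_403` only after `doesVideoExist` has passed (this assumes `doesVideoExist` sends a not-found response; its body is not shown). If that distinction is intended, record it next to the check, e.g. `// 403 on purpose: the id is known to exist, only viewing is denied`; if it is not, the deny path should return the same response as the not-found case. The same applies to the identical block in video-rates.ts. Both validator bodies begin and end outside the hunks.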
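--- a/server/middlewares/validators/videos/video-rates.ts
+++ b/server/middlewares/validators/videos/video-rates.ts
@@ -8,7 +8,7 @@ import { isRatingValid } from '../../../helpers/custom-validators/video-rates'
 import { isVideoRatingTypeValid } from '../../../helpers/custom-validators/videos'
 import { logger } from '../../../helpers/logger'
 import { AccountVideoRateModel } from '../../../models/account/account-video-rate'
-import { areValidationErrors, doesVideoExist, isValidVideoIdParam } from '../shared'
+import { areValidationErrors, checkCanSeeVideoIfPrivate, doesVideoExist, isValidVideoIdParam } from '../shared'
 
 const videoUpdateRateValidator = [
 isValidVideoIdParam('id'),
@@ -21,6 +21,13 @@ const videoUpdateRateValidator = [
 if (areValidationErrors(req, res)) return
 if (!await doesVideoExist(req.params.id, res)) return
 
+if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.videoAll)) {
+return res.fail({
+status: HttpStatusCode.FORBIDDEN_403,
+message: 'Cannot access to this ressource'
+})
+}
+
 return next()
 }
 ]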
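Review bot: The deny block at new lines 24-29 of videoUpdateRateValidator is the third copy of the same six lines (the other two are in video-comments.ts), so the status and message of an authorization failure are now maintained in three places and a later validator can drift from them. Moving the `res.fail` call into one helper in `../shared` would reduce each call site to a single line such as `if (!await canSeeVideoOrFail(req, res, res.locals.videoAll)) return` (the helper name is only a suggestion). The message reads 'Cannot access to this ressource'; 'Cannot access this resource' is the intended wording, provided no client or test matches on the old text. The import of `HttpStatusCode` is not in the visible hunks and is presumably above line 8, and the validator body starts outside the hunk.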