Check video privacy when creating comments/rates

author: Chocobozzz <me@florianbigard.com> 2022-02-22 14:16:34 +0100
committer: Chocobozzz <me@florianbigard.com> 2022-02-22 14:16:51 +0100
commit: 6ea9295b8f5dd7cc254202a79aad61c666cc4259 (patch)
tree: 0345d57eb47c5b5cd0046fee1456b0dc440ae470 /server/middlewares
parent: fdd5da058aeffb161202124a129789a3c2bb234c (diff)
download: PeerTube-6ea9295b8f5dd7cc254202a79aad61c666cc4259.tar.gz
PeerTube-6ea9295b8f5dd7cc254202a79aad61c666cc4259.tar.zst
PeerTube-6ea9295b8f5dd7cc254202a79aad61c666cc4259.zip
2 files changed, 24 insertions, 1 deletions
diff --git a/server/middlewares/validators/videos/video-comments.ts b/server/middlewares/validators/videos/video-comments.ts
index 91ae31ec2..91e85711d 100644
--- a/server/middlewares/validators/videos/video-comments.ts
+++ b/server/middlewares/validators/videos/video-comments.ts
@@ -100,6 +100,14 @@ const addVideoCommentThreadValidator = [
    if (areValidationErrors(req, res)) return
    if (!await doesVideoExist(req.params.videoId, res)) return
+    if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.videoAll)) {
+      return res.fail({
+        status: HttpStatusCode.FORBIDDEN_403,
+        message: 'Cannot access to this ressource'
+      })
+    }
    if (!isVideoCommentsEnabled(res.locals.videoAll, res)) return
    if (!await isVideoCommentAccepted(req, res, res.locals.videoAll, false)) return
@@ -119,6 +127,14 @@ const addVideoCommentReplyValidator = [
    if (areValidationErrors(req, res)) return
    if (!await doesVideoExist(req.params.videoId, res)) return
+    if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.videoAll)) {
+      return res.fail({
+        status: HttpStatusCode.FORBIDDEN_403,
+        message: 'Cannot access to this ressource'
+      })
+    }
    if (!isVideoCommentsEnabled(res.locals.videoAll, res)) return
    if (!await doesVideoCommentExist(req.params.commentId, res.locals.videoAll, res)) return
    if (!await isVideoCommentAccepted(req, res, res.locals.videoAll, true)) return
diff --git a/server/middlewares/validators/videos/video-rates.ts b/server/middlewares/validators/videos/video-rates.ts
index 6e0bb0ad1..923bf3eaf 100644
--- a/server/middlewares/validators/videos/video-rates.ts
+++ b/server/middlewares/validators/videos/video-rates.ts
@@ -8,7 +8,7 @@ import { isRatingValid } from '../../../helpers/custom-validators/video-rates'
 import { isVideoRatingTypeValid } from '../../../helpers/custom-validators/videos'
 import { logger } from '../../../helpers/logger'
 import { AccountVideoRateModel } from '../../../models/account/account-video-rate'
-import { areValidationErrors, doesVideoExist, isValidVideoIdParam } from '../shared'
+import { areValidationErrors, checkCanSeeVideoIfPrivate, doesVideoExist, isValidVideoIdParam } from '../shared'
 const videoUpdateRateValidator = [
  isValidVideoIdParam('id'),
@@ -21,6 +21,13 @@ const videoUpdateRateValidator = [
    if (areValidationErrors(req, res)) return
    if (!await doesVideoExist(req.params.id, res)) return
+    if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.videoAll)) {
+      return res.fail({
+        status: HttpStatusCode.FORBIDDEN_403,
+        message: 'Cannot access to this ressource'
+      })
+    }
    return next()
  }
 ]
author	Chocobozzz <me@florianbigard.com>	2022-02-22 14:16:34 +0100
committer	Chocobozzz <me@florianbigard.com>	2022-02-22 14:16:51 +0100
commit	6ea9295b8f5dd7cc254202a79aad61c666cc4259 (patch)
tree	0345d57eb47c5b5cd0046fee1456b0dc440ae470 /server/middlewares
parent	fdd5da058aeffb161202124a129789a3c2bb234c (diff)
download	PeerTube-6ea9295b8f5dd7cc254202a79aad61c666cc4259.tar.gz PeerTube-6ea9295b8f5dd7cc254202a79aad61c666cc4259.tar.zst PeerTube-6ea9295b8f5dd7cc254202a79aad61c666cc4259.zip