authorChocobozzz <me@florianbigard.com>2022-02-22 14:16:34 +0100
committerChocobozzz <me@florianbigard.com>2022-02-22 14:16:51 +0100
commit6ea9295b8f5dd7cc254202a79aad61c666cc4259 (patch)
tree0345d57eb47c5b5cd0046fee1456b0dc440ae470 /server/middlewares
parentfdd5da058aeffb161202124a129789a3c2bb234c (diff)
Check video privacy when creating comments/rates
Diffstat (limited to 'server/middlewares')
-rw-r--r--server/middlewares/validators/videos/video-comments.ts16
-rw-r--r--server/middlewares/validators/videos/video-rates.ts9
2 files changed, 24 insertions, 1 deletions
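--- a/server/middlewares/validators/videos/video-comments.ts
+++ b/server/middlewares/validators/videos/video-comments.ts
@@ -100,6 +100,14 @@ const addVideoCommentThreadValidator = [
 
 if (areValidationErrors(req, res)) return
 if (!await doesVideoExist(req.params.videoId, res)) return
+
+if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.videoAll)) {
+return res.fail({
+status: HttpStatusCode.FORBIDDEN_403,
+message: 'Cannot access to this ressource'
+})
+}
+
 if (!isVideoCommentsEnabled(res.locals.videoAll, res)) return
 if (!await isVideoCommentAccepted(req, res, res.locals.videoAll, false)) return
 
@@ -119,6 +127,14 @@ const addVideoCommentReplyValidator = [
 
 if (areValidationErrors(req, res)) return
 if (!await doesVideoExist(req.params.videoId, res)) return
+
+if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.videoAll)) {
+return res.fail({
+status: HttpStatusCode.FORBIDDEN_403,
+message: 'Cannot access to this ressource'
+})
+}
+
 if (!isVideoCommentsEnabled(res.locals.videoAll, res)) return
 if (!await doesVideoCommentExist(req.params.commentId, res.locals.videoAll, res)) return
 if (!await isVideoCommentAccepted(req, res, res.locals.videoAll, true)) return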
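Review bot: The new 403 branch at new lines 104–109 (repeated at 131–136) makes a video the caller may not see answer differently from the failure path of `doesVideoExist` one line above, so the response still reveals that the id belongs to an existing restricted video. This assumes that helper replies with a not-found status, which is not visible on this page. If existence should stay hidden, answer with the same status as the not-found path; if the 403 is intended, record that above the check, e.g. `// 403 on purpose: existence of a private video is not treated as secret`. The same six lines are pasted into both comment validators and into video-rates.ts, so one helper in the shared validators module would keep the status and message in a single place. Both validator bodies start and end outside the hunks.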
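--- a/server/middlewares/validators/videos/video-rates.ts
+++ b/server/middlewares/validators/videos/video-rates.ts
@@ -8,7 +8,7 @@ import { isRatingValid } from '../../../helpers/custom-validators/video-rates'
 import { isVideoRatingTypeValid } from '../../../helpers/custom-validators/videos'
 import { logger } from '../../../helpers/logger'
 import { AccountVideoRateModel } from '../../../models/account/account-video-rate'
-import { areValidationErrors, doesVideoExist, isValidVideoIdParam } from '../shared'
+import { areValidationErrors, checkCanSeeVideoIfPrivate, doesVideoExist, isValidVideoIdParam } from '../shared'
 
 const videoUpdateRateValidator = [
 isValidVideoIdParam('id'),
@@ -21,6 +21,13 @@ const videoUpdateRateValidator = [
 if (areValidationErrors(req, res)) return
 if (!await doesVideoExist(req.params.id, res)) return
 
+if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.videoAll)) {
+return res.fail({
+status: HttpStatusCode.FORBIDDEN_403,
+message: 'Cannot access to this ressource'
+})
+}
+
 return next()
 }
 ]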
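Review bot: `checkCanSeeVideoIfPrivate` is handed `res` at new line 24, and if it can already write a response on its own failure path (for example when authentication fails), the `res.fail` on the next line would be a second write to the same response. Its body is not on this page, so this needs confirming. If it only ever returns a boolean, a comment such as `// checkCanSeeVideoIfPrivate never responds itself; the 403 is sent here` would record that; otherwise add `if (res.headersSent) return` before `res.fail`. The other validators in this file that call `doesVideoExist` are outside the hunks and are worth checking for the same privacy gate. The validator's body starts before the second hunk.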