Merge branch 'release/4.0.0' into develop

2 files changed, 55 insertions, 1 deletions

diff --git a/server/tests/api/check-params/video-captions.ts b/server/tests/api/check-params/video-captions.ts
index 8a8840793..9881df80c 100644
--- a/server/tests/api/check-params/video-captions.ts
+++ b/server/tests/api/check-params/video-captions.ts
@@ -2,7 +2,7 @@
 
 import 'mocha'
 import { buildAbsoluteFixturePath } from '@shared/core-utils'
-import { HttpStatusCode, VideoCreateResult } from '@shared/models'
+import { HttpStatusCode, VideoCreateResult, VideoPrivacy } from '@shared/models'
 import {
   cleanupTests,
   createSingleServer,
@@ -19,6 +19,7 @@ describe('Test video captions API validator', function () {
   let server: PeerTubeServer
   let userAccessToken: string
   let video: VideoCreateResult
+  let privateVideo: VideoCreateResult
 
   // ---------------------------------------------------------------
 
@@ -30,6 +31,7 @@ describe('Test video captions API validator', function () {
     await setAccessTokensToServers([ server ])
 
     video = await server.videos.upload()
+    privateVideo = await server.videos.upload({ attributes: { privacy: VideoPrivacy.PRIVATE } })
 
     {
       const user = {
@@ -204,8 +206,32 @@ describe('Test video captions API validator', function () {
       })
     })
 
+    it('Should fail with a private video without token', async function () {
+      await makeGetRequest({
+        url: server.url,
+        path: path + privateVideo.shortUUID + '/captions',
+        expectedStatus: HttpStatusCode.UNAUTHORIZED_401
+      })
+    })
+
+    it('Should fail with another user token', async function () {
+      await makeGetRequest({
+        url: server.url,
+        token: userAccessToken,
+        path: path + privateVideo.shortUUID + '/captions',
+        expectedStatus: HttpStatusCode.FORBIDDEN_403
+      })
+    })
+
     it('Should success with the correct parameters', async function () {
       await makeGetRequest({ url: server.url, path: path + video.shortUUID + '/captions', expectedStatus: HttpStatusCode.OK_200 })
+
+      await makeGetRequest({
+        url: server.url,
+        path: path + privateVideo.shortUUID + '/captions',
+        token: server.accessToken,
+        expectedStatus: HttpStatusCode.OK_200
+      })
     })
   })
 
diff --git a/server/tests/api/check-params/video-imports.ts b/server/tests/api/check-params/video-imports.ts
index ddea68db4..da05793a0 100644
--- a/server/tests/api/check-params/video-imports.ts
+++ b/server/tests/api/check-params/video-imports.ts
@@ -105,6 +105,34 @@ describe('Test video imports API validator', function () {
       await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields })
     })
 
+    it('Should fail with localhost', async function () {
+      const fields = { ...baseCorrectParams, targetUrl: 'http://localhost:8000' }
+
+      await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields })
+    })
+
+    it('Should fail with a private IP target urls', async function () {
+      const targetUrls = [
+        'http://127.0.0.1:8000',
+        'http://127.0.0.1',
+        'http://127.0.0.1/hello',
+        'https://192.168.1.42',
+        'http://192.168.1.42'
+      ]
+
+      for (const targetUrl of targetUrls) {
+        const fields = { ...baseCorrectParams, targetUrl }
+
+        await makePostBodyRequest({
+          url: server.url,
+          path,
+          token: server.accessToken,
+          fields,
+          expectedStatus: HttpStatusCode.FORBIDDEN_403
+        })
+      }
+    })
+
     it('Should fail with a long name', async function () {
       const fields = { ...baseCorrectParams, name: 'super'.repeat(65) }