diff options
author | Chocobozzz <me@florianbigard.com> | 2022-06-22 14:03:50 +0200 |
---|---|---|
committer | Chocobozzz <me@florianbigard.com> | 2022-06-22 14:03:50 +0200 |
commit | 2c2befaacaa7063df0d4557b71c187ee168a8eb6 (patch) | |
tree | ed31dba97ff754d6d20f32bf7eec10e580afa121 /server | |
parent | ff9d43f62a4f4737c5bfe955883b48c5440f323a (diff) | |
download | PeerTube-2c2befaacaa7063df0d4557b71c187ee168a8eb6.tar.gz PeerTube-2c2befaacaa7063df0d4557b71c187ee168a8eb6.tar.zst PeerTube-2c2befaacaa7063df0d4557b71c187ee168a8eb6.zip |
Fix video right check
Diffstat (limited to 'server')
-rw-r--r-- | server/middlewares/auth.ts | 4 | ||||
-rw-r--r-- | server/middlewares/validators/shared/videos.ts | 13 | ||||
-rw-r--r-- | server/middlewares/validators/videos/video-playlists.ts | 4 | ||||
-rw-r--r-- | server/tests/api/videos/video-privacy.ts | 2 |
4 files changed, 12 insertions, 11 deletions
diff --git a/server/middlewares/auth.ts b/server/middlewares/auth.ts index c5424be97..ad3b24ab2 100644 --- a/server/middlewares/auth.ts +++ b/server/middlewares/auth.ts | |||
@@ -47,7 +47,7 @@ function authenticateSocket (socket: Socket, next: (err?: any) => void) { | |||
47 | .catch(err => logger.error('Cannot get access token.', { err })) | 47 | .catch(err => logger.error('Cannot get access token.', { err })) |
48 | } | 48 | } |
49 | 49 | ||
50 | function authenticatePromiseIfNeeded (req: express.Request, res: express.Response, authenticateInQuery = false) { | 50 | function authenticatePromise (req: express.Request, res: express.Response, authenticateInQuery = false) { |
51 | return new Promise<void>(resolve => { | 51 | return new Promise<void>(resolve => { |
52 | // Already authenticated? (or tried to) | 52 | // Already authenticated? (or tried to) |
53 | if (res.locals.oauth?.token.User) return resolve() | 53 | if (res.locals.oauth?.token.User) return resolve() |
@@ -76,6 +76,6 @@ function optionalAuthenticate (req: express.Request, res: express.Response, next | |||
76 | export { | 76 | export { |
77 | authenticate, | 77 | authenticate, |
78 | authenticateSocket, | 78 | authenticateSocket, |
79 | authenticatePromiseIfNeeded, | 79 | authenticatePromise, |
80 | optionalAuthenticate | 80 | optionalAuthenticate |
81 | } | 81 | } |
diff --git a/server/middlewares/validators/shared/videos.ts b/server/middlewares/validators/shared/videos.ts index 39aab6df7..2c2ae3811 100644 --- a/server/middlewares/validators/shared/videos.ts +++ b/server/middlewares/validators/shared/videos.ts | |||
@@ -2,7 +2,7 @@ import { Request, Response } from 'express' | |||
2 | import { isUUIDValid } from '@server/helpers/custom-validators/misc' | 2 | import { isUUIDValid } from '@server/helpers/custom-validators/misc' |
3 | import { loadVideo, VideoLoadType } from '@server/lib/model-loaders' | 3 | import { loadVideo, VideoLoadType } from '@server/lib/model-loaders' |
4 | import { isAbleToUploadVideo } from '@server/lib/user' | 4 | import { isAbleToUploadVideo } from '@server/lib/user' |
5 | import { authenticatePromiseIfNeeded } from '@server/middlewares/auth' | 5 | import { authenticatePromise } from '@server/middlewares/auth' |
6 | import { VideoModel } from '@server/models/video/video' | 6 | import { VideoModel } from '@server/models/video/video' |
7 | import { VideoChannelModel } from '@server/models/video/video-channel' | 7 | import { VideoChannelModel } from '@server/models/video/video-channel' |
8 | import { VideoFileModel } from '@server/models/video/video-file' | 8 | import { VideoFileModel } from '@server/models/video/video-file' |
@@ -137,7 +137,7 @@ async function checkCanSeeAuthVideo (req: Request, res: Response, video: MVideoI | |||
137 | return false | 137 | return false |
138 | } | 138 | } |
139 | 139 | ||
140 | await authenticatePromiseIfNeeded(req, res, authenticateInQuery) | 140 | await authenticatePromise(req, res, authenticateInQuery) |
141 | 141 | ||
142 | const user = res.locals.oauth?.token.User | 142 | const user = res.locals.oauth?.token.User |
143 | if (!user) return fail() | 143 | if (!user) return fail() |
@@ -154,14 +154,15 @@ async function checkCanSeeAuthVideo (req: Request, res: Response, video: MVideoI | |||
154 | } | 154 | } |
155 | 155 | ||
156 | const isOwnedByUser = videoWithRights.VideoChannel.Account.userId === user.id | 156 | const isOwnedByUser = videoWithRights.VideoChannel.Account.userId === user.id |
157 | if (privacy === VideoPrivacy.PRIVATE || privacy === VideoPrivacy.UNLISTED) { | 157 | |
158 | if (isOwnedByUser && user.hasRight(UserRight.SEE_ALL_VIDEOS)) return true | 158 | if (videoWithRights.isBlacklisted()) { |
159 | if (isOwnedByUser || user.hasRight(UserRight.MANAGE_VIDEO_BLACKLIST)) return true | ||
159 | 160 | ||
160 | return fail() | 161 | return fail() |
161 | } | 162 | } |
162 | 163 | ||
163 | if (videoWithRights.isBlacklisted()) { | 164 | if (privacy === VideoPrivacy.PRIVATE || privacy === VideoPrivacy.UNLISTED) { |
164 | if (isOwnedByUser || user.hasRight(UserRight.MANAGE_VIDEO_BLACKLIST)) return true | 165 | if (isOwnedByUser || user.hasRight(UserRight.SEE_ALL_VIDEOS)) return true |
165 | 166 | ||
166 | return fail() | 167 | return fail() |
167 | } | 168 | } |
diff --git a/server/middlewares/validators/videos/video-playlists.ts b/server/middlewares/validators/videos/video-playlists.ts index 241b9ed7b..d514ae0ad 100644 --- a/server/middlewares/validators/videos/video-playlists.ts +++ b/server/middlewares/validators/videos/video-playlists.ts | |||
@@ -33,7 +33,7 @@ import { logger } from '../../../helpers/logger' | |||
33 | import { CONSTRAINTS_FIELDS } from '../../../initializers/constants' | 33 | import { CONSTRAINTS_FIELDS } from '../../../initializers/constants' |
34 | import { VideoPlaylistElementModel } from '../../../models/video/video-playlist-element' | 34 | import { VideoPlaylistElementModel } from '../../../models/video/video-playlist-element' |
35 | import { MVideoPlaylist } from '../../../types/models/video/video-playlist' | 35 | import { MVideoPlaylist } from '../../../types/models/video/video-playlist' |
36 | import { authenticatePromiseIfNeeded } from '../../auth' | 36 | import { authenticatePromise } from '../../auth' |
37 | import { | 37 | import { |
38 | areValidationErrors, | 38 | areValidationErrors, |
39 | doesVideoChannelIdExist, | 39 | doesVideoChannelIdExist, |
@@ -161,7 +161,7 @@ const videoPlaylistsGetValidator = (fetchType: VideoPlaylistFetchType) => { | |||
161 | } | 161 | } |
162 | 162 | ||
163 | if (videoPlaylist.privacy === VideoPlaylistPrivacy.PRIVATE) { | 163 | if (videoPlaylist.privacy === VideoPlaylistPrivacy.PRIVATE) { |
164 | await authenticatePromiseIfNeeded(req, res) | 164 | await authenticatePromise(req, res) |
165 | 165 | ||
166 | const user = res.locals.oauth ? res.locals.oauth.token.User : null | 166 | const user = res.locals.oauth ? res.locals.oauth.token.User : null |
167 | 167 | ||
diff --git a/server/tests/api/videos/video-privacy.ts b/server/tests/api/videos/video-privacy.ts index 3051a443d..1073aee8c 100644 --- a/server/tests/api/videos/video-privacy.ts +++ b/server/tests/api/videos/video-privacy.ts | |||
@@ -162,7 +162,7 @@ describe('Test video privacy', function () { | |||
162 | }) | 162 | }) |
163 | 163 | ||
164 | it('Should not be able to get this unlisted video using its id', async function () { | 164 | it('Should not be able to get this unlisted video using its id', async function () { |
165 | await servers[1].videos.get({ id: unlistedVideo.id, expectedStatus: HttpStatusCode.NOT_FOUND_404 }) | 165 | await servers[1].videos.get({ id: unlistedVideo.id, expectedStatus: HttpStatusCode.UNAUTHORIZED_401 }) |
166 | }) | 166 | }) |
167 | 167 | ||
168 | it('Should be able to get this unlisted video using its uuid/shortUUID', async function () { | 168 | it('Should be able to get this unlisted video using its uuid/shortUUID', async function () { |