author | Chocobozzz <me@florianbigard.com> | 2020-04-21 09:01:39 +0200 |
---|---|---|
committer | Chocobozzz <me@florianbigard.com> | 2020-04-21 09:01:39 +0200 |
commit | 68b6fd21b19ef17274e84dbb21ad7cfb7bc6c36a (patch) | |
tree | 81fa180f180f2cc3a2a7ec665a568acc8df3ce57 /server | |
parent | b3af2601da92a6c0835cb2473b4c7a41a0d86e98 (diff) | |
Don't leak unlisted videos in comments feed
Diffstat (limited to 'server')
-rw-r--r-- | server/controllers/feeds.ts | 4 | ||||
-rw-r--r-- | server/models/video/video-comment.ts | 6 | ||||
-rw-r--r-- | server/tests/feeds/feeds.ts | 12 |
3 files changed, 18 insertions, 4 deletions
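--- a/server/controllers/feeds.ts
+++ b/server/controllers/feeds.ts
@@ -67,7 +67,7 @@ async function generateVideoCommentsFeed (req: express.Request, res: express.Res
 const feed = initFeed(name, description)
 
 // Adding video items to the feed, one at a time
-comments.forEach(comment => {
+for (const comment of comments) {
 const link = WEBSERVER.URL + comment.getCommentStaticPath()
 
 let title = comment.Video.name
@@ -89,7 +89,7 @@ async function generateVideoCommentsFeed (req: express.Request, res: express.Res
 author,
 date: comment.createdAt
 })
-})
+}
 
 // Now the feed generation is done, let's send it!
 return sendFeed(feed, req, res)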
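--- a/server/models/video/video-comment.ts
+++ b/server/models/video/video-comment.ts
@@ -27,6 +27,7 @@ import {
 MCommentOwnerVideoReply
 } from '../../typings/models/video'
 import { MUserAccountId } from '@server/typings/models'
+import { VideoPrivacy } from '@shared/models'
 
 enum ScopeNames {
 WITH_ACCOUNT = 'WITH_ACCOUNT',
@@ -390,7 +391,10 @@ export class VideoCommentModel extends Model<VideoCommentModel> {
 {
 attributes: [ 'name', 'uuid' ],
 model: VideoModel.unscoped(),
-required: true
+required: true,
+where: {
+privacy: VideoPrivacy.PUBLIC
+}
 }
 ]
 }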
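Review bot: The new `where: { privacy: VideoPrivacy.PUBLIC }` on the Video include has no comment explaining why it is there, yet together with `required: true` it is the only visible condition keeping comments on non-public videos out of the feed query. I would add a line above it such as `// Comments feed is publicly reachable: only join comments whose video is PUBLIC`, so a later refactor of the include does not drop it as redundant. Allow-listing PUBLIC rather than excluding UNLISTED is the right shape, since it also covers every other non-public privacy value. The enclosing query method starts and ends outside the hunk, so it is not visible whether further visibility conditions (for example a moderation block on the video) are applied elsewhere in the query; that is worth confirming.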
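--- a/server/tests/feeds/feeds.ts
+++ b/server/tests/feeds/feeds.ts
@@ -19,6 +19,7 @@ import * as libxmljs from 'libxmljs'
 import { addVideoCommentThread } from '../../../shared/extra-utils/videos/video-comments'
 import { waitJobs } from '../../../shared/extra-utils/server/jobs'
 import { User } from '../../../shared/models/users'
+import { VideoPrivacy } from '@shared/models'
 
 chai.use(require('chai-xml'))
 chai.use(require('chai-json-schema'))
@@ -77,6 +78,14 @@ describe('Test syndication feeds', () => {
 await addVideoCommentThread(servers[0].url, servers[0].accessToken, videoId, 'super comment 2')
 }
 
+{
+const videoAttributes = { name: 'unlisted video', privacy: VideoPrivacy.UNLISTED }
+const res = await uploadVideo(servers[0].url, servers[0].accessToken, videoAttributes)
+const videoId = res.body.video.id
+
+await addVideoCommentThread(servers[0].url, servers[0].accessToken, videoId, 'comment on unlisted video')
+}
+
 await waitJobs(servers)
 })
 
@@ -196,7 +205,8 @@ describe('Test syndication feeds', () => {
 })
 
 describe('Video comments feed', function () {
-it('Should contain valid comments (covers JSON feed 1.0 endpoint)', async function () {
+
+it('Should contain valid comments (covers JSON feed 1.0 endpoint) and not from unlisted videos', async function () {
 for (const server of servers) {
 const json = await getJSONfeed(server.url, 'video-comments')
 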
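Review bot: No visible hunk adds an assertion that the comment on the unlisted video is absent from the feed. The setup hunk creates the fixture and the last hunk only changes the `it(...)` title, so the test appears to rely on pre-existing assertions in a body that continues outside the hunk. An explicit negative check would make the regression fail for the right reason, for example `expect(json.text).to.not.contain('comment on unlisted video')` (assuming the response exposes its body as `text`). The fixture also covers only `VideoPrivacy.UNLISTED`; adding a private video with a comment would pin the allow-list behaviour of the model change.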