authorChocobozzz <me@florianbigard.com>2020-04-21 09:01:39 +0200
committerChocobozzz <me@florianbigard.com>2020-04-21 09:01:39 +0200
commit68b6fd21b19ef17274e84dbb21ad7cfb7bc6c36a (patch)
tree81fa180f180f2cc3a2a7ec665a568acc8df3ce57 /server
parentb3af2601da92a6c0835cb2473b4c7a41a0d86e98 (diff)
Don't leak unlisted videos in comments feed
Diffstat (limited to 'server')
-rw-r--r--server/controllers/feeds.ts4
-rw-r--r--server/models/video/video-comment.ts6
-rw-r--r--server/tests/feeds/feeds.ts12
3 files changed, 18 insertions, 4 deletions
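--- a/server/controllers/feeds.ts
+++ b/server/controllers/feeds.ts
@@ -67,7 +67,7 @@ async function generateVideoCommentsFeed (req: express.Request, res: express.Res
  const feed = initFeed(name, description)
 
  // Adding video items to the feed, one at a time
- comments.forEach(comment => {
+ for (const comment of comments) {
  const link = WEBSERVER.URL + comment.getCommentStaticPath()
 
  let title = comment.Video.name
@@ -89,7 +89,7 @@ async function generateVideoCommentsFeed (req: express.Request, res: express.Res
  author,
  date: comment.createdAt
  })
- })
+ }
 
  // Now the feed generation is done, let's send it!
  return sendFeed(feed, req, res)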
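--- a/server/models/video/video-comment.ts
+++ b/server/models/video/video-comment.ts
@@ -27,6 +27,7 @@ import {
  MCommentOwnerVideoReply
 } from '../../typings/models/video'
 import { MUserAccountId } from '@server/typings/models'
+import { VideoPrivacy } from '@shared/models'
 
 enum ScopeNames {
  WITH_ACCOUNT = 'WITH_ACCOUNT',
@@ -390,7 +391,10 @@ export class VideoCommentModel extends Model<VideoCommentModel> {
  {
  attributes: [ 'name', 'uuid' ],
  model: VideoModel.unscoped(),
- required: true
+ required: true,
+ where: {
+ privacy: VideoPrivacy.PUBLIC
+ }
  }
  ]
  }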
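Review bot: The new `where: { privacy: VideoPrivacy.PUBLIC }` on the `VideoModel.unscoped()` include (new lines 395-397) is the only thing keeping comments on non-public videos out of this query, and nothing in the code records that it is a disclosure control. Because the model is unscoped, no default scope backs it up, so I would add a comment directly above it such as `// Access control: this list is exposed through the comments feed, keep it restricted to PUBLIC videos` so a later refactor of the include does not drop it. Matching on PUBLIC rather than excluding UNLISTED is the right shape, since it also keeps out any other non-public privacy value, which is broader than the commit title suggests. The enclosing method starts and ends outside the hunk, so whether other comment listings in this model join the video without the same filter cannot be checked from here and is worth a separate look.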
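--- a/server/tests/feeds/feeds.ts
+++ b/server/tests/feeds/feeds.ts
@@ -19,6 +19,7 @@ import * as libxmljs from 'libxmljs'
 import { addVideoCommentThread } from '../../../shared/extra-utils/videos/video-comments'
 import { waitJobs } from '../../../shared/extra-utils/server/jobs'
 import { User } from '../../../shared/models/users'
+import { VideoPrivacy } from '@shared/models'
 
 chai.use(require('chai-xml'))
 chai.use(require('chai-json-schema'))
@@ -77,6 +78,14 @@ describe('Test syndication feeds', () => {
  await addVideoCommentThread(servers[0].url, servers[0].accessToken, videoId, 'super comment 2')
  }
 
+ {
+ const videoAttributes = { name: 'unlisted video', privacy: VideoPrivacy.UNLISTED }
+ const res = await uploadVideo(servers[0].url, servers[0].accessToken, videoAttributes)
+ const videoId = res.body.video.id
+
+ await addVideoCommentThread(servers[0].url, servers[0].accessToken, videoId, 'comment on unlisted video')
+ }
+
  await waitJobs(servers)
  })
 
@@ -196,7 +205,8 @@ describe('Test syndication feeds', () => {
  })
 
  describe('Video comments feed', function () {
- it('Should contain valid comments (covers JSON feed 1.0 endpoint)', async function () {
+
+ it('Should contain valid comments (covers JSON feed 1.0 endpoint) and not from unlisted videos', async function () {
  for (const server of servers) {
  const json = await getJSONfeed(server.url, 'video-comments')
 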
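Review bot: The renamed test at new line 209 promises "and not from unlisted videos", but this commit adds no assertion to it. The check presumably rides on an existing item-count expectation further down the test body, which lies outside the hunk. An explicit negative check would make a regression fail for the stated reason and survive later changes to the number of fixtures, for example `expect(feedText).to.not.contain('comment on unlisted video')`, where `feedText` is a placeholder for however the test reads the response body. The fixture added at new lines 81-87 only covers `VideoPrivacy.UNLISTED`; a second upload with `VideoPrivacy.PRIVATE` and its own comment would pin the allowlist behaviour of the model filter rather than just the one case named in the commit title.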