authorChocobozzz <florian.bigard@gmail.com>2017-01-11 18:41:09 +0100
committerChocobozzz <florian.bigard@gmail.com>2017-01-11 18:41:09 +0100
commit45abb8b97b8313f8f58a4a73b527882ad7b4af9c (patch)
tree6b5936d30261334abcafaa16779a32171031a87b /server
parentd8cc063e9775688a1631eda9203411a2dba0333c (diff)
Server: rights check for update a video
Diffstat (limited to 'server')
-rw-r--r--server/middlewares/validators/videos.js8
-rw-r--r--server/tests/api/check-params/videos.js4
2 files changed, 12 insertions, 0 deletions
diff --git a/server/middlewares/validators/videos.js b/server/middlewares/validators/videos.js
index ff18a99c2..3d7c04b60 100644
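--- a/server/middlewares/validators/videos.js
+++ b/server/middlewares/validators/videos.js
@@ -53,6 +53,14 @@ function videosUpdate (req, res, next) {
 logger.debug('Checking videosUpdate parameters', { parameters: req.body })
 
 checkErrors(req, res, function () {
+if (res.locals.video.isOwned() === false) {
+return res.status(403).send('Cannot update video of another pod')
+}
+
+if (res.locals.video.Author.userId !== res.locals.oauth.token.User.id) {
+return res.status(403).send('Cannot update video of another user')
+}
+
 checkVideoExists(req.params.id, res, next)
 })
 }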
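Review bot: Both new 403 checks read `res.locals.video` before `checkVideoExists(req.params.id, res, next)` has run, and nothing visible in this hunk populates `res.locals.video` earlier. If `checkVideoExists` is what loads the video into `res.locals` (its definition and the start of `videosUpdate` are outside the hunk, so this is inferred from the name and call order), then `res.locals.video.isOwned()` would throw a TypeError on every update rather than enforce ownership. Running the checks inside the lookup's callback avoids that: `checkVideoExists(req.params.id, res, function () { /* the two 403 checks */ next() })`. The second check also dereferences `res.locals.video.Author` and `res.locals.oauth.token.User` unguarded, so it depends on the Author association being loaded and on the OAuth middleware running before this validator; a short comment stating that precondition would help.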
diff --git a/server/tests/api/check-params/videos.js b/server/tests/api/check-params/videos.js
index d18305291..fac903715 100644
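--- a/server/tests/api/check-params/videos.js
+++ b/server/tests/api/check-params/videos.js
@@ -378,6 +378,10 @@ describe('Test videos API validator', function () {
 }
 requestsUtils.makePutBodyRequest(server.url, path + videoId, server.accessToken, data, done)
 })
+
+it('Should fail with a video of another user')
+
+it('Should fail with a video of another pod')
 })
 
 describe('When getting a video', function () {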
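Review bot: The two added cases, `it('Should fail with a video of another user')` and `it('Should fail with a video of another pod')`, have no callback, so a Mocha-style runner reports them as pending and the new 403 ownership checks are never exercised. Because this is an authorization boundary, each case should issue the PUT against a video the caller does not own (another user's token, or a video from a remote pod) and assert the 403 status. The enclosing `describe` blocks start and end outside this hunk.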