author | Chocobozzz <florian.bigard@gmail.com> | 2017-01-11 18:41:09 +0100 |
---|---|---|
committer | Chocobozzz <florian.bigard@gmail.com> | 2017-01-11 18:41:09 +0100 |
commit | 45abb8b97b8313f8f58a4a73b527882ad7b4af9c (patch) | |
tree | 6b5936d30261334abcafaa16779a32171031a87b /server | |
parent | d8cc063e9775688a1631eda9203411a2dba0333c (diff) | |
Server: rights check for update a video
Diffstat (limited to 'server')
-rw-r--r-- | server/middlewares/validators/videos.js | 8 | ||||
-rw-r--r-- | server/tests/api/check-params/videos.js | 4 |
2 files changed, 12 insertions, 0 deletions
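--- a/server/middlewares/validators/videos.js
+++ b/server/middlewares/validators/videos.js
@@ -53,6 +53,14 @@ function videosUpdate (req, res, next) {
 logger.debug('Checking videosUpdate parameters', { parameters: req.body })
 
 checkErrors(req, res, function () {
+if (res.locals.video.isOwned() === false) {
+return res.status(403).send('Cannot update video of another pod')
+}
+
+if (res.locals.video.Author.userId !== res.locals.oauth.token.User.id) {
+return res.status(403).send('Cannot update video of another user')
+}
+
 checkVideoExists(req.params.id, res, next)
 })
 }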
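Review bot: The two ownership checks read `res.locals.video` before `checkVideoExists(req.params.id, res, next)` has run. The helper's body is outside this hunk, but if it is what loads the video into `res.locals`, then `res.locals.video` is still undefined at this point and the request ends in a TypeError instead of a clean 403. Running the checks inside the helper's callback avoids that: `checkVideoExists(req.params.id, res, function () { /* both checks */ next() })`. It is also worth confirming that the video is loaded together with its `Author` association, since `Author.userId` is dereferenced without a guard. videosUpdate begins above the hunk.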
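--- a/server/tests/api/check-params/videos.js
+++ b/server/tests/api/check-params/videos.js
@@ -378,6 +378,10 @@ describe('Test videos API validator', function () {
 }
 requestsUtils.makePutBodyRequest(server.url, path + videoId, server.accessToken, data, done)
 })
+
+it('Should fail with a video of another user')
+
+it('Should fail with a video of another pod')
 })
 
 describe('When getting a video', function () {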
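Review bot: Both new `it(...)` entries are declared without a callback, so a Mocha-style runner reports them as pending and neither 403 branch added to the validator is actually exercised. Because these are the authorization checks for video update, each should make a real request and assert a 403 response: a PUT with a second user's access token against the first user's video, and a PUT against a video that originated from another pod. The enclosing `describe` block starts above the hunk.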