aboutsummaryrefslogtreecommitdiffhomepage
path: root/server
diff options
context:
space:
mode:
authorChocobozzz <florian.bigard@gmail.com>2017-01-11 19:15:23 +0100
committerChocobozzz <florian.bigard@gmail.com>2017-01-11 19:15:23 +0100
commit63d00f5ded0aad25eeb50111da65b6daa46bcb24 (patch)
tree507bc5e55564445fd43b5940bd466b62633aea4a /server
parentedc5e86006bf5e4a2819c380bb65734fe9caa87e (diff)
downloadPeerTube-63d00f5ded0aad25eeb50111da65b6daa46bcb24.tar.gz
PeerTube-63d00f5ded0aad25eeb50111da65b6daa46bcb24.tar.zst
PeerTube-63d00f5ded0aad25eeb50111da65b6daa46bcb24.zip
Server: fix update right checks
Diffstat (limited to 'server')
-rw-r--r--server/middlewares/validators/videos.js17
1 files changed, 10 insertions, 7 deletions
diff --git a/server/middlewares/validators/videos.js b/server/middlewares/validators/videos.js
index 3d7c04b60..4fe6dcd8b 100644
--- a/server/middlewares/validators/videos.js
+++ b/server/middlewares/validators/videos.js
@@ -53,15 +53,18 @@ function videosUpdate (req, res, next) {
53 logger.debug('Checking videosUpdate parameters', { parameters: req.body }) 53 logger.debug('Checking videosUpdate parameters', { parameters: req.body })
54 54
55 checkErrors(req, res, function () { 55 checkErrors(req, res, function () {
56 if (res.locals.video.isOwned() === false) { 56 checkVideoExists(req.params.id, res, function () {
57 return res.status(403).send('Cannot update video of another pod') 57 // We need to make additional checks
58 } 58 if (res.locals.video.isOwned() === false) {
59 return res.status(403).send('Cannot update video of another pod')
60 }
59 61
60 if (res.locals.video.Author.userId !== res.locals.oauth.token.User.id) { 62 if (res.locals.video.Author.userId !== res.locals.oauth.token.User.id) {
61 return res.status(403).send('Cannot update video of another user') 63 return res.status(403).send('Cannot update video of another user')
62 } 64 }
63 65
64 checkVideoExists(req.params.id, res, next) 66 next()
67 })
65 }) 68 })
66} 69}
67 70