author | Chocobozzz <florian.bigard@gmail.com> | 2016-08-05 21:41:28 +0200 |
---|---|---|
committer | Chocobozzz <florian.bigard@gmail.com> | 2016-08-05 21:41:28 +0200 |
commit | 58b2ba55a90f05f24661e664b1fb0a3486f037e8 (patch) | |
tree | 1f44b344423667280fca24661918cea8018195f7 /server | |
parent | f3391f9237269ed671c23fdbcc9d86dc52134fe5 (diff) | |
Server: do not allow a user to remove a video of another user
Diffstat (limited to 'server')
-rw-r--r-- | server/middlewares/validators/videos.js | 1 | ||||
-rw-r--r-- | server/tests/api/checkParams.js | 2 |
2 files changed, 3 insertions, 0 deletions
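--- a/server/middlewares/validators/videos.js
+++ b/server/middlewares/validators/videos.js
@@ -77,6 +77,7 @@ function videosRemove (req, res, next) {
 
 if (!video) return res.status(404).send('Video not found')
 else if (video.isOwned() === false) return res.status(403).send('Cannot remove video of another pod')
+else if (video.author !== res.locals.oauth.token.user.username) return res.status(403).send('Cannot remove video of another user')
 
 next()
 })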
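Review bot: The ownership check added at new line 80 matches `video.author` against `res.locals.oauth.token.user.username`, so the right to delete is bound to a username string rather than to an immutable account identifier. If a username can ever be released and registered again (account removal is not visible in this hunk), the new holder would pass this check for the previous owner's videos; comparing a stable user id stored on the video would close that gap. The expression also dereferences `res.locals.oauth.token.user` without a guard, which is safe only if the OAuth authentication middleware always runs before this validator on the route; a comment such as `// requires the authenticate middleware upstream: res.locals.oauth.token.user must be set` would record that dependency. The body of videosRemove starts and ends outside the hunk.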
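--- a/server/tests/api/checkParams.js
+++ b/server/tests/api/checkParams.js
@@ -496,6 +496,8 @@ describe('Test parameters validator', function () {
 .expect(404, done)
 })
 
+it('Should fail with a video of another user')
+
 it('Should fail with a video of another pod')
 
 it('Should succeed with the correct parameters')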
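Review bot: The added `it('Should fail with a video of another user')` has no callback, so it is only a pending placeholder and the new 403 branch in videosRemove ships without regression coverage. For an authorization fix the test should exist in the same commit: upload a video as one user, request its removal with a second user's access token, and assert a 403 in the same style as the `.expect(404, done)` case above. It should also assert that the video is still retrievable afterwards, so a later refactor that returns 403 but still deletes would be caught. The enclosing describe block starts and ends outside the hunk.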