author | Chocobozzz <me@florianbigard.com> | 2018-01-31 14:40:42 +0100 |
---|---|---|
committer | Chocobozzz <me@florianbigard.com> | 2018-01-31 14:40:42 +0100 |
commit | 81ebea48bfba2d81e62dd7a0f01a0cadf41d2607 (patch) | |
tree | 4188f531b1737c9c6b71488719030329e4e679ca /server | |
parent | e2436678e3eeb467622c2955193ef5aabcdbaf97 (diff) | |
Don't leak unlisted videos
Diffstat (limited to 'server')
-rw-r--r-- | server/middlewares/validators/videos.ts | 15 |
1 files changed, 12 insertions, 3 deletions
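--- a/server/middlewares/validators/videos.ts
+++ b/server/middlewares/validators/videos.ts
@@ -2,7 +2,7 @@ import * as express from 'express'
 import 'express-validator'
 import { body, param, query } from 'express-validator/check'
 import { UserRight, VideoPrivacy } from '../../../shared'
-import { isBooleanValid, isIdOrUUIDValid, isIdValid } from '../../helpers/custom-validators/misc'
+import { isBooleanValid, isIdOrUUIDValid, isIdValid, isUUIDValid } from '../../helpers/custom-validators/misc'
 import {
 isVideoAbuseReasonValid, isVideoCategoryValid, isVideoDescriptionValid, isVideoExist, isVideoFile, isVideoLanguageValid,
 isVideoLicenceValid, isVideoNameValid, isVideoPrivacyValid, isVideoRatingTypeValid, isVideoTagsValid
@@ -134,9 +134,18 @@ const videosGetValidator = [
 
 const video = res.locals.video
 
-// Video is not private, anyone can access it
-if (video.privacy !== VideoPrivacy.PRIVATE) return next()
+// Video is public, anyone can access it
+if (video.privacy === VideoPrivacy.PUBLIC) return next()
 
+// Video is unlisted, check we used the uuid to fetch it
+if (video.privacy === VideoPrivacy.UNLISTED) {
+if (isUUIDValid(req.params.id)) return next()
+
+// Don't leak this unlisted video
+return res.status(404).end()
+}
+
+// Video is private, check the user
 authenticate(req, res, () => {
 if (video.VideoChannel.Account.userId !== res.locals.oauth.token.User.id) {
 return res.status(403)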
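Review bot: The unlisted branch added in `videosGetValidator` treats the UUID as the only access secret, but the guard lives in this one validator, so any other validator in the file that resolves a video through `isIdOrUUIDValid` without passing through this check could presumably still serve an unlisted video by its numeric id; those validators are outside the hunk and should be checked. I would state the assumption at the branch, e.g. `// Unlisted: the UUID is the secret; a numeric id is presumably guessable and must never resolve`, and consider moving the test into a shared helper so every video route applies it. The private branch below still answers 403 to an authenticated non-owner, which confirms that a private video exists at that id, while the new branch answers 404; using 404 in both would keep the responses consistent. The `authenticate` callback continues outside the hunk, and the diffstat for `server` shows no test added for a numeric-id fetch of an unlisted video.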