Server: rights check for update a video

2 files changed, 12 insertions, 0 deletions

diff --git a/server/middlewares/validators/videos.js b/server/middlewares/validators/videos.js
index ff18a99c2..3d7c04b60 100644
--- a/server/middlewares/validators/videos.js
+++ b/server/middlewares/validators/videos.js
@@ -53,6 +53,14 @@ function videosUpdate (req, res, next) {
   logger.debug('Checking videosUpdate parameters', { parameters: req.body })
 
   checkErrors(req, res, function () {
+    if (res.locals.video.isOwned() === false) {
+      return res.status(403).send('Cannot update video of another pod')
+    }
+
+    if (res.locals.video.Author.userId !== res.locals.oauth.token.User.id) {
+      return res.status(403).send('Cannot update video of another user')
+    }
+
     checkVideoExists(req.params.id, res, next)
   })
 }
diff --git a/server/tests/api/check-params/videos.js b/server/tests/api/check-params/videos.js
index d18305291..fac903715 100644
--- a/server/tests/api/check-params/videos.js
+++ b/server/tests/api/check-params/videos.js
@@ -378,6 +378,10 @@ describe('Test videos API validator', function () {
       }
       requestsUtils.makePutBodyRequest(server.url, path + videoId, server.accessToken, data, done)
     })
+
+    it('Should fail with a video of another user')
+
+    it('Should fail with a video of another pod')
   })
 
   describe('When getting a video', function () {