authorChocobozzz <florian.bigard@gmail.com>2016-08-05 21:41:28 +0200
committerChocobozzz <florian.bigard@gmail.com>2016-08-05 21:41:28 +0200
commit58b2ba55a90f05f24661e664b1fb0a3486f037e8 (patch)
tree1f44b344423667280fca24661918cea8018195f7 /server
parentf3391f9237269ed671c23fdbcc9d86dc52134fe5 (diff)
downloadPeerTube-58b2ba55a90f05f24661e664b1fb0a3486f037e8.tar.gz
PeerTube-58b2ba55a90f05f24661e664b1fb0a3486f037e8.tar.zst
PeerTube-58b2ba55a90f05f24661e664b1fb0a3486f037e8.zip
Server: do not allow a user to remove a video of another user
Diffstat (limited to 'server')
-rw-r--r--server/middlewares/validators/videos.js1
-rw-r--r--server/tests/api/checkParams.js2
2 files changed, 3 insertions, 0 deletions
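--- a/server/middlewares/validators/videos.js
+++ b/server/middlewares/validators/videos.js
@@ -77,6 +77,7 @@ function videosRemove (req, res, next) {
 
 if (!video) return res.status(404).send('Video not found')
 else if (video.isOwned() === false) return res.status(403).send('Cannot remove video of another pod')
+else if (video.author !== res.locals.oauth.token.user.username) return res.status(403).send('Cannot remove video of another user')
 
 next()
 })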
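Review bot: The new ownership check, `video.author !== res.locals.oauth.token.user.username`, ties the authorization decision to a username string rather than a stable account identifier. If usernames can be renamed, re-registered after an account is deleted, or differ only in case, the comparison could allow or deny removal for the wrong account. None of that can be confirmed from this hunk, so the assumption should be written down next to the check, for example `// relies on usernames being unique and immutable on this pod; remote videos are already rejected by isOwned() above`. The line also dereferences `res.locals.oauth.token.user` without a guard, so it presumably depends on the OAuth authentication middleware always running before this validator on the route. videosRemove starts and ends outside the hunk.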
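--- a/server/tests/api/checkParams.js
+++ b/server/tests/api/checkParams.js
@@ -496,6 +496,8 @@ describe('Test parameters validator', function () {
 .expect(404, done)
 })
 
+it('Should fail with a video of another user')
+
 it('Should fail with a video of another pod')
 
 it('Should succeed with the correct parameters')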
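Review bot: The added `it('Should fail with a video of another user')` has no callback, so Mocha reports it as pending and the 403 branch this commit adds to videosRemove is never exercised. Because that branch is an access-control check, a regression there would go unnoticed. The test should upload a video as one user, send the delete request with a second user's token, and expect a 403 response. It is described rather than written out because the request helpers and fixtures sit outside the hunk, as do the start and end of the enclosing describe block.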