Check video privacy when creating comments/rates

author: Chocobozzz <me@florianbigard.com> 2022-02-22 14:16:34 +0100
committer: Chocobozzz <me@florianbigard.com> 2022-02-22 14:16:51 +0100
commit: 6ea9295b8f5dd7cc254202a79aad61c666cc4259 (patch)
tree: 0345d57eb47c5b5cd0046fee1456b0dc440ae470 /server
parent: fdd5da058aeffb161202124a129789a3c2bb234c (diff)
download: PeerTube-6ea9295b8f5dd7cc254202a79aad61c666cc4259.tar.gz
PeerTube-6ea9295b8f5dd7cc254202a79aad61c666cc4259.tar.zst
PeerTube-6ea9295b8f5dd7cc254202a79aad61c666cc4259.zip
4 files changed, 75 insertions, 7 deletions
diff --git a/server/middlewares/validators/videos/video-comments.ts b/server/middlewares/validators/videos/video-comments.ts
index 91ae31ec2..91e85711d 100644
--- a/server/middlewares/validators/videos/video-comments.ts
+++ b/server/middlewares/validators/videos/video-comments.ts
@@ -100,6 +100,14 @@ const addVideoCommentThreadValidator = [
    if (areValidationErrors(req, res)) return
    if (!await doesVideoExist(req.params.videoId, res)) return
+    if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.videoAll)) {
+      return res.fail({
+        status: HttpStatusCode.FORBIDDEN_403,
+        message: 'Cannot access to this ressource'
+      })
+    }
    if (!isVideoCommentsEnabled(res.locals.videoAll, res)) return
    if (!await isVideoCommentAccepted(req, res, res.locals.videoAll, false)) return
@@ -119,6 +127,14 @@ const addVideoCommentReplyValidator = [
    if (areValidationErrors(req, res)) return
    if (!await doesVideoExist(req.params.videoId, res)) return
+    if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.videoAll)) {
+      return res.fail({
+        status: HttpStatusCode.FORBIDDEN_403,
+        message: 'Cannot access to this ressource'
+      })
+    }
    if (!isVideoCommentsEnabled(res.locals.videoAll, res)) return
    if (!await doesVideoCommentExist(req.params.commentId, res.locals.videoAll, res)) return
    if (!await isVideoCommentAccepted(req, res, res.locals.videoAll, true)) return
diff --git a/server/middlewares/validators/videos/video-rates.ts b/server/middlewares/validators/videos/video-rates.ts
index 6e0bb0ad1..923bf3eaf 100644
--- a/server/middlewares/validators/videos/video-rates.ts
+++ b/server/middlewares/validators/videos/video-rates.ts
@@ -8,7 +8,7 @@ import { isRatingValid } from '../../../helpers/custom-validators/video-rates'
 import { isVideoRatingTypeValid } from '../../../helpers/custom-validators/videos'
 import { logger } from '../../../helpers/logger'
 import { AccountVideoRateModel } from '../../../models/account/account-video-rate'
-import { areValidationErrors, doesVideoExist, isValidVideoIdParam } from '../shared'
+import { areValidationErrors, checkCanSeeVideoIfPrivate, doesVideoExist, isValidVideoIdParam } from '../shared'
 const videoUpdateRateValidator = [
  isValidVideoIdParam('id'),
@@ -21,6 +21,13 @@ const videoUpdateRateValidator = [
    if (areValidationErrors(req, res)) return
    if (!await doesVideoExist(req.params.id, res)) return
+    if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.videoAll)) {
+      return res.fail({
+        status: HttpStatusCode.FORBIDDEN_403,
+        message: 'Cannot access to this ressource'
+      })
+    }
    return next()
  }
 ]
diff --git a/server/tests/api/check-params/video-comments.ts b/server/tests/api/check-params/video-comments.ts
index 829f3c8b1..624d657d3 100644
--- a/server/tests/api/check-params/video-comments.ts
+++ b/server/tests/api/check-params/video-comments.ts
@@ -19,10 +19,14 @@ const expect = chai.expect
 describe('Test video comments API validator', function () {
  let pathThread: string
  let pathComment: string
  let server: PeerTubeServer
  let video: VideoCreateResult
  let userAccessToken: string
  let userAccessToken2: string
  let commentId: number
  let privateCommentId: number
  let privateVideo: VideoCreateResult
@@ -203,9 +207,8 @@ describe('Test video comments API validator', function () {
    it('Should fail with an incorrect video', async function () {
      const path = '/api/v1/videos/ba708d62-e3d7-45d9-9d73-41b9097cc02d/comment-threads'
-      const fields = {
+      const fields = { text: 'super comment' }
-        text: 'super comment'
-      }
      await makePostBodyRequest({
        url: server.url,
        path,
@@ -215,10 +218,21 @@ describe('Test video comments API validator', function () {
      })
    })
+    it('Should fail with a private video of another user', async function () {
+      const fields = { text: 'super comment' }
+      await makePostBodyRequest({
+        url: server.url,
+        path: '/api/v1/videos/' + privateVideo.shortUUID + '/comment-threads',
+        token: userAccessToken,
+        fields,
+        expectedStatus: HttpStatusCode.FORBIDDEN_403
+      })
+    })
    it('Should succeed with the correct parameters', async function () {
-      const fields = {
+      const fields = { text: 'super comment' }
-        text: 'super comment'
-      }
      await makePostBodyRequest({
        url: server.url,
        path: pathThread,
@@ -230,6 +244,7 @@ describe('Test video comments API validator', function () {
  })
  describe('When adding a comment to a thread', function () {
    it('Should fail with a non authenticated user', async function () {
      const fields = {
        text: 'text'
@@ -276,6 +291,18 @@ describe('Test video comments API validator', function () {
      })
    })
+    it('Should fail with a private video of another user', async function () {
+      const fields = { text: 'super comment' }
+      await makePostBodyRequest({
+        url: server.url,
+        path: '/api/v1/videos/' + privateVideo.uuid + '/comments/' + privateCommentId,
+        token: userAccessToken,
+        fields,
+        expectedStatus: HttpStatusCode.FORBIDDEN_403
+      })
+    })
    it('Should fail with an incorrect comment', async function () {
      const path = '/api/v1/videos/' + video.uuid + '/comments/124'
      const fields = {
diff --git a/server/tests/api/check-params/videos.ts b/server/tests/api/check-params/videos.ts
index 4cc70f5cc..41064d2ff 100644
--- a/server/tests/api/check-params/videos.ts
+++ b/server/tests/api/check-params/videos.ts
@@ -28,6 +28,7 @@ describe('Test videos API validator', function () {
  let channelId: number
  let channelName: string
  let video: VideoCreateResult
+  let privateVideo: VideoCreateResult
  // ---------------------------------------------------------------
@@ -49,6 +50,10 @@ describe('Test videos API validator', function () {
      channelName = body.videoChannels[0].name
      accountName = body.account.name + '@' + body.account.host
    }
+    {
+      privateVideo = await server.videos.quickUpload({ name: 'private video', privacy: VideoPrivacy.PRIVATE })
+    }
  })
  describe('When listing videos', function () {
@@ -783,6 +788,19 @@ describe('Test videos API validator', function () {
      await makePutBodyRequest({ url: server.url, path: path + videoId + '/rate', token: server.accessToken, fields })
    })
+    it('Should fail with a private video of another user', async function () {
+      const fields = {
+        rating: 'like'
+      }
+      await makePutBodyRequest({
+        url: server.url,
+        path: path + privateVideo.uuid + '/rate',
+        token: userAccessToken,
+        fields,
+        expectedStatus: HttpStatusCode.FORBIDDEN_403
+      })
+    })
    it('Should succeed with the correct parameters', async function () {
      const fields = {
        rating: 'like'
author	Chocobozzz <me@florianbigard.com>	2022-02-22 14:16:34 +0100
committer	Chocobozzz <me@florianbigard.com>	2022-02-22 14:16:51 +0100
commit	6ea9295b8f5dd7cc254202a79aad61c666cc4259 (patch)
tree	0345d57eb47c5b5cd0046fee1456b0dc440ae470 /server
parent	fdd5da058aeffb161202124a129789a3c2bb234c (diff)
download	PeerTube-6ea9295b8f5dd7cc254202a79aad61c666cc4259.tar.gz PeerTube-6ea9295b8f5dd7cc254202a79aad61c666cc4259.tar.zst PeerTube-6ea9295b8f5dd7cc254202a79aad61c666cc4259.zip

diff --git a/server/middlewares/validators/videos/video-comments.ts b/server/middlewares/validators/videos/video-comments.ts index 91ae31ec2..91e85711d 100644 --- a/server/middlewares/validators/videos/video-comments.ts +++ b/server/middlewares/validators/videos/video-comments.ts
@@ -100,6 +100,14 @@ const addVideoCommentThreadValidator = [
100		100
101	if (areValidationErrors(req, res)) return	101	if (areValidationErrors(req, res)) return
102	if (!await doesVideoExist(req.params.videoId, res)) return	102	if (!await doesVideoExist(req.params.videoId, res)) return
		103
		104	if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.videoAll)) {
		105	return res.fail({
		106	status: HttpStatusCode.FORBIDDEN_403,
		107	message: 'Cannot access to this ressource'
		108	})
		109	}
		110
103	if (!isVideoCommentsEnabled(res.locals.videoAll, res)) return	111	if (!isVideoCommentsEnabled(res.locals.videoAll, res)) return
104	if (!await isVideoCommentAccepted(req, res, res.locals.videoAll, false)) return	112	if (!await isVideoCommentAccepted(req, res, res.locals.videoAll, false)) return
105		113
@@ -119,6 +127,14 @@ const addVideoCommentReplyValidator = [
119		127
120	if (areValidationErrors(req, res)) return	128	if (areValidationErrors(req, res)) return
121	if (!await doesVideoExist(req.params.videoId, res)) return	129	if (!await doesVideoExist(req.params.videoId, res)) return
		130
		131	if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.videoAll)) {
		132	return res.fail({
		133	status: HttpStatusCode.FORBIDDEN_403,
		134	message: 'Cannot access to this ressource'
		135	})
		136	}
		137
122	if (!isVideoCommentsEnabled(res.locals.videoAll, res)) return	138	if (!isVideoCommentsEnabled(res.locals.videoAll, res)) return
123	if (!await doesVideoCommentExist(req.params.commentId, res.locals.videoAll, res)) return	139	if (!await doesVideoCommentExist(req.params.commentId, res.locals.videoAll, res)) return
124	if (!await isVideoCommentAccepted(req, res, res.locals.videoAll, true)) return	140	if (!await isVideoCommentAccepted(req, res, res.locals.videoAll, true)) return


diff --git a/server/middlewares/validators/videos/video-rates.ts b/server/middlewares/validators/videos/video-rates.ts index 6e0bb0ad1..923bf3eaf 100644 --- a/server/middlewares/validators/videos/video-rates.ts +++ b/server/middlewares/validators/videos/video-rates.ts
@@ -8,7 +8,7 @@ import { isRatingValid } from '../../../helpers/custom-validators/video-rates'
8	import { isVideoRatingTypeValid } from '../../../helpers/custom-validators/videos'	8	import { isVideoRatingTypeValid } from '../../../helpers/custom-validators/videos'
9	import { logger } from '../../../helpers/logger'	9	import { logger } from '../../../helpers/logger'
10	import { AccountVideoRateModel } from '../../../models/account/account-video-rate'	10	import { AccountVideoRateModel } from '../../../models/account/account-video-rate'
11	import { areValidationErrors, doesVideoExist, isValidVideoIdParam } from '../shared'	11	import { areValidationErrors, checkCanSeeVideoIfPrivate, doesVideoExist, isValidVideoIdParam } from '../shared'
12		12
13	const videoUpdateRateValidator = [	13	const videoUpdateRateValidator = [
14	isValidVideoIdParam('id'),	14	isValidVideoIdParam('id'),
@@ -21,6 +21,13 @@ const videoUpdateRateValidator = [
21	if (areValidationErrors(req, res)) return	21	if (areValidationErrors(req, res)) return
22	if (!await doesVideoExist(req.params.id, res)) return	22	if (!await doesVideoExist(req.params.id, res)) return
23		23
		24	if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.videoAll)) {
		25	return res.fail({
		26	status: HttpStatusCode.FORBIDDEN_403,
		27	message: 'Cannot access to this ressource'
		28	})
		29	}
		30
24	return next()	31	return next()
25	}	32	}
26	]	33	]


diff --git a/server/tests/api/check-params/video-comments.ts b/server/tests/api/check-params/video-comments.ts index 829f3c8b1..624d657d3 100644 --- a/server/tests/api/check-params/video-comments.ts +++ b/server/tests/api/check-params/video-comments.ts
@@ -19,10 +19,14 @@ const expect = chai.expect
19	describe('Test video comments API validator', function () {	19	describe('Test video comments API validator', function () {
20	let pathThread: string	20	let pathThread: string
21	let pathComment: string	21	let pathComment: string
		22
22	let server: PeerTubeServer	23	let server: PeerTubeServer
		24
23	let video: VideoCreateResult	25	let video: VideoCreateResult
		26
24	let userAccessToken: string	27	let userAccessToken: string
25	let userAccessToken2: string	28	let userAccessToken2: string
		29
26	let commentId: number	30	let commentId: number
27	let privateCommentId: number	31	let privateCommentId: number
28	let privateVideo: VideoCreateResult	32	let privateVideo: VideoCreateResult
@@ -203,9 +207,8 @@ describe('Test video comments API validator', function () {
203		207
204	it('Should fail with an incorrect video', async function () {	208	it('Should fail with an incorrect video', async function () {
205	const path = '/api/v1/videos/ba708d62-e3d7-45d9-9d73-41b9097cc02d/comment-threads'	209	const path = '/api/v1/videos/ba708d62-e3d7-45d9-9d73-41b9097cc02d/comment-threads'
206	const fields = {	210	const fields = { text: 'super comment' }
207	text: 'super comment'	211
208	}
209	await makePostBodyRequest({	212	await makePostBodyRequest({
210	url: server.url,	213	url: server.url,
211	path,	214	path,
@@ -215,10 +218,21 @@ describe('Test video comments API validator', function () {
215	})	218	})
216	})	219	})
217		220
		221	it('Should fail with a private video of another user', async function () {
		222	const fields = { text: 'super comment' }
		223
		224	await makePostBodyRequest({
		225	url: server.url,
		226	path: '/api/v1/videos/' + privateVideo.shortUUID + '/comment-threads',
		227	token: userAccessToken,
		228	fields,
		229	expectedStatus: HttpStatusCode.FORBIDDEN_403
		230	})
		231	})
		232
218	it('Should succeed with the correct parameters', async function () {	233	it('Should succeed with the correct parameters', async function () {
219	const fields = {	234	const fields = { text: 'super comment' }
220	text: 'super comment'	235
221	}
222	await makePostBodyRequest({	236	await makePostBodyRequest({
223	url: server.url,	237	url: server.url,
224	path: pathThread,	238	path: pathThread,
@@ -230,6 +244,7 @@ describe('Test video comments API validator', function () {
230	})	244	})
231		245
232	describe('When adding a comment to a thread', function () {	246	describe('When adding a comment to a thread', function () {
		247
233	it('Should fail with a non authenticated user', async function () {	248	it('Should fail with a non authenticated user', async function () {
234	const fields = {	249	const fields = {
235	text: 'text'	250	text: 'text'
@@ -276,6 +291,18 @@ describe('Test video comments API validator', function () {
276	})	291	})
277	})	292	})
278		293
		294	it('Should fail with a private video of another user', async function () {
		295	const fields = { text: 'super comment' }
		296
		297	await makePostBodyRequest({
		298	url: server.url,
		299	path: '/api/v1/videos/' + privateVideo.uuid + '/comments/' + privateCommentId,
		300	token: userAccessToken,
		301	fields,
		302	expectedStatus: HttpStatusCode.FORBIDDEN_403
		303	})
		304	})
		305
279	it('Should fail with an incorrect comment', async function () {	306	it('Should fail with an incorrect comment', async function () {
280	const path = '/api/v1/videos/' + video.uuid + '/comments/124'	307	const path = '/api/v1/videos/' + video.uuid + '/comments/124'
281	const fields = {	308	const fields = {


diff --git a/server/tests/api/check-params/videos.ts b/server/tests/api/check-params/videos.ts index 4cc70f5cc..41064d2ff 100644 --- a/server/tests/api/check-params/videos.ts +++ b/server/tests/api/check-params/videos.ts
@@ -28,6 +28,7 @@ describe('Test videos API validator', function () {
28	let channelId: number	28	let channelId: number
29	let channelName: string	29	let channelName: string
30	let video: VideoCreateResult	30	let video: VideoCreateResult
		31	let privateVideo: VideoCreateResult
31		32
32	// ---------------------------------------------------------------	33	// ---------------------------------------------------------------
33		34
@@ -49,6 +50,10 @@ describe('Test videos API validator', function () {
49	channelName = body.videoChannels[0].name	50	channelName = body.videoChannels[0].name
50	accountName = body.account.name + '@' + body.account.host	51	accountName = body.account.name + '@' + body.account.host
51	}	52	}
		53
		54	{
		55	privateVideo = await server.videos.quickUpload({ name: 'private video', privacy: VideoPrivacy.PRIVATE })
		56	}
52	})	57	})
53		58
54	describe('When listing videos', function () {	59	describe('When listing videos', function () {
@@ -783,6 +788,19 @@ describe('Test videos API validator', function () {
783	await makePutBodyRequest({ url: server.url, path: path + videoId + '/rate', token: server.accessToken, fields })	788	await makePutBodyRequest({ url: server.url, path: path + videoId + '/rate', token: server.accessToken, fields })
784	})	789	})
785		790
		791	it('Should fail with a private video of another user', async function () {
		792	const fields = {
		793	rating: 'like'
		794	}
		795	await makePutBodyRequest({
		796	url: server.url,
		797	path: path + privateVideo.uuid + '/rate',
		798	token: userAccessToken,
		799	fields,
		800	expectedStatus: HttpStatusCode.FORBIDDEN_403
		801	})
		802	})
		803
786	it('Should succeed with the correct parameters', async function () {	804	it('Should succeed with the correct parameters', async function () {
787	const fields = {	805	const fields = {
788	rating: 'like'	806	rating: 'like'