aboutsummaryrefslogtreecommitdiffhomepage
path: root/server
diff options
context:
space:
mode:
authorChocobozzz <me@florianbigard.com>2018-01-31 14:40:42 +0100
committerChocobozzz <me@florianbigard.com>2018-01-31 14:40:42 +0100
commit81ebea48bfba2d81e62dd7a0f01a0cadf41d2607 (patch)
tree4188f531b1737c9c6b71488719030329e4e679ca /server
parente2436678e3eeb467622c2955193ef5aabcdbaf97 (diff)
downloadPeerTube-81ebea48bfba2d81e62dd7a0f01a0cadf41d2607.tar.gz
PeerTube-81ebea48bfba2d81e62dd7a0f01a0cadf41d2607.tar.zst
PeerTube-81ebea48bfba2d81e62dd7a0f01a0cadf41d2607.zip
Don't leak unlisted videos
Diffstat (limited to 'server')
-rw-r--r--server/middlewares/validators/videos.ts15
1 files changed, 12 insertions, 3 deletions
diff --git a/server/middlewares/validators/videos.ts b/server/middlewares/validators/videos.ts
index 1acb306c0..a365ed217 100644
--- a/server/middlewares/validators/videos.ts
+++ b/server/middlewares/validators/videos.ts
@@ -2,7 +2,7 @@ import * as express from 'express'
2import 'express-validator' 2import 'express-validator'
3import { body, param, query } from 'express-validator/check' 3import { body, param, query } from 'express-validator/check'
4import { UserRight, VideoPrivacy } from '../../../shared' 4import { UserRight, VideoPrivacy } from '../../../shared'
5import { isBooleanValid, isIdOrUUIDValid, isIdValid } from '../../helpers/custom-validators/misc' 5import { isBooleanValid, isIdOrUUIDValid, isIdValid, isUUIDValid } from '../../helpers/custom-validators/misc'
6import { 6import {
7 isVideoAbuseReasonValid, isVideoCategoryValid, isVideoDescriptionValid, isVideoExist, isVideoFile, isVideoLanguageValid, 7 isVideoAbuseReasonValid, isVideoCategoryValid, isVideoDescriptionValid, isVideoExist, isVideoFile, isVideoLanguageValid,
8 isVideoLicenceValid, isVideoNameValid, isVideoPrivacyValid, isVideoRatingTypeValid, isVideoTagsValid 8 isVideoLicenceValid, isVideoNameValid, isVideoPrivacyValid, isVideoRatingTypeValid, isVideoTagsValid
@@ -134,9 +134,18 @@ const videosGetValidator = [
134 134
135 const video = res.locals.video 135 const video = res.locals.video
136 136
137 // Video is not private, anyone can access it 137 // Video is public, anyone can access it
138 if (video.privacy !== VideoPrivacy.PRIVATE) return next() 138 if (video.privacy === VideoPrivacy.PUBLIC) return next()
139 139
140 // Video is unlisted, check we used the uuid to fetch it
141 if (video.privacy === VideoPrivacy.UNLISTED) {
142 if (isUUIDValid(req.params.id)) return next()
143
144 // Don't leak this unlisted video
145 return res.status(404).end()
146 }
147
148 // Video is private, check the user
140 authenticate(req, res, () => { 149 authenticate(req, res, () => {
141 if (video.VideoChannel.Account.userId !== res.locals.oauth.token.User.id) { 150 if (video.VideoChannel.Account.userId !== res.locals.oauth.token.User.id) {
142 return res.status(403) 151 return res.status(403)