-rw-r--r-- | server/middlewares/validators/videos/video-comments.ts | 23 | ||||
-rw-r--r-- | server/tests/api/check-params/video-comments.ts | 63 |
2 files changed, 84 insertions, 2 deletions
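--- a/server/middlewares/validators/videos/video-comments.ts
+++ b/server/middlewares/validators/videos/video-comments.ts
@@ -9,7 +9,14 @@ import { logger } from '../../../helpers/logger'
 import { AcceptResult, isLocalVideoCommentReplyAccepted, isLocalVideoThreadAccepted } from '../../../lib/moderation'
 import { Hooks } from '../../../lib/plugins/hooks'
 import { MCommentOwnerVideoReply, MVideo, MVideoFullLight } from '../../../types/models/video'
-import { areValidationErrors, doesVideoCommentExist, doesVideoCommentThreadExist, doesVideoExist, isValidVideoIdParam } from '../shared'
+import {
+  areValidationErrors,
+  checkCanSeeVideoIfPrivate,
+  doesVideoCommentExist,
+  doesVideoCommentThreadExist,
+  doesVideoExist,
+  isValidVideoIdParam
+} from '../shared'
 
 const listVideoCommentsValidator = [
   query('isLocal')
@@ -48,6 +55,13 @@ const listVideoCommentThreadsValidator = [
     if (areValidationErrors(req, res)) return
     if (!await doesVideoExist(req.params.videoId, res, 'only-video')) return
 
+    if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.onlyVideo)) {
+      return res.fail({
+        status: HttpStatusCode.FORBIDDEN_403,
+        message: 'Cannot list comments of private/internal/blocklisted video'
+      })
+    }
+
     return next()
   }
 ]
@@ -65,6 +79,13 @@ const listVideoThreadCommentsValidator = [
     if (!await doesVideoExist(req.params.videoId, res, 'only-video')) return
     if (!await doesVideoCommentThreadExist(req.params.threadId, res.locals.onlyVideo, res)) return
 
+    if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.onlyVideo)) {
+      return res.fail({
+        status: HttpStatusCode.FORBIDDEN_403,
+        message: 'Cannot list threads of private/internal/blocklisted video'
+      })
+    }
+
     return next()
   }
 ]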
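--- a/server/tests/api/check-params/video-comments.ts
+++ b/server/tests/api/check-params/video-comments.ts
@@ -14,7 +14,7 @@ import {
   PeerTubeServer,
   setAccessTokensToServers
 } from '@shared/extra-utils'
-import { HttpStatusCode, VideoCreateResult } from '@shared/models'
+import { HttpStatusCode, VideoCreateResult, VideoPrivacy } from '@shared/models'
 
 const expect = chai.expect
 
@@ -26,6 +26,8 @@ describe('Test video comments API validator', function () {
   let userAccessToken: string
   let userAccessToken2: string
   let commentId: number
+  let privateCommentId: number
+  let privateVideo: VideoCreateResult
 
   // ---------------------------------------------------------------
 
@@ -42,12 +44,21 @@ describe('Test video comments API validator', function () {
     }
 
     {
+      privateVideo = await server.videos.upload({ attributes: { privacy: VideoPrivacy.PRIVATE } })
+    }
+
+    {
       const created = await server.comments.createThread({ videoId: video.uuid, text: 'coucou' })
       commentId = created.id
       pathComment = '/api/v1/videos/' + video.uuid + '/comments/' + commentId
     }
 
     {
+      const created = await server.comments.createThread({ videoId: privateVideo.uuid, text: 'coucou' })
+      privateCommentId = created.id
+    }
+
+    {
       const user = { username: 'user1', password: 'my super password' }
       await server.users.create({ username: user.username, password: user.password })
       userAccessToken = await server.login.getAccessToken(user)
@@ -80,6 +91,32 @@ describe('Test video comments API validator', function () {
         expectedStatus: HttpStatusCode.NOT_FOUND_404
       })
     })
+
+    it('Should fail with a private video without token', async function () {
+      await makeGetRequest({
+        url: server.url,
+        path: '/api/v1/videos/' + privateVideo.shortUUID + '/comment-threads',
+        expectedStatus: HttpStatusCode.UNAUTHORIZED_401
+      })
+    })
+
+    it('Should fail with another user token', async function () {
+      await makeGetRequest({
+        url: server.url,
+        token: userAccessToken,
+        path: '/api/v1/videos/' + privateVideo.shortUUID + '/comment-threads',
+        expectedStatus: HttpStatusCode.FORBIDDEN_403
+      })
+    })
+
+    it('Should succeed with the correct params', async function () {
+      await makeGetRequest({
+        url: server.url,
+        token: server.accessToken,
+        path: '/api/v1/videos/' + privateVideo.shortUUID + '/comment-threads',
+        expectedStatus: HttpStatusCode.OK_200
+      })
+    })
   })
 
   describe('When listing comments of a thread', function () {
@@ -99,9 +136,33 @@ describe('Test video comments API validator', function () {
       })
     })
 
+    it('Should fail with a private video without token', async function () {
+      await makeGetRequest({
+        url: server.url,
+        path: '/api/v1/videos/' + privateVideo.shortUUID + '/comment-threads/' + privateCommentId,
+        expectedStatus: HttpStatusCode.UNAUTHORIZED_401
+      })
+    })
+
+    it('Should fail with another user token', async function () {
+      await makeGetRequest({
+        url: server.url,
+        token: userAccessToken,
+        path: '/api/v1/videos/' + privateVideo.shortUUID + '/comment-threads/' + privateCommentId,
+        expectedStatus: HttpStatusCode.FORBIDDEN_403
+      })
+    })
+
     it('Should success with the correct params', async function () {
       await makeGetRequest({
         url: server.url,
+        token: server.accessToken,
+        path: '/api/v1/videos/' + privateVideo.shortUUID + '/comment-threads/' + privateCommentId,
+        expectedStatus: HttpStatusCode.OK_200
+      })
+
+      await makeGetRequest({
+        url: server.url,
         path: '/api/v1/videos/' + video.shortUUID + '/comment-threads/' + commentId,
         expectedStatus: HttpStatusCode.OK_200
       })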
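Review bot: Only VideoPrivacy.PRIVATE is exercised by the new cases, while the validator these tests cover rejects private, internal and blocklisted videos alike; an additional internal upload in the before hook (`VideoPrivacy.INTERNAL`) driven through the same three requests would pin the expected status for a logged-in non-owner on that privacy level, which is the case most likely to regress. The private-video path string is repeated six times across the two describe blocks; a `pathPrivateThreads` variable assigned in the before hook alongside the existing pathComment would keep a later route change to one edit. The 'Should success with the correct params' case in the last hunk now also covers the private video with the owner token, so its name could read 'Should succeed with the correct params' to match the case added in the previous hunk. The enclosing describe blocks start outside the hunks.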