-rw-r--r--server/middlewares/validators/videos/video-comments.ts23
-rw-r--r--server/tests/api/check-params/video-comments.ts63
2 files changed, 84 insertions, 2 deletions
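--- a/server/middlewares/validators/videos/video-comments.ts
+++ b/server/middlewares/validators/videos/video-comments.ts
@@ -9,7 +9,14 @@ import { logger } from '../../../helpers/logger'
 import { AcceptResult, isLocalVideoCommentReplyAccepted, isLocalVideoThreadAccepted } from '../../../lib/moderation'
 import { Hooks } from '../../../lib/plugins/hooks'
 import { MCommentOwnerVideoReply, MVideo, MVideoFullLight } from '../../../types/models/video'
-import { areValidationErrors, doesVideoCommentExist, doesVideoCommentThreadExist, doesVideoExist, isValidVideoIdParam } from '../shared'
+import {
+  areValidationErrors,
+  checkCanSeeVideoIfPrivate,
+  doesVideoCommentExist,
+  doesVideoCommentThreadExist,
+  doesVideoExist,
+  isValidVideoIdParam
+} from '../shared'
 
 const listVideoCommentsValidator = [
   query('isLocal')
@@ -48,6 +55,13 @@ const listVideoCommentThreadsValidator = [
     if (areValidationErrors(req, res)) return
     if (!await doesVideoExist(req.params.videoId, res, 'only-video')) return
 
+    if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.onlyVideo)) {
+      return res.fail({
+        status: HttpStatusCode.FORBIDDEN_403,
+        message: 'Cannot list comments of private/internal/blocklisted video'
+      })
+    }
+
     return next()
   }
 ]
@@ -65,6 +79,13 @@ const listVideoThreadCommentsValidator = [
     if (!await doesVideoExist(req.params.videoId, res, 'only-video')) return
     if (!await doesVideoCommentThreadExist(req.params.threadId, res.locals.onlyVideo, res)) return
 
+    if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.onlyVideo)) {
+      return res.fail({
+        status: HttpStatusCode.FORBIDDEN_403,
+        message: 'Cannot list threads of private/internal/blocklisted video'
+      })
+    }
+
     return next()
   }
 ]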
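Review bot: In the listVideoThreadCommentsValidator hunk the thread-existence check still runs before the new privacy check, so a caller who may not see a private or internal video can still learn whether a given threadId exists on it by distinguishing the 404 from doesVideoCommentThreadExist from the 401/403 returned afterwards. Moving the `if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.onlyVideo)) { … }` block up so it sits directly after the `doesVideoExist` line and before `doesVideoCommentThreadExist` closes that oracle without changing the success path. Separately, the hunk does not show what checkCanSeeVideoIfPrivate does when it returns false: the new test expects 401 for an anonymous caller while the validator itself only emits 403, which suggests the helper already writes a response in that case, and then the `res.fail` here must not run a second time; once confirmed, a comment such as `// checkCanSeeVideoIfPrivate has already answered the anonymous case; 403 here covers authenticated callers` would document the split. The same concern applies to the listVideoCommentThreadsValidator hunk, and both validators' bodies begin outside the hunks.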
diff --git a/server/tests/api/check-params/video-comments.ts b/server/tests/api/check-params/video-comments.ts
index 2d9ee1e0d..8d63fe70c 100644
--- a/server/tests/api/check-params/video-comments.ts
+++ b/server/tests/api/check-params/video-comments.ts
@@ -14,7 +14,7 @@ import {
14 PeerTubeServer, 14 PeerTubeServer,
15 setAccessTokensToServers 15 setAccessTokensToServers
16} from '@shared/extra-utils' 16} from '@shared/extra-utils'
17import { HttpStatusCode, VideoCreateResult } from '@shared/models' 17import { HttpStatusCode, VideoCreateResult, VideoPrivacy } from '@shared/models'
18 18
19const expect = chai.expect 19const expect = chai.expect
20 20
@@ -26,6 +26,8 @@ describe('Test video comments API validator', function () {
26 let userAccessToken: string 26 let userAccessToken: string
27 let userAccessToken2: string 27 let userAccessToken2: string
28 let commentId: number 28 let commentId: number
29 let privateCommentId: number
30 let privateVideo: VideoCreateResult
29 31
30 // --------------------------------------------------------------- 32 // ---------------------------------------------------------------
31 33
@@ -42,12 +44,21 @@ describe('Test video comments API validator', function () {
42 } 44 }
43 45
44 { 46 {
47 privateVideo = await server.videos.upload({ attributes: { privacy: VideoPrivacy.PRIVATE } })
48 }
49
50 {
45 const created = await server.comments.createThread({ videoId: video.uuid, text: 'coucou' }) 51 const created = await server.comments.createThread({ videoId: video.uuid, text: 'coucou' })
46 commentId = created.id 52 commentId = created.id
47 pathComment = '/api/v1/videos/' + video.uuid + '/comments/' + commentId 53 pathComment = '/api/v1/videos/' + video.uuid + '/comments/' + commentId
48 } 54 }
49 55
50 { 56 {
57 const created = await server.comments.createThread({ videoId: privateVideo.uuid, text: 'coucou' })
58 privateCommentId = created.id
59 }
60
61 {
51 const user = { username: 'user1', password: 'my super password' } 62 const user = { username: 'user1', password: 'my super password' }
52 await server.users.create({ username: user.username, password: user.password }) 63 await server.users.create({ username: user.username, password: user.password })
53 userAccessToken = await server.login.getAccessToken(user) 64 userAccessToken = await server.login.getAccessToken(user)
@@ -80,6 +91,32 @@ describe('Test video comments API validator', function () {
80 expectedStatus: HttpStatusCode.NOT_FOUND_404 91 expectedStatus: HttpStatusCode.NOT_FOUND_404
81 }) 92 })
82 }) 93 })
94
95 it('Should fail with a private video without token', async function () {
96 await makeGetRequest({
97 url: server.url,
98 path: '/api/v1/videos/' + privateVideo.shortUUID + '/comment-threads',
99 expectedStatus: HttpStatusCode.UNAUTHORIZED_401
100 })
101 })
102
103 it('Should fail with another user token', async function () {
104 await makeGetRequest({
105 url: server.url,
106 token: userAccessToken,
107 path: '/api/v1/videos/' + privateVideo.shortUUID + '/comment-threads',
108 expectedStatus: HttpStatusCode.FORBIDDEN_403
109 })
110 })
111
112 it('Should succeed with the correct params', async function () {
113 await makeGetRequest({
114 url: server.url,
115 token: server.accessToken,
116 path: '/api/v1/videos/' + privateVideo.shortUUID + '/comment-threads',
117 expectedStatus: HttpStatusCode.OK_200
118 })
119 })
83 }) 120 })
84 121
85 describe('When listing comments of a thread', function () { 122 describe('When listing comments of a thread', function () {
@@ -99,9 +136,33 @@ describe('Test video comments API validator', function () {
99 }) 136 })
100 }) 137 })
101 138
139 it('Should fail with a private video without token', async function () {
140 await makeGetRequest({
141 url: server.url,
142 path: '/api/v1/videos/' + privateVideo.shortUUID + '/comment-threads/' + privateCommentId,
143 expectedStatus: HttpStatusCode.UNAUTHORIZED_401
144 })
145 })
146
147 it('Should fail with another user token', async function () {
148 await makeGetRequest({
149 url: server.url,
150 token: userAccessToken,
151 path: '/api/v1/videos/' + privateVideo.shortUUID + '/comment-threads/' + privateCommentId,
152 expectedStatus: HttpStatusCode.FORBIDDEN_403
153 })
154 })
155
102 it('Should success with the correct params', async function () { 156 it('Should success with the correct params', async function () {
103 await makeGetRequest({ 157 await makeGetRequest({
104 url: server.url, 158 url: server.url,
159 token: server.accessToken,
160 path: '/api/v1/videos/' + privateVideo.shortUUID + '/comment-threads/' + privateCommentId,
161 expectedStatus: HttpStatusCode.OK_200
162 })
163
164 await makeGetRequest({
165 url: server.url,
105 path: '/api/v1/videos/' + video.shortUUID + '/comment-threads/' + commentId, 166 path: '/api/v1/videos/' + video.shortUUID + '/comment-threads/' + commentId,
106 expectedStatus: HttpStatusCode.OK_200 167 expectedStatus: HttpStatusCode.OK_200
107 }) 168 })