-rw-r--r--server/middlewares/validators/videos.js8
-rw-r--r--server/tests/api/check-params/videos.js4
2 files changed, 12 insertions, 0 deletions
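diff --git a/server/middlewares/validators/videos.js b/server/middlewares/validators/videos.js
index ff18a99c2..3d7c04b60 100644
--- a/server/middlewares/validators/videos.js
+++ b/server/middlewares/validators/videos.js
@@ -53,6 +53,14 @@ function videosUpdate (req, res, next) {
 logger.debug('Checking videosUpdate parameters', { parameters: req.body })
 
 checkErrors(req, res, function () {
+if (res.locals.video.isOwned() === false) {
+return res.status(403).send('Cannot update video of another pod')
+}
+
+if (res.locals.video.Author.userId !== res.locals.oauth.token.User.id) {
+return res.status(403).send('Cannot update video of another user')
+}
+
 checkVideoExists(req.params.id, res, next)
 })
 }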
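Review bot: The two new 403 checks read `res.locals.video` before `checkVideoExists(req.params.id, res, next)` is called, and nothing visible in the hunk populates it earlier. If that helper is what loads the video into `res.locals` (its body is not shown), the ownership test dereferences an undefined value and the request fails with an exception rather than a clean authorization decision. The checks should run only after the lookup succeeds, for example `checkVideoExists(req.params.id, res, function () { /* isOwned() and Author.userId checks */ next() })`. It is also worth confirming that `Author` and `res.locals.oauth.token.User` are always loaded on this route, since a missing association would throw in the same way. The start of `videosUpdate` lies outside the hunk.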
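diff --git a/server/tests/api/check-params/videos.js b/server/tests/api/check-params/videos.js
index d18305291..fac903715 100644
--- a/server/tests/api/check-params/videos.js
+++ b/server/tests/api/check-params/videos.js
@@ -378,6 +378,10 @@ describe('Test videos API validator', function () {
 }
 requestsUtils.makePutBodyRequest(server.url, path + videoId, server.accessToken, data, done)
 })
+
+it('Should fail with a video of another user')
+
+it('Should fail with a video of another pod')
 })
 
 describe('When getting a video', function () {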
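Review bot: Both added cases are `it(...)` calls with no callback, which Mocha reports as pending, so neither of the new 403 paths in the validator is exercised by the suite. Because these are authorization checks, each should have a real test: a PUT using a second user's access token, and a PUT against a video that came from a remote pod, both expecting status 403. If they must stay pending for now, add a comment such as `// TODO: implement once a second user / remote video fixture is available` so the gap stays visible. The enclosing `describe` block starts outside the hunk.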