-rw-r--r--server/middlewares/validators/videos/video-comments.ts23
-rw-r--r--server/tests/api/check-params/video-comments.ts63
2 files changed, 84 insertions, 2 deletions
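diff --git a/server/middlewares/validators/videos/video-comments.ts b/server/middlewares/validators/videos/video-comments.ts
index 665fb04c8..91ae31ec2 100644
--- a/server/middlewares/validators/videos/video-comments.ts
+++ b/server/middlewares/validators/videos/video-comments.ts
@@ -8,7 +8,14 @@ import { logger } from '../../../helpers/logger'
 import { AcceptResult, isLocalVideoCommentReplyAccepted, isLocalVideoThreadAccepted } from '../../../lib/moderation'
 import { Hooks } from '../../../lib/plugins/hooks'
 import { MCommentOwnerVideoReply, MVideo, MVideoFullLight } from '../../../types/models/video'
-import { areValidationErrors, doesVideoCommentExist, doesVideoCommentThreadExist, doesVideoExist, isValidVideoIdParam } from '../shared'
+import {
+  areValidationErrors,
+  checkCanSeeVideoIfPrivate,
+  doesVideoCommentExist,
+  doesVideoCommentThreadExist,
+  doesVideoExist,
+  isValidVideoIdParam
+} from '../shared'
 
 const listVideoCommentsValidator = [
   query('isLocal')
@@ -47,6 +54,13 @@ const listVideoCommentThreadsValidator = [
     if (areValidationErrors(req, res)) return
     if (!await doesVideoExist(req.params.videoId, res, 'only-video')) return
 
+    if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.onlyVideo)) {
+      return res.fail({
+        status: HttpStatusCode.FORBIDDEN_403,
+        message: 'Cannot list comments of private/internal/blocklisted video'
+      })
+    }
+
     return next()
   }
 ]
@@ -64,6 +78,13 @@ const listVideoThreadCommentsValidator = [
     if (!await doesVideoExist(req.params.videoId, res, 'only-video')) return
     if (!await doesVideoCommentThreadExist(req.params.threadId, res.locals.onlyVideo, res)) return
 
+    if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.onlyVideo)) {
+      return res.fail({
+        status: HttpStatusCode.FORBIDDEN_403,
+        message: 'Cannot list threads of private/internal/blocklisted video'
+      })
+    }
+
     return next()
   }
 ]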
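Review bot: In listVideoThreadCommentsValidator the new checkCanSeeVideoIfPrivate guard runs after doesVideoCommentThreadExist, so a caller who may not see the video can still probe it: a threadId that does not belong to the private video is answered by doesVideoCommentThreadExist (presumably a 404), while one that does reaches the guard and gets 401/403, which leaks whether a given comment id exists on private/internal content. Moving the guard directly under the doesVideoExist line makes the response independent of the thread id — the guard only needs res.locals.onlyVideo, which doesVideoExist has already set — i.e. run `if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.onlyVideo)) { … }` first and `if (!await doesVideoCommentThreadExist(req.params.threadId, res.locals.onlyVideo, res)) return` after it. Separately, the tests expect 401 without a token while both hunks only ever emit 403, so checkCanSeeVideoIfPrivate must be writing that 401 itself; if it also returns false afterwards the res.fail here would be a second write to the same response, so either confirm in the helper that this cannot happen or add `if (res.headersSent) return` before the res.fail. Both validator arrays and their async middleware functions start outside the hunks.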
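diff --git a/server/tests/api/check-params/video-comments.ts b/server/tests/api/check-params/video-comments.ts
index 63c3582e9..829f3c8b1 100644
--- a/server/tests/api/check-params/video-comments.ts
+++ b/server/tests/api/check-params/video-comments.ts
@@ -3,7 +3,7 @@
 import 'mocha'
 import * as chai from 'chai'
 import { checkBadCountPagination, checkBadSortPagination, checkBadStartPagination } from '@server/tests/shared'
-import { HttpStatusCode, VideoCreateResult } from '@shared/models'
+import { HttpStatusCode, VideoCreateResult, VideoPrivacy } from '@shared/models'
 import {
   cleanupTests,
   createSingleServer,
@@ -24,6 +24,8 @@ describe('Test video comments API validator', function () {
   let userAccessToken: string
   let userAccessToken2: string
   let commentId: number
+  let privateCommentId: number
+  let privateVideo: VideoCreateResult
 
   // ---------------------------------------------------------------
 
@@ -40,12 +42,21 @@ describe('Test video comments API validator', function () {
     }
 
     {
+      privateVideo = await server.videos.upload({ attributes: { privacy: VideoPrivacy.PRIVATE } })
+    }
+
+    {
       const created = await server.comments.createThread({ videoId: video.uuid, text: 'coucou' })
       commentId = created.id
       pathComment = '/api/v1/videos/' + video.uuid + '/comments/' + commentId
     }
 
     {
+      const created = await server.comments.createThread({ videoId: privateVideo.uuid, text: 'coucou' })
+      privateCommentId = created.id
+    }
+
+    {
       const user = { username: 'user1', password: 'my super password' }
       await server.users.create({ username: user.username, password: user.password })
       userAccessToken = await server.login.getAccessToken(user)
@@ -78,6 +89,32 @@ describe('Test video comments API validator', function () {
         expectedStatus: HttpStatusCode.NOT_FOUND_404
       })
     })
+
+    it('Should fail with a private video without token', async function () {
+      await makeGetRequest({
+        url: server.url,
+        path: '/api/v1/videos/' + privateVideo.shortUUID + '/comment-threads',
+        expectedStatus: HttpStatusCode.UNAUTHORIZED_401
+      })
+    })
+
+    it('Should fail with another user token', async function () {
+      await makeGetRequest({
+        url: server.url,
+        token: userAccessToken,
+        path: '/api/v1/videos/' + privateVideo.shortUUID + '/comment-threads',
+        expectedStatus: HttpStatusCode.FORBIDDEN_403
+      })
+    })
+
+    it('Should succeed with the correct params', async function () {
+      await makeGetRequest({
+        url: server.url,
+        token: server.accessToken,
+        path: '/api/v1/videos/' + privateVideo.shortUUID + '/comment-threads',
+        expectedStatus: HttpStatusCode.OK_200
+      })
+    })
   })
 
   describe('When listing comments of a thread', function () {
@@ -97,9 +134,33 @@ describe('Test video comments API validator', function () {
       })
     })
 
+    it('Should fail with a private video without token', async function () {
+      await makeGetRequest({
+        url: server.url,
+        path: '/api/v1/videos/' + privateVideo.shortUUID + '/comment-threads/' + privateCommentId,
+        expectedStatus: HttpStatusCode.UNAUTHORIZED_401
+      })
+    })
+
+    it('Should fail with another user token', async function () {
+      await makeGetRequest({
+        url: server.url,
+        token: userAccessToken,
+        path: '/api/v1/videos/' + privateVideo.shortUUID + '/comment-threads/' + privateCommentId,
+        expectedStatus: HttpStatusCode.FORBIDDEN_403
+      })
+    })
+
     it('Should success with the correct params', async function () {
       await makeGetRequest({
         url: server.url,
+        token: server.accessToken,
+        path: '/api/v1/videos/' + privateVideo.shortUUID + '/comment-threads/' + privateCommentId,
+        expectedStatus: HttpStatusCode.OK_200
+      })
+
+      await makeGetRequest({
+        url: server.url,
         path: '/api/v1/videos/' + video.shortUUID + '/comment-threads/' + commentId,
         expectedStatus: HttpStatusCode.OK_200
       })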
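Review bot: The new cases in both describe blocks only exercise VideoPrivacy.PRIVATE, yet the validator's rejection message names internal and blocklisted videos too, so the internal branch that this change gates is not pinned by any test here. A second fixture uploaded with `privacy: VideoPrivacy.INTERNAL` in the before() hook, declared alongside `privateVideo`, plus an unauthenticated request mirroring the private 401 case and a `userAccessToken` request (200 if internal videos are meant to be readable by any logged-in user, 403 otherwise — confirm against checkCanSeeVideoIfPrivate) would cover it. The existing title 'Should success with the correct params' that this hunk extends also sits awkwardly beside the new 'Should succeed with the correct params' case above it; `it('Should succeed with the correct params', async function () {` would keep the two consistent. The enclosing describe blocks and the before() hook start outside the hunks.
```typescript
// … unchanged: privateVideo upload …
{
  internalVideo = await server.videos.upload({ attributes: { privacy: VideoPrivacy.INTERNAL } })
}
// … unchanged: remaining before() setup and the private-video cases …
it('Should fail with an internal video without token', async function () {
  await makeGetRequest({
    url: server.url,
    path: '/api/v1/videos/' + internalVideo.shortUUID + '/comment-threads',
    expectedStatus: HttpStatusCode.UNAUTHORIZED_401
  })
})
```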