diff options
-rw-r--r-- | server/middlewares/validators/videos/video-comments.ts | 23 | ||||
-rw-r--r-- | server/tests/api/check-params/video-comments.ts | 63 |
2 files changed, 84 insertions, 2 deletions
diff --git a/server/middlewares/validators/videos/video-comments.ts b/server/middlewares/validators/videos/video-comments.ts index 665fb04c8..91ae31ec2 100644 --- a/server/middlewares/validators/videos/video-comments.ts +++ b/server/middlewares/validators/videos/video-comments.ts | |||
@@ -8,7 +8,14 @@ import { logger } from '../../../helpers/logger' | |||
8 | import { AcceptResult, isLocalVideoCommentReplyAccepted, isLocalVideoThreadAccepted } from '../../../lib/moderation' | 8 | import { AcceptResult, isLocalVideoCommentReplyAccepted, isLocalVideoThreadAccepted } from '../../../lib/moderation' |
9 | import { Hooks } from '../../../lib/plugins/hooks' | 9 | import { Hooks } from '../../../lib/plugins/hooks' |
10 | import { MCommentOwnerVideoReply, MVideo, MVideoFullLight } from '../../../types/models/video' | 10 | import { MCommentOwnerVideoReply, MVideo, MVideoFullLight } from '../../../types/models/video' |
11 | import { areValidationErrors, doesVideoCommentExist, doesVideoCommentThreadExist, doesVideoExist, isValidVideoIdParam } from '../shared' | 11 | import { |
12 | areValidationErrors, | ||
13 | checkCanSeeVideoIfPrivate, | ||
14 | doesVideoCommentExist, | ||
15 | doesVideoCommentThreadExist, | ||
16 | doesVideoExist, | ||
17 | isValidVideoIdParam | ||
18 | } from '../shared' | ||
12 | 19 | ||
13 | const listVideoCommentsValidator = [ | 20 | const listVideoCommentsValidator = [ |
14 | query('isLocal') | 21 | query('isLocal') |
@@ -47,6 +54,13 @@ const listVideoCommentThreadsValidator = [ | |||
47 | if (areValidationErrors(req, res)) return | 54 | if (areValidationErrors(req, res)) return |
48 | if (!await doesVideoExist(req.params.videoId, res, 'only-video')) return | 55 | if (!await doesVideoExist(req.params.videoId, res, 'only-video')) return |
49 | 56 | ||
57 | if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.onlyVideo)) { | ||
58 | return res.fail({ | ||
59 | status: HttpStatusCode.FORBIDDEN_403, | ||
60 | message: 'Cannot list comments of private/internal/blocklisted video' | ||
61 | }) | ||
62 | } | ||
63 | |||
50 | return next() | 64 | return next() |
51 | } | 65 | } |
52 | ] | 66 | ] |
@@ -64,6 +78,13 @@ const listVideoThreadCommentsValidator = [ | |||
64 | if (!await doesVideoExist(req.params.videoId, res, 'only-video')) return | 78 | if (!await doesVideoExist(req.params.videoId, res, 'only-video')) return |
65 | if (!await doesVideoCommentThreadExist(req.params.threadId, res.locals.onlyVideo, res)) return | 79 | if (!await doesVideoCommentThreadExist(req.params.threadId, res.locals.onlyVideo, res)) return |
66 | 80 | ||
81 | if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.onlyVideo)) { | ||
82 | return res.fail({ | ||
83 | status: HttpStatusCode.FORBIDDEN_403, | ||
84 | message: 'Cannot list threads of private/internal/blocklisted video' | ||
85 | }) | ||
86 | } | ||
87 | |||
67 | return next() | 88 | return next() |
68 | } | 89 | } |
69 | ] | 90 | ] |
diff --git a/server/tests/api/check-params/video-comments.ts b/server/tests/api/check-params/video-comments.ts index 63c3582e9..829f3c8b1 100644 --- a/server/tests/api/check-params/video-comments.ts +++ b/server/tests/api/check-params/video-comments.ts | |||
@@ -3,7 +3,7 @@ | |||
3 | import 'mocha' | 3 | import 'mocha' |
4 | import * as chai from 'chai' | 4 | import * as chai from 'chai' |
5 | import { checkBadCountPagination, checkBadSortPagination, checkBadStartPagination } from '@server/tests/shared' | 5 | import { checkBadCountPagination, checkBadSortPagination, checkBadStartPagination } from '@server/tests/shared' |
6 | import { HttpStatusCode, VideoCreateResult } from '@shared/models' | 6 | import { HttpStatusCode, VideoCreateResult, VideoPrivacy } from '@shared/models' |
7 | import { | 7 | import { |
8 | cleanupTests, | 8 | cleanupTests, |
9 | createSingleServer, | 9 | createSingleServer, |
@@ -24,6 +24,8 @@ describe('Test video comments API validator', function () { | |||
24 | let userAccessToken: string | 24 | let userAccessToken: string |
25 | let userAccessToken2: string | 25 | let userAccessToken2: string |
26 | let commentId: number | 26 | let commentId: number |
27 | let privateCommentId: number | ||
28 | let privateVideo: VideoCreateResult | ||
27 | 29 | ||
28 | // --------------------------------------------------------------- | 30 | // --------------------------------------------------------------- |
29 | 31 | ||
@@ -40,12 +42,21 @@ describe('Test video comments API validator', function () { | |||
40 | } | 42 | } |
41 | 43 | ||
42 | { | 44 | { |
45 | privateVideo = await server.videos.upload({ attributes: { privacy: VideoPrivacy.PRIVATE } }) | ||
46 | } | ||
47 | |||
48 | { | ||
43 | const created = await server.comments.createThread({ videoId: video.uuid, text: 'coucou' }) | 49 | const created = await server.comments.createThread({ videoId: video.uuid, text: 'coucou' }) |
44 | commentId = created.id | 50 | commentId = created.id |
45 | pathComment = '/api/v1/videos/' + video.uuid + '/comments/' + commentId | 51 | pathComment = '/api/v1/videos/' + video.uuid + '/comments/' + commentId |
46 | } | 52 | } |
47 | 53 | ||
48 | { | 54 | { |
55 | const created = await server.comments.createThread({ videoId: privateVideo.uuid, text: 'coucou' }) | ||
56 | privateCommentId = created.id | ||
57 | } | ||
58 | |||
59 | { | ||
49 | const user = { username: 'user1', password: 'my super password' } | 60 | const user = { username: 'user1', password: 'my super password' } |
50 | await server.users.create({ username: user.username, password: user.password }) | 61 | await server.users.create({ username: user.username, password: user.password }) |
51 | userAccessToken = await server.login.getAccessToken(user) | 62 | userAccessToken = await server.login.getAccessToken(user) |
@@ -78,6 +89,32 @@ describe('Test video comments API validator', function () { | |||
78 | expectedStatus: HttpStatusCode.NOT_FOUND_404 | 89 | expectedStatus: HttpStatusCode.NOT_FOUND_404 |
79 | }) | 90 | }) |
80 | }) | 91 | }) |
92 | |||
93 | it('Should fail with a private video without token', async function () { | ||
94 | await makeGetRequest({ | ||
95 | url: server.url, | ||
96 | path: '/api/v1/videos/' + privateVideo.shortUUID + '/comment-threads', | ||
97 | expectedStatus: HttpStatusCode.UNAUTHORIZED_401 | ||
98 | }) | ||
99 | }) | ||
100 | |||
101 | it('Should fail with another user token', async function () { | ||
102 | await makeGetRequest({ | ||
103 | url: server.url, | ||
104 | token: userAccessToken, | ||
105 | path: '/api/v1/videos/' + privateVideo.shortUUID + '/comment-threads', | ||
106 | expectedStatus: HttpStatusCode.FORBIDDEN_403 | ||
107 | }) | ||
108 | }) | ||
109 | |||
110 | it('Should succeed with the correct params', async function () { | ||
111 | await makeGetRequest({ | ||
112 | url: server.url, | ||
113 | token: server.accessToken, | ||
114 | path: '/api/v1/videos/' + privateVideo.shortUUID + '/comment-threads', | ||
115 | expectedStatus: HttpStatusCode.OK_200 | ||
116 | }) | ||
117 | }) | ||
81 | }) | 118 | }) |
82 | 119 | ||
83 | describe('When listing comments of a thread', function () { | 120 | describe('When listing comments of a thread', function () { |
@@ -97,9 +134,33 @@ describe('Test video comments API validator', function () { | |||
97 | }) | 134 | }) |
98 | }) | 135 | }) |
99 | 136 | ||
137 | it('Should fail with a private video without token', async function () { | ||
138 | await makeGetRequest({ | ||
139 | url: server.url, | ||
140 | path: '/api/v1/videos/' + privateVideo.shortUUID + '/comment-threads/' + privateCommentId, | ||
141 | expectedStatus: HttpStatusCode.UNAUTHORIZED_401 | ||
142 | }) | ||
143 | }) | ||
144 | |||
145 | it('Should fail with another user token', async function () { | ||
146 | await makeGetRequest({ | ||
147 | url: server.url, | ||
148 | token: userAccessToken, | ||
149 | path: '/api/v1/videos/' + privateVideo.shortUUID + '/comment-threads/' + privateCommentId, | ||
150 | expectedStatus: HttpStatusCode.FORBIDDEN_403 | ||
151 | }) | ||
152 | }) | ||
153 | |||
100 | it('Should success with the correct params', async function () { | 154 | it('Should success with the correct params', async function () { |
101 | await makeGetRequest({ | 155 | await makeGetRequest({ |
102 | url: server.url, | 156 | url: server.url, |
157 | token: server.accessToken, | ||
158 | path: '/api/v1/videos/' + privateVideo.shortUUID + '/comment-threads/' + privateCommentId, | ||
159 | expectedStatus: HttpStatusCode.OK_200 | ||
160 | }) | ||
161 | |||
162 | await makeGetRequest({ | ||
163 | url: server.url, | ||
103 | path: '/api/v1/videos/' + video.shortUUID + '/comment-threads/' + commentId, | 164 | path: '/api/v1/videos/' + video.shortUUID + '/comment-threads/' + commentId, |
104 | expectedStatus: HttpStatusCode.OK_200 | 165 | expectedStatus: HttpStatusCode.OK_200 |
105 | }) | 166 | }) |