1 files changed, 39 insertions, 17 deletions
diff --git a/server/controllers/activitypub/client.ts b/server/controllers/activitypub/client.ts
index d85d0aa5f..71a5b6232 100644
--- a/server/controllers/activitypub/client.ts
+++ b/server/controllers/activitypub/client.ts
@@ -1,8 +1,7 @@
 import * as cors from 'cors'
 import * as express from 'express'
-import { getRateUrl } from '@server/lib/activitypub/video-rates'
 import { getServerActor } from '@server/models/application/application'
-import { MAccountId, MActorId, MChannelId, MVideoId } from '@server/types/models'
+import { MAccountId, MActorId, MChannelId, MVideoId, MVideoUrl } from '@server/types/models'
 import { VideoPrivacy, VideoRateType } from '../../../shared/models/videos'
 import { VideoPlaylistPrivacy } from '../../../shared/models/videos/playlist/video-playlist-privacy.model'
 import { activityPubCollectionPagination, activityPubContextify } from '../../helpers/activitypub'
@@ -12,10 +11,10 @@ import { buildAnnounceWithVideoAudience, buildLikeActivity } from '../../lib/act
 import { buildCreateActivity } from '../../lib/activitypub/send/send-create'
 import { buildDislikeActivity } from '../../lib/activitypub/send/send-dislike'
 import {
-  getVideoCommentsActivityPubUrl,
+  getLocalVideoCommentsActivityPubUrl,
-  getVideoDislikesActivityPubUrl,
+  getLocalVideoDislikesActivityPubUrl,
-  getVideoLikesActivityPubUrl,
+  getLocalVideoLikesActivityPubUrl,
-  getVideoSharesActivityPubUrl
+  getLocalVideoSharesActivityPubUrl
 } from '../../lib/activitypub/url'
 import {
  asyncMiddleware,
@@ -212,10 +211,9 @@ function getAccountVideoRateFactory (rateType: VideoRateType) {
    const accountVideoRate = res.locals.accountVideoRate
    const byActor = accountVideoRate.Account.Actor
-    const url = getRateUrl(rateType, byActor, accountVideoRate.Video)
    const APObject = rateType === 'like'
-      ? buildLikeActivity(url, byActor, accountVideoRate.Video)
+      ? buildLikeActivity(accountVideoRate.url, byActor, accountVideoRate.Video)
-      : buildDislikeActivity(url, byActor, accountVideoRate.Video)
+      : buildDislikeActivity(accountVideoRate.url, byActor, accountVideoRate.Video)
    return activityPubResponse(activityPubContextify(APObject), res)
  }
@@ -225,7 +223,7 @@ async function videoController (req: express.Request, res: express.Response) {
  // We need more attributes
  const video = await VideoModel.loadAndPopulateAccountAndServerAndTags(res.locals.onlyVideoWithRights.id)
-  if (video.url.startsWith(WEBSERVER.URL) === false) return res.redirect(video.url)
+  if (redirectIfNotOwned(video.url, res)) return
  // We need captions to render AP object
  const captions = await VideoCaptionModel.listVideoCaptions(video.id)
@@ -245,7 +243,7 @@ async function videoController (req: express.Request, res: express.Response) {
 async function videoAnnounceController (req: express.Request, res: express.Response) {
  const share = res.locals.videoShare
-  if (share.url.startsWith(WEBSERVER.URL) === false) return res.redirect(share.url)
+  if (redirectIfNotOwned(share.url, res)) return
  const { activity } = await buildAnnounceWithVideoAudience(share.Actor, share, res.locals.videoAll, undefined)
@@ -255,6 +253,8 @@ async function videoAnnounceController (req: express.Request, res: express.Respo
 async function videoAnnouncesController (req: express.Request, res: express.Response) {
  const video = res.locals.onlyImmutableVideo
+  if (redirectIfNotOwned(video.url, res)) return
  const handler = async (start: number, count: number) => {
    const result = await VideoShareModel.listAndCountByVideoId(video.id, start, count)
    return {
@@ -262,21 +262,27 @@ async function videoAnnouncesController (req: express.Request, res: express.Resp
      data: result.rows.map(r => r.url)
    }
  }
-  const json = await activityPubCollectionPagination(getVideoSharesActivityPubUrl(video), handler, req.query.page)
+  const json = await activityPubCollectionPagination(getLocalVideoSharesActivityPubUrl(video), handler, req.query.page)
  return activityPubResponse(activityPubContextify(json), res)
 }
 async function videoLikesController (req: express.Request, res: express.Response) {
  const video = res.locals.onlyImmutableVideo
-  const json = await videoRates(req, 'like', video, getVideoLikesActivityPubUrl(video))
+  if (redirectIfNotOwned(video.url, res)) return
+  const json = await videoRates(req, 'like', video, getLocalVideoLikesActivityPubUrl(video))
  return activityPubResponse(activityPubContextify(json), res)
 }
 async function videoDislikesController (req: express.Request, res: express.Response) {
  const video = res.locals.onlyImmutableVideo
-  const json = await videoRates(req, 'dislike', video, getVideoDislikesActivityPubUrl(video))
+  if (redirectIfNotOwned(video.url, res)) return
+  const json = await videoRates(req, 'dislike', video, getLocalVideoDislikesActivityPubUrl(video))
  return activityPubResponse(activityPubContextify(json), res)
 }
@@ -284,6 +290,8 @@ async function videoDislikesController (req: express.Request, res: express.Respo
 async function videoCommentsController (req: express.Request, res: express.Response) {
  const video = res.locals.onlyImmutableVideo
+  if (redirectIfNotOwned(video.url, res)) return
  const handler = async (start: number, count: number) => {
    const result = await VideoCommentModel.listAndCountByVideoForAP(video, start, count)
    return {
@@ -291,7 +299,7 @@ async function videoCommentsController (req: express.Request, res: express.Respo
      data: result.rows.map(r => r.url)
    }
  }
-  const json = await activityPubCollectionPagination(getVideoCommentsActivityPubUrl(video), handler, req.query.page)
+  const json = await activityPubCollectionPagination(getLocalVideoCommentsActivityPubUrl(video), handler, req.query.page)
  return activityPubResponse(activityPubContextify(json), res)
 }
@@ -319,7 +327,7 @@ async function videoChannelFollowingController (req: express.Request, res: expre
 async function videoCommentController (req: express.Request, res: express.Response) {
  const videoComment = res.locals.videoCommentFull
-  if (videoComment.url.startsWith(WEBSERVER.URL) === false) return res.redirect(videoComment.url)
+  if (redirectIfNotOwned(videoComment.url, res)) return
  const threadParentComments = await VideoCommentModel.listThreadParentComments(videoComment, undefined)
  const isPublic = true // Comments are always public
@@ -340,7 +348,8 @@ async function videoCommentController (req: express.Request, res: express.Respon
 async function videoRedundancyController (req: express.Request, res: express.Response) {
  const videoRedundancy = res.locals.videoRedundancy
-  if (videoRedundancy.url.startsWith(WEBSERVER.URL) === false) return res.redirect(videoRedundancy.url)
+  if (redirectIfNotOwned(videoRedundancy.url, res)) return
  const serverActor = await getServerActor()
@@ -358,6 +367,8 @@ async function videoRedundancyController (req: express.Request, res: express.Res
 async function videoPlaylistController (req: express.Request, res: express.Response) {
  const playlist = res.locals.videoPlaylistFull
+  if (redirectIfNotOwned(playlist.url, res)) return
  // We need more attributes
  playlist.OwnerAccount = await AccountModel.load(playlist.ownerAccountId)
@@ -371,6 +382,8 @@ async function videoPlaylistController (req: express.Request, res: express.Respo
 function videoPlaylistElementController (req: express.Request, res: express.Response) {
  const videoPlaylistElement = res.locals.videoPlaylistElementAP
+  if (redirectIfNotOwned(videoPlaylistElement.url, res)) return
  const json = videoPlaylistElement.toActivityPubObject()
  return activityPubResponse(activityPubContextify(json), res)
 }
@@ -411,3 +424,12 @@ function videoRates (req: express.Request, rateType: VideoRateType, video: MVide
  }
  return activityPubCollectionPagination(url, handler, req.query.page)
 }
+function redirectIfNotOwned (url: string, res: express.Response) {
+  if (url.startsWith(WEBSERVER.URL) === false) {
+    res.redirect(url)
+    return true
+  }
+  return false
+}

diff --git a/server/controllers/activitypub/client.ts b/server/controllers/activitypub/client.ts index d85d0aa5f..71a5b6232 100644 --- a/server/controllers/activitypub/client.ts +++ b/server/controllers/activitypub/client.ts
@@ -1,8 +1,7 @@
1	import * as cors from 'cors'	1	import * as cors from 'cors'
2	import * as express from 'express'	2	import * as express from 'express'
3	import { getRateUrl } from '@server/lib/activitypub/video-rates'
4	import { getServerActor } from '@server/models/application/application'	3	import { getServerActor } from '@server/models/application/application'
5	import { MAccountId, MActorId, MChannelId, MVideoId } from '@server/types/models'	4	import { MAccountId, MActorId, MChannelId, MVideoId, MVideoUrl } from '@server/types/models'
6	import { VideoPrivacy, VideoRateType } from '../../../shared/models/videos'	5	import { VideoPrivacy, VideoRateType } from '../../../shared/models/videos'
7	import { VideoPlaylistPrivacy } from '../../../shared/models/videos/playlist/video-playlist-privacy.model'	6	import { VideoPlaylistPrivacy } from '../../../shared/models/videos/playlist/video-playlist-privacy.model'
8	import { activityPubCollectionPagination, activityPubContextify } from '../../helpers/activitypub'	7	import { activityPubCollectionPagination, activityPubContextify } from '../../helpers/activitypub'
@@ -12,10 +11,10 @@ import { buildAnnounceWithVideoAudience, buildLikeActivity } from '../../lib/act
12	import { buildCreateActivity } from '../../lib/activitypub/send/send-create'	11	import { buildCreateActivity } from '../../lib/activitypub/send/send-create'
13	import { buildDislikeActivity } from '../../lib/activitypub/send/send-dislike'	12	import { buildDislikeActivity } from '../../lib/activitypub/send/send-dislike'
14	import {	13	import {
15	getVideoCommentsActivityPubUrl,	14	getLocalVideoCommentsActivityPubUrl,
16	getVideoDislikesActivityPubUrl,	15	getLocalVideoDislikesActivityPubUrl,
17	getVideoLikesActivityPubUrl,	16	getLocalVideoLikesActivityPubUrl,
18	getVideoSharesActivityPubUrl	17	getLocalVideoSharesActivityPubUrl
19	} from '../../lib/activitypub/url'	18	} from '../../lib/activitypub/url'
20	import {	19	import {
21	asyncMiddleware,	20	asyncMiddleware,
@@ -212,10 +211,9 @@ function getAccountVideoRateFactory (rateType: VideoRateType) {
212	const accountVideoRate = res.locals.accountVideoRate	211	const accountVideoRate = res.locals.accountVideoRate
213		212
214	const byActor = accountVideoRate.Account.Actor	213	const byActor = accountVideoRate.Account.Actor
215	const url = getRateUrl(rateType, byActor, accountVideoRate.Video)
216	const APObject = rateType === 'like'	214	const APObject = rateType === 'like'
217	? buildLikeActivity(url, byActor, accountVideoRate.Video)	215	? buildLikeActivity(accountVideoRate.url, byActor, accountVideoRate.Video)
218	: buildDislikeActivity(url, byActor, accountVideoRate.Video)	216	: buildDislikeActivity(accountVideoRate.url, byActor, accountVideoRate.Video)
219		217
220	return activityPubResponse(activityPubContextify(APObject), res)	218	return activityPubResponse(activityPubContextify(APObject), res)
221	}	219	}
@@ -225,7 +223,7 @@ async function videoController (req: express.Request, res: express.Response) {
225	// We need more attributes	223	// We need more attributes
226	const video = await VideoModel.loadAndPopulateAccountAndServerAndTags(res.locals.onlyVideoWithRights.id)	224	const video = await VideoModel.loadAndPopulateAccountAndServerAndTags(res.locals.onlyVideoWithRights.id)
227		225
228	if (video.url.startsWith(WEBSERVER.URL) === false) return res.redirect(video.url)	226	if (redirectIfNotOwned(video.url, res)) return
229		227
230	// We need captions to render AP object	228	// We need captions to render AP object
231	const captions = await VideoCaptionModel.listVideoCaptions(video.id)	229	const captions = await VideoCaptionModel.listVideoCaptions(video.id)
@@ -245,7 +243,7 @@ async function videoController (req: express.Request, res: express.Response) {
245	async function videoAnnounceController (req: express.Request, res: express.Response) {	243	async function videoAnnounceController (req: express.Request, res: express.Response) {
246	const share = res.locals.videoShare	244	const share = res.locals.videoShare
247		245
248	if (share.url.startsWith(WEBSERVER.URL) === false) return res.redirect(share.url)	246	if (redirectIfNotOwned(share.url, res)) return
249		247
250	const { activity } = await buildAnnounceWithVideoAudience(share.Actor, share, res.locals.videoAll, undefined)	248	const { activity } = await buildAnnounceWithVideoAudience(share.Actor, share, res.locals.videoAll, undefined)
251		249
@@ -255,6 +253,8 @@ async function videoAnnounceController (req: express.Request, res: express.Respo
255	async function videoAnnouncesController (req: express.Request, res: express.Response) {	253	async function videoAnnouncesController (req: express.Request, res: express.Response) {
256	const video = res.locals.onlyImmutableVideo	254	const video = res.locals.onlyImmutableVideo
257		255
		256	if (redirectIfNotOwned(video.url, res)) return
		257
258	const handler = async (start: number, count: number) => {	258	const handler = async (start: number, count: number) => {
259	const result = await VideoShareModel.listAndCountByVideoId(video.id, start, count)	259	const result = await VideoShareModel.listAndCountByVideoId(video.id, start, count)
260	return {	260	return {
@@ -262,21 +262,27 @@ async function videoAnnouncesController (req: express.Request, res: express.Resp
262	data: result.rows.map(r => r.url)	262	data: result.rows.map(r => r.url)
263	}	263	}
264	}	264	}
265	const json = await activityPubCollectionPagination(getVideoSharesActivityPubUrl(video), handler, req.query.page)	265	const json = await activityPubCollectionPagination(getLocalVideoSharesActivityPubUrl(video), handler, req.query.page)
266		266
267	return activityPubResponse(activityPubContextify(json), res)	267	return activityPubResponse(activityPubContextify(json), res)
268	}	268	}
269		269
270	async function videoLikesController (req: express.Request, res: express.Response) {	270	async function videoLikesController (req: express.Request, res: express.Response) {
271	const video = res.locals.onlyImmutableVideo	271	const video = res.locals.onlyImmutableVideo
272	const json = await videoRates(req, 'like', video, getVideoLikesActivityPubUrl(video))	272
		273	if (redirectIfNotOwned(video.url, res)) return
		274
		275	const json = await videoRates(req, 'like', video, getLocalVideoLikesActivityPubUrl(video))
273		276
274	return activityPubResponse(activityPubContextify(json), res)	277	return activityPubResponse(activityPubContextify(json), res)
275	}	278	}
276		279
277	async function videoDislikesController (req: express.Request, res: express.Response) {	280	async function videoDislikesController (req: express.Request, res: express.Response) {
278	const video = res.locals.onlyImmutableVideo	281	const video = res.locals.onlyImmutableVideo
279	const json = await videoRates(req, 'dislike', video, getVideoDislikesActivityPubUrl(video))	282
		283	if (redirectIfNotOwned(video.url, res)) return
		284
		285	const json = await videoRates(req, 'dislike', video, getLocalVideoDislikesActivityPubUrl(video))
280		286
281	return activityPubResponse(activityPubContextify(json), res)	287	return activityPubResponse(activityPubContextify(json), res)
282	}	288	}
@@ -284,6 +290,8 @@ async function videoDislikesController (req: express.Request, res: express.Respo
284	async function videoCommentsController (req: express.Request, res: express.Response) {	290	async function videoCommentsController (req: express.Request, res: express.Response) {
285	const video = res.locals.onlyImmutableVideo	291	const video = res.locals.onlyImmutableVideo
286		292
		293	if (redirectIfNotOwned(video.url, res)) return
		294
287	const handler = async (start: number, count: number) => {	295	const handler = async (start: number, count: number) => {
288	const result = await VideoCommentModel.listAndCountByVideoForAP(video, start, count)	296	const result = await VideoCommentModel.listAndCountByVideoForAP(video, start, count)
289	return {	297	return {
@@ -291,7 +299,7 @@ async function videoCommentsController (req: express.Request, res: express.Respo
291	data: result.rows.map(r => r.url)	299	data: result.rows.map(r => r.url)
292	}	300	}
293	}	301	}
294	const json = await activityPubCollectionPagination(getVideoCommentsActivityPubUrl(video), handler, req.query.page)	302	const json = await activityPubCollectionPagination(getLocalVideoCommentsActivityPubUrl(video), handler, req.query.page)
295		303
296	return activityPubResponse(activityPubContextify(json), res)	304	return activityPubResponse(activityPubContextify(json), res)
297	}	305	}
@@ -319,7 +327,7 @@ async function videoChannelFollowingController (req: express.Request, res: expre
319	async function videoCommentController (req: express.Request, res: express.Response) {	327	async function videoCommentController (req: express.Request, res: express.Response) {
320	const videoComment = res.locals.videoCommentFull	328	const videoComment = res.locals.videoCommentFull
321		329
322	if (videoComment.url.startsWith(WEBSERVER.URL) === false) return res.redirect(videoComment.url)	330	if (redirectIfNotOwned(videoComment.url, res)) return
323		331
324	const threadParentComments = await VideoCommentModel.listThreadParentComments(videoComment, undefined)	332	const threadParentComments = await VideoCommentModel.listThreadParentComments(videoComment, undefined)
325	const isPublic = true // Comments are always public	333	const isPublic = true // Comments are always public
@@ -340,7 +348,8 @@ async function videoCommentController (req: express.Request, res: express.Respon
340		348
341	async function videoRedundancyController (req: express.Request, res: express.Response) {	349	async function videoRedundancyController (req: express.Request, res: express.Response) {
342	const videoRedundancy = res.locals.videoRedundancy	350	const videoRedundancy = res.locals.videoRedundancy
343	if (videoRedundancy.url.startsWith(WEBSERVER.URL) === false) return res.redirect(videoRedundancy.url)	351
		352	if (redirectIfNotOwned(videoRedundancy.url, res)) return
344		353
345	const serverActor = await getServerActor()	354	const serverActor = await getServerActor()
346		355
@@ -358,6 +367,8 @@ async function videoRedundancyController (req: express.Request, res: express.Res
358	async function videoPlaylistController (req: express.Request, res: express.Response) {	367	async function videoPlaylistController (req: express.Request, res: express.Response) {
359	const playlist = res.locals.videoPlaylistFull	368	const playlist = res.locals.videoPlaylistFull
360		369
		370	if (redirectIfNotOwned(playlist.url, res)) return
		371
361	// We need more attributes	372	// We need more attributes
362	playlist.OwnerAccount = await AccountModel.load(playlist.ownerAccountId)	373	playlist.OwnerAccount = await AccountModel.load(playlist.ownerAccountId)
363		374
@@ -371,6 +382,8 @@ async function videoPlaylistController (req: express.Request, res: express.Respo
371	function videoPlaylistElementController (req: express.Request, res: express.Response) {	382	function videoPlaylistElementController (req: express.Request, res: express.Response) {
372	const videoPlaylistElement = res.locals.videoPlaylistElementAP	383	const videoPlaylistElement = res.locals.videoPlaylistElementAP
373		384
		385	if (redirectIfNotOwned(videoPlaylistElement.url, res)) return
		386
374	const json = videoPlaylistElement.toActivityPubObject()	387	const json = videoPlaylistElement.toActivityPubObject()
375	return activityPubResponse(activityPubContextify(json), res)	388	return activityPubResponse(activityPubContextify(json), res)
376	}	389	}
@@ -411,3 +424,12 @@ function videoRates (req: express.Request, rateType: VideoRateType, video: MVide
411	}	424	}
412	return activityPubCollectionPagination(url, handler, req.query.page)	425	return activityPubCollectionPagination(url, handler, req.query.page)
413	}	426	}
		427
		428	function redirectIfNotOwned (url: string, res: express.Response) {
		429	if (url.startsWith(WEBSERVER.URL) === false) {
		430	res.redirect(url)
		431	return true
		432	}
		433
		434	return false
		435	}