1 files changed, 35 insertions, 31 deletions
diff --git a/server/middlewares/validators/videos.ts b/server/middlewares/validators/videos.ts
index 9befbc9ee..67eabe468 100644
--- a/server/middlewares/validators/videos.ts
+++ b/server/middlewares/validators/videos.ts
@@ -41,6 +41,7 @@ import { checkUserCanTerminateOwnershipChange, doesChangeVideoOwnershipExist } f
 import { VideoChangeOwnershipAccept } from '../../../shared/models/videos/video-change-ownership-accept.model'
 import { VideoChangeOwnershipModel } from '../../models/video/video-change-ownership'
 import { AccountModel } from '../../models/account/account'
+import { VideoFetchType } from '../../helpers/video'
 const videosAddValidator = getCommonVideoAttributes().concat([
  body('videofile')
@@ -128,47 +129,49 @@ const videosUpdateValidator = getCommonVideoAttributes().concat([
  }
 ])
-const videosGetValidator = [
+const videosCustomGetValidator = (fetchType: VideoFetchType) => {
-  param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
+  return [
+    param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
-  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
-    logger.debug('Checking videosGet parameters', { parameters: req.params })
-    if (areValidationErrors(req, res)) return
+    async (req: express.Request, res: express.Response, next: express.NextFunction) => {
-    if (!await isVideoExist(req.params.id, res)) return
+      logger.debug('Checking videosGet parameters', { parameters: req.params })
-    const video: VideoModel = res.locals.video
+      if (areValidationErrors(req, res)) return
+      if (!await isVideoExist(req.params.id, res, fetchType)) return
-    // Video private or blacklisted
+      const video: VideoModel = res.locals.video
-    if (video.privacy === VideoPrivacy.PRIVATE || video.VideoBlacklist) {
-      return authenticate(req, res, () => {
-        const user: UserModel = res.locals.oauth.token.User
-        // Only the owner or a user that have blacklist rights can see the video
+      // Video private or blacklisted
-        if (video.VideoChannel.Account.userId !== user.id && !user.hasRight(UserRight.MANAGE_VIDEO_BLACKLIST)) {
+      if (video.privacy === VideoPrivacy.PRIVATE || video.VideoBlacklist) {
-          return res.status(403)
+        return authenticate(req, res, () => {
-                    .json({ error: 'Cannot get this private or blacklisted video.' })
+          const user: UserModel = res.locals.oauth.token.User
-                    .end()
-        }
-        return next()
+          // Only the owner or a user that have blacklist rights can see the video
-      })
+          if (video.VideoChannel.Account.userId !== user.id && !user.hasRight(UserRight.MANAGE_VIDEO_BLACKLIST)) {
+            return res.status(403)
+                      .json({ error: 'Cannot get this private or blacklisted video.' })
+                      .end()
+          }
-      return
+          return next()
-    }
+        })
+      }
-    // Video is public, anyone can access it
+      // Video is public, anyone can access it
-    if (video.privacy === VideoPrivacy.PUBLIC) return next()
+      if (video.privacy === VideoPrivacy.PUBLIC) return next()
-    // Video is unlisted, check we used the uuid to fetch it
+      // Video is unlisted, check we used the uuid to fetch it
-    if (video.privacy === VideoPrivacy.UNLISTED) {
+      if (video.privacy === VideoPrivacy.UNLISTED) {
-      if (isUUIDValid(req.params.id)) return next()
+        if (isUUIDValid(req.params.id)) return next()
-      // Don't leak this unlisted video
+        // Don't leak this unlisted video
-      return res.status(404).end()
+        return res.status(404).end()
+      }
    }
-  }
+  ]
-]
+}
+const videosGetValidator = videosCustomGetValidator('all')
 const videosRemoveValidator = [
  param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
@@ -366,6 +369,7 @@ export {
  videosAddValidator,
  videosUpdateValidator,
  videosGetValidator,
+  videosCustomGetValidator,
  videosRemoveValidator,
  videosShareValidator,

diff --git a/server/middlewares/validators/videos.ts b/server/middlewares/validators/videos.ts index 9befbc9ee..67eabe468 100644 --- a/server/middlewares/validators/videos.ts +++ b/server/middlewares/validators/videos.ts
@@ -41,6 +41,7 @@ import { checkUserCanTerminateOwnershipChange, doesChangeVideoOwnershipExist } f
41	import { VideoChangeOwnershipAccept } from '../../../shared/models/videos/video-change-ownership-accept.model'	41	import { VideoChangeOwnershipAccept } from '../../../shared/models/videos/video-change-ownership-accept.model'
42	import { VideoChangeOwnershipModel } from '../../models/video/video-change-ownership'	42	import { VideoChangeOwnershipModel } from '../../models/video/video-change-ownership'
43	import { AccountModel } from '../../models/account/account'	43	import { AccountModel } from '../../models/account/account'
		44	import { VideoFetchType } from '../../helpers/video'
44		45
45	const videosAddValidator = getCommonVideoAttributes().concat([	46	const videosAddValidator = getCommonVideoAttributes().concat([
46	body('videofile')	47	body('videofile')
@@ -128,47 +129,49 @@ const videosUpdateValidator = getCommonVideoAttributes().concat([
128	}	129	}
129	])	130	])
130		131
131	const videosGetValidator = [	132	const videosCustomGetValidator = (fetchType: VideoFetchType) => {
132	param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),	133	return [
133		134	param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
134	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
135	logger.debug('Checking videosGet parameters', { parameters: req.params })
136		135
137	if (areValidationErrors(req, res)) return	136	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
138	if (!await isVideoExist(req.params.id, res)) return	137	logger.debug('Checking videosGet parameters', { parameters: req.params })
139		138
140	const video: VideoModel = res.locals.video	139	if (areValidationErrors(req, res)) return
		140	if (!await isVideoExist(req.params.id, res, fetchType)) return
141		141
142	// Video private or blacklisted	142	const video: VideoModel = res.locals.video
143	if (video.privacy === VideoPrivacy.PRIVATE \|\| video.VideoBlacklist) {
144	return authenticate(req, res, () => {
145	const user: UserModel = res.locals.oauth.token.User
146		143
147	// Only the owner or a user that have blacklist rights can see the video	144	// Video private or blacklisted
148	if (video.VideoChannel.Account.userId !== user.id && !user.hasRight(UserRight.MANAGE_VIDEO_BLACKLIST)) {	145	if (video.privacy === VideoPrivacy.PRIVATE \|\| video.VideoBlacklist) {
149	return res.status(403)	146	return authenticate(req, res, () => {
150	.json({ error: 'Cannot get this private or blacklisted video.' })	147	const user: UserModel = res.locals.oauth.token.User
151	.end()
152	}
153		148
154	return next()	149	// Only the owner or a user that have blacklist rights can see the video
155	})	150	if (video.VideoChannel.Account.userId !== user.id && !user.hasRight(UserRight.MANAGE_VIDEO_BLACKLIST)) {
		151	return res.status(403)
		152	.json({ error: 'Cannot get this private or blacklisted video.' })
		153	.end()
		154	}
156		155
157	return	156	return next()
158	}	157	})
		158	}
159		159
160	// Video is public, anyone can access it	160	// Video is public, anyone can access it
161	if (video.privacy === VideoPrivacy.PUBLIC) return next()	161	if (video.privacy === VideoPrivacy.PUBLIC) return next()
162		162
163	// Video is unlisted, check we used the uuid to fetch it	163	// Video is unlisted, check we used the uuid to fetch it
164	if (video.privacy === VideoPrivacy.UNLISTED) {	164	if (video.privacy === VideoPrivacy.UNLISTED) {
165	if (isUUIDValid(req.params.id)) return next()	165	if (isUUIDValid(req.params.id)) return next()
166		166
167	// Don't leak this unlisted video	167	// Don't leak this unlisted video
168	return res.status(404).end()	168	return res.status(404).end()
		169	}
169	}	170	}
170	}	171	]
171	]	172	}
		173
		174	const videosGetValidator = videosCustomGetValidator('all')
172		175
173	const videosRemoveValidator = [	176	const videosRemoveValidator = [
174	param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),	177	param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
@@ -366,6 +369,7 @@ export {
366	videosAddValidator,	369	videosAddValidator,
367	videosUpdateValidator,	370	videosUpdateValidator,
368	videosGetValidator,	371	videosGetValidator,
		372	videosCustomGetValidator,
369	videosRemoveValidator,	373	videosRemoveValidator,
370	videosShareValidator,	374	videosShareValidator,
371		375