Diffstat (limited to 'server/middlewares/validators/videos.ts')
-rw-r--r--server/middlewares/validators/videos.ts66
1 files changed, 35 insertions, 31 deletions
diff --git a/server/middlewares/validators/videos.ts b/server/middlewares/validators/videos.ts
index 9befbc9ee..67eabe468 100644
--- a/server/middlewares/validators/videos.ts
+++ b/server/middlewares/validators/videos.ts
@@ -41,6 +41,7 @@ import { checkUserCanTerminateOwnershipChange, doesChangeVideoOwnershipExist } f
41import { VideoChangeOwnershipAccept } from '../../../shared/models/videos/video-change-ownership-accept.model' 41import { VideoChangeOwnershipAccept } from '../../../shared/models/videos/video-change-ownership-accept.model'
42import { VideoChangeOwnershipModel } from '../../models/video/video-change-ownership' 42import { VideoChangeOwnershipModel } from '../../models/video/video-change-ownership'
43import { AccountModel } from '../../models/account/account' 43import { AccountModel } from '../../models/account/account'
44import { VideoFetchType } from '../../helpers/video'
44 45
45const videosAddValidator = getCommonVideoAttributes().concat([ 46const videosAddValidator = getCommonVideoAttributes().concat([
46 body('videofile') 47 body('videofile')
@@ -128,47 +129,49 @@ const videosUpdateValidator = getCommonVideoAttributes().concat([
128 } 129 }
129]) 130])
130 131
131const videosGetValidator = [ 132const videosCustomGetValidator = (fetchType: VideoFetchType) => {
132 param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'), 133 return [
133 134 param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
134 async (req: express.Request, res: express.Response, next: express.NextFunction) => {
135 logger.debug('Checking videosGet parameters', { parameters: req.params })
136 135
137 if (areValidationErrors(req, res)) return 136 async (req: express.Request, res: express.Response, next: express.NextFunction) => {
138 if (!await isVideoExist(req.params.id, res)) return 137 logger.debug('Checking videosGet parameters', { parameters: req.params })
139 138
140 const video: VideoModel = res.locals.video 139 if (areValidationErrors(req, res)) return
140 if (!await isVideoExist(req.params.id, res, fetchType)) return
141 141
142 // Video private or blacklisted 142 const video: VideoModel = res.locals.video
143 if (video.privacy === VideoPrivacy.PRIVATE || video.VideoBlacklist) {
144 return authenticate(req, res, () => {
145 const user: UserModel = res.locals.oauth.token.User
146 143
147 // Only the owner or a user that have blacklist rights can see the video 144 // Video private or blacklisted
148 if (video.VideoChannel.Account.userId !== user.id && !user.hasRight(UserRight.MANAGE_VIDEO_BLACKLIST)) { 145 if (video.privacy === VideoPrivacy.PRIVATE || video.VideoBlacklist) {
149 return res.status(403) 146 return authenticate(req, res, () => {
150 .json({ error: 'Cannot get this private or blacklisted video.' }) 147 const user: UserModel = res.locals.oauth.token.User
151 .end()
152 }
153 148
154 return next() 149 // Only the owner or a user that have blacklist rights can see the video
155 }) 150 if (video.VideoChannel.Account.userId !== user.id && !user.hasRight(UserRight.MANAGE_VIDEO_BLACKLIST)) {
151 return res.status(403)
152 .json({ error: 'Cannot get this private or blacklisted video.' })
153 .end()
154 }
156 155
157 return 156 return next()
158 } 157 })
158 }
159 159
160 // Video is public, anyone can access it 160 // Video is public, anyone can access it
161 if (video.privacy === VideoPrivacy.PUBLIC) return next() 161 if (video.privacy === VideoPrivacy.PUBLIC) return next()
162 162
163 // Video is unlisted, check we used the uuid to fetch it 163 // Video is unlisted, check we used the uuid to fetch it
164 if (video.privacy === VideoPrivacy.UNLISTED) { 164 if (video.privacy === VideoPrivacy.UNLISTED) {
165 if (isUUIDValid(req.params.id)) return next() 165 if (isUUIDValid(req.params.id)) return next()
166 166
167 // Don't leak this unlisted video 167 // Don't leak this unlisted video
168 return res.status(404).end() 168 return res.status(404).end()
169 }
169 } 170 }
170 } 171 ]
171] 172}
173
174const videosGetValidator = videosCustomGetValidator('all')
172 175
173const videosRemoveValidator = [ 176const videosRemoveValidator = [
174 param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'), 177 param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
@@ -366,6 +369,7 @@ export {
366 videosAddValidator, 369 videosAddValidator,
367 videosUpdateValidator, 370 videosUpdateValidator,
368 videosGetValidator, 371 videosGetValidator,
372 videosCustomGetValidator,
369 videosRemoveValidator, 373 videosRemoveValidator,
370 videosShareValidator, 374 videosShareValidator,
371 375
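Review bot: In the second hunk, the access gate that follows `isVideoExist(req.params.id, res, fetchType)` still reads `video.VideoBlacklist` and `video.VideoChannel.Account.userId`, but nothing ties those reads to what the chosen `fetchType` actually loads. Only `'all'` is visible on this page; if another fetch type returns the video without these associations (an inference, since `VideoFetchType` and `isVideoExist` are defined outside this diff), a blacklisted public video would have `VideoBlacklist` undefined and fall through to the `PUBLIC` branch, and a private one would throw on `VideoChannel.Account`. Because the factory is now exported, state the requirement at its definition, e.g. `// fetchType must load VideoBlacklist and VideoChannel.Account: the access check below depends on both`, and consider failing closed with a 403 when either association is missing. Separately, a privacy value that matches none of the three branches leaves the request with neither `next()` nor a response; that predates this commit.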