Diffstat (limited to 'server/middlewares/validators/videos.ts')
-rw-r--r-- | server/middlewares/validators/videos.ts | 66 |
1 files changed, 35 insertions, 31 deletions
diff --git a/server/middlewares/validators/videos.ts b/server/middlewares/validators/videos.ts index 9befbc9ee..67eabe468 100644 --- a/server/middlewares/validators/videos.ts +++ b/server/middlewares/validators/videos.ts | |||
@@ -41,6 +41,7 @@ import { checkUserCanTerminateOwnershipChange, doesChangeVideoOwnershipExist } f | |||
41 | import { VideoChangeOwnershipAccept } from '../../../shared/models/videos/video-change-ownership-accept.model' | 41 | import { VideoChangeOwnershipAccept } from '../../../shared/models/videos/video-change-ownership-accept.model' |
42 | import { VideoChangeOwnershipModel } from '../../models/video/video-change-ownership' | 42 | import { VideoChangeOwnershipModel } from '../../models/video/video-change-ownership' |
43 | import { AccountModel } from '../../models/account/account' | 43 | import { AccountModel } from '../../models/account/account' |
44 | import { VideoFetchType } from '../../helpers/video' | ||
44 | 45 | ||
45 | const videosAddValidator = getCommonVideoAttributes().concat([ | 46 | const videosAddValidator = getCommonVideoAttributes().concat([ |
46 | body('videofile') | 47 | body('videofile') |
@@ -128,47 +129,49 @@ const videosUpdateValidator = getCommonVideoAttributes().concat([ | |||
128 | } | 129 | } |
129 | ]) | 130 | ]) |
130 | 131 | ||
131 | const videosGetValidator = [ | 132 | const videosCustomGetValidator = (fetchType: VideoFetchType) => { |
132 | param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'), | 133 | return [ |
133 | 134 | param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'), | |
134 | async (req: express.Request, res: express.Response, next: express.NextFunction) => { | ||
135 | logger.debug('Checking videosGet parameters', { parameters: req.params }) | ||
136 | 135 | ||
137 | if (areValidationErrors(req, res)) return | 136 | async (req: express.Request, res: express.Response, next: express.NextFunction) => { |
138 | if (!await isVideoExist(req.params.id, res)) return | 137 | logger.debug('Checking videosGet parameters', { parameters: req.params }) |
139 | 138 | ||
140 | const video: VideoModel = res.locals.video | 139 | if (areValidationErrors(req, res)) return |
140 | if (!await isVideoExist(req.params.id, res, fetchType)) return | ||
141 | 141 | ||
142 | // Video private or blacklisted | 142 | const video: VideoModel = res.locals.video |
143 | if (video.privacy === VideoPrivacy.PRIVATE || video.VideoBlacklist) { | ||
144 | return authenticate(req, res, () => { | ||
145 | const user: UserModel = res.locals.oauth.token.User | ||
146 | 143 | ||
147 | // Only the owner or a user that have blacklist rights can see the video | 144 | // Video private or blacklisted |
148 | if (video.VideoChannel.Account.userId !== user.id && !user.hasRight(UserRight.MANAGE_VIDEO_BLACKLIST)) { | 145 | if (video.privacy === VideoPrivacy.PRIVATE || video.VideoBlacklist) { |
149 | return res.status(403) | 146 | return authenticate(req, res, () => { |
150 | .json({ error: 'Cannot get this private or blacklisted video.' }) | 147 | const user: UserModel = res.locals.oauth.token.User |
151 | .end() | ||
152 | } | ||
153 | 148 | ||
154 | return next() | 149 | // Only the owner or a user that have blacklist rights can see the video |
155 | }) | 150 | if (video.VideoChannel.Account.userId !== user.id && !user.hasRight(UserRight.MANAGE_VIDEO_BLACKLIST)) { |
151 | return res.status(403) | ||
152 | .json({ error: 'Cannot get this private or blacklisted video.' }) | ||
153 | .end() | ||
154 | } | ||
156 | 155 | ||
157 | return | 156 | return next() |
158 | } | 157 | }) |
158 | } | ||
159 | 159 | ||
160 | // Video is public, anyone can access it | 160 | // Video is public, anyone can access it |
161 | if (video.privacy === VideoPrivacy.PUBLIC) return next() | 161 | if (video.privacy === VideoPrivacy.PUBLIC) return next() |
162 | 162 | ||
163 | // Video is unlisted, check we used the uuid to fetch it | 163 | // Video is unlisted, check we used the uuid to fetch it |
164 | if (video.privacy === VideoPrivacy.UNLISTED) { | 164 | if (video.privacy === VideoPrivacy.UNLISTED) { |
165 | if (isUUIDValid(req.params.id)) return next() | 165 | if (isUUIDValid(req.params.id)) return next() |
166 | 166 | ||
167 | // Don't leak this unlisted video | 167 | // Don't leak this unlisted video |
168 | return res.status(404).end() | 168 | return res.status(404).end() |
169 | } | ||
169 | } | 170 | } |
170 | } | 171 | ] |
171 | ] | 172 | } |
173 | |||
174 | const videosGetValidator = videosCustomGetValidator('all') | ||
172 | 175 | ||
173 | const videosRemoveValidator = [ | 176 | const videosRemoveValidator = [ |
174 | param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'), | 177 | param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'), |
@@ -366,6 +369,7 @@ export { | |||
366 | videosAddValidator, | 369 | videosAddValidator, |
367 | videosUpdateValidator, | 370 | videosUpdateValidator, |
368 | videosGetValidator, | 371 | videosGetValidator, |
372 | videosCustomGetValidator, | ||
369 | videosRemoveValidator, | 373 | videosRemoveValidator, |
370 | videosShareValidator, | 374 | videosShareValidator, |
371 | 375 | ||
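Review bot: The access check in `videosCustomGetValidator` (new lines 145-150) still reads `video.VideoBlacklist` and `video.VideoChannel.Account.userId`, but the model now comes from `isVideoExist(req.params.id, res, fetchType)` with a fetch type chosen by the caller. `VideoFetchType` and `isVideoExist` are defined outside this page, so this is inferred: if any fetch type other than `'all'` loads the video without those associations, `video.VideoBlacklist` would be undefined and a blacklisted public video would fall through to the `PUBLIC` branch and be served without authentication, while the owner comparison would throw on a private one. I would state the requirement above the `return [` line, for example `// fetchType must load VideoBlacklist and VideoChannel.Account: the private/blacklist check below depends on both`, and confirm that every fetch type accepted here actually loads them. Separately, a privacy value that matches none of the three branches ends the handler without calling `next()` or sending a response; a final `return res.status(404).end()` would make that path fail closed.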