diff options
Diffstat (limited to 'server/middlewares/validators/videos/videos.ts')
| -rw-r--r-- | server/middlewares/validators/videos/videos.ts | 9 |
1 files changed, 3 insertions, 6 deletions
diff --git a/server/middlewares/validators/videos/videos.ts b/server/middlewares/validators/videos/videos.ts index ab984d84a..5e0182cc3 100644 --- a/server/middlewares/validators/videos/videos.ts +++ b/server/middlewares/validators/videos/videos.ts | |||
| @@ -161,18 +161,15 @@ const videosCustomGetValidator = (fetchType: 'all' | 'only-video' | 'only-video- | |||
| 161 | const videoAll = video as MVideoFullLight | 161 | const videoAll = video as MVideoFullLight |
| 162 | 162 | ||
| 163 | // Video private or blacklisted | 163 | // Video private or blacklisted |
| 164 | if (video.privacy === VideoPrivacy.PRIVATE || videoAll.VideoBlacklist) { | 164 | if (videoAll.requiresAuth()) { |
| 165 | await authenticatePromiseIfNeeded(req, res, authenticateInQuery) | 165 | await authenticatePromiseIfNeeded(req, res, authenticateInQuery) |
| 166 | 166 | ||
| 167 | const user = res.locals.oauth ? res.locals.oauth.token.User : null | 167 | const user = res.locals.oauth ? res.locals.oauth.token.User : null |
| 168 | 168 | ||
| 169 | // Only the owner or a user that have blacklist rights can see the video | 169 | // Only the owner or a user that have blacklist rights can see the video |
| 170 | if ( | 170 | if (!user || !user.canGetVideo(videoAll)) { |
| 171 | !user || | ||
| 172 | (videoAll.VideoChannel && videoAll.VideoChannel.Account.userId !== user.id && !user.hasRight(UserRight.MANAGE_VIDEO_BLACKLIST)) | ||
| 173 | ) { | ||
| 174 | return res.status(403) | 171 | return res.status(403) |
| 175 | .json({ error: 'Cannot get this private or blacklisted video.' }) | 172 | .json({ error: 'Cannot get this private/internal or blacklisted video.' }) |
| 176 | } | 173 | } |
| 177 | 174 | ||
| 178 | return next() | 175 | return next() |