1 files changed, 6 insertions, 13 deletions
diff --git a/server/middlewares/validators/videos/videos.ts b/server/middlewares/validators/videos/videos.ts
index bf5f1c97b..3a1a905f3 100644
--- a/server/middlewares/validators/videos/videos.ts
+++ b/server/middlewares/validators/videos/videos.ts
@@ -49,9 +49,9 @@ import { CONSTRAINTS_FIELDS, OVERVIEWS } from '../../../initializers/constants'
 import { isLocalVideoAccepted } from '../../../lib/moderation'
 import { Hooks } from '../../../lib/plugins/hooks'
 import { VideoModel } from '../../../models/video/video'
-import { authenticatePromiseIfNeeded } from '../../auth'
 import {
  areValidationErrors,
+  checkCanSeePrivateVideo,
  checkUserCanManageVideo,
  doesVideoChannelOfAccountExist,
  doesVideoExist,
@@ -315,19 +315,12 @@ const videosCustomGetValidator = (
      // Video private or blacklisted
      if (video.requiresAuth()) {
-        await authenticatePromiseIfNeeded(req, res, authenticateInQuery)
+        if (await checkCanSeePrivateVideo(req, res, video, authenticateInQuery)) return next()
-        const user = res.locals.oauth ? res.locals.oauth.token.User : null
+        return res.fail({
+          status: HttpStatusCode.FORBIDDEN_403,
-        // Only the owner or a user that have blocklist rights can see the video
+          message: 'Cannot get this private/internal or blocklisted video'
-        if (!user || !user.canGetVideo(video)) {
+        })
-          return res.fail({
-            status: HttpStatusCode.FORBIDDEN_403,
-            message: 'Cannot get this private/internal or blocklisted video'
-          })
-        }
-        return next()
      }
      // Video is public, anyone can access it

diff --git a/server/middlewares/validators/videos/videos.ts b/server/middlewares/validators/videos/videos.ts index bf5f1c97b..3a1a905f3 100644 --- a/server/middlewares/validators/videos/videos.ts +++ b/server/middlewares/validators/videos/videos.ts
@@ -49,9 +49,9 @@ import { CONSTRAINTS_FIELDS, OVERVIEWS } from '../../../initializers/constants'
49	import { isLocalVideoAccepted } from '../../../lib/moderation'	49	import { isLocalVideoAccepted } from '../../../lib/moderation'
50	import { Hooks } from '../../../lib/plugins/hooks'	50	import { Hooks } from '../../../lib/plugins/hooks'
51	import { VideoModel } from '../../../models/video/video'	51	import { VideoModel } from '../../../models/video/video'
52	import { authenticatePromiseIfNeeded } from '../../auth'
53	import {	52	import {
54	areValidationErrors,	53	areValidationErrors,
		54	checkCanSeePrivateVideo,
55	checkUserCanManageVideo,	55	checkUserCanManageVideo,
56	doesVideoChannelOfAccountExist,	56	doesVideoChannelOfAccountExist,
57	doesVideoExist,	57	doesVideoExist,
@@ -315,19 +315,12 @@ const videosCustomGetValidator = (
315		315
316	// Video private or blacklisted	316	// Video private or blacklisted
317	if (video.requiresAuth()) {	317	if (video.requiresAuth()) {
318	await authenticatePromiseIfNeeded(req, res, authenticateInQuery)	318	if (await checkCanSeePrivateVideo(req, res, video, authenticateInQuery)) return next()
319		319
320	const user = res.locals.oauth ? res.locals.oauth.token.User : null	320	return res.fail({
321		321	status: HttpStatusCode.FORBIDDEN_403,
322	// Only the owner or a user that have blocklist rights can see the video	322	message: 'Cannot get this private/internal or blocklisted video'
323	if (!user \|\| !user.canGetVideo(video)) {	323	})
324	return res.fail({
325	status: HttpStatusCode.FORBIDDEN_403,
326	message: 'Cannot get this private/internal or blocklisted video'
327	})
328	}
329
330	return next()
331	}	324	}
332		325
333	// Video is public, anyone can access it	326	// Video is public, anyone can access it