Diffstat (limited to 'server/middlewares/validators/videos/videos.ts')
-rw-r--r-- | server/middlewares/validators/videos/videos.ts | 19 |
1 files changed, 6 insertions, 13 deletions
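--- a/server/middlewares/validators/videos/videos.ts
+++ b/server/middlewares/validators/videos/videos.ts
@@ -49,9 +49,9 @@ import { CONSTRAINTS_FIELDS, OVERVIEWS } from '../../../initializers/constants'
 import { isLocalVideoAccepted } from '../../../lib/moderation'
 import { Hooks } from '../../../lib/plugins/hooks'
 import { VideoModel } from '../../../models/video/video'
-import { authenticatePromiseIfNeeded } from '../../auth'
 import {
 areValidationErrors,
+checkCanSeePrivateVideo,
 checkUserCanManageVideo,
 doesVideoChannelOfAccountExist,
 doesVideoExist,
@@ -315,19 +315,12 @@ const videosCustomGetValidator = (
 
 // Video private or blacklisted
 if (video.requiresAuth()) {
-await authenticatePromiseIfNeeded(req, res, authenticateInQuery)
+if (await checkCanSeePrivateVideo(req, res, video, authenticateInQuery)) return next()
 
-const user = res.locals.oauth ? res.locals.oauth.token.User : null
-
-// Only the owner or a user that have blocklist rights can see the video
-if (!user || !user.canGetVideo(video)) {
-return res.fail({
-status: HttpStatusCode.FORBIDDEN_403,
-message: 'Cannot get this private/internal or blocklisted video'
-})
-}
-
-return next()
+return res.fail({
+status: HttpStatusCode.FORBIDDEN_403,
+message: 'Cannot get this private/internal or blocklisted video'
+})
 }
 
 // Video is public, anyone can access it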
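Review bot: The access decision inside `if (video.requiresAuth())` now rests entirely on the return value of `checkCanSeePrivateVideo`, and the comment that stated the policy was dropped along with the inline check. The helper's body is not in this diff, so it should be confirmed that it returns false, without throwing and without writing a response itself, both for anonymous requests (the old `!user` case) and for authenticated users who fail `canGetVideo`; otherwise the `res.fail` that follows could attempt a second response. The default-deny shape (403 unless the helper says yes) is good and worth preserving. I would restore the policy note at the call site, for example `// Only the owner or a user with blocklist rights may see the video; the helper must not send a response itself`. The body of `videosCustomGetValidator` starts and ends outside this hunk.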