diff options
Diffstat (limited to 'server/middlewares/validators/videos/videos.ts')
| -rw-r--r-- | server/middlewares/validators/videos/videos.ts | 28 |
1 files changed, 4 insertions, 24 deletions
diff --git a/server/middlewares/validators/videos/videos.ts b/server/middlewares/validators/videos/videos.ts index c75c3640b..c6d31f8f0 100644 --- a/server/middlewares/validators/videos/videos.ts +++ b/server/middlewares/validators/videos/videos.ts | |||
| @@ -7,14 +7,13 @@ import { getServerActor } from '@server/models/application/application' | |||
| 7 | import { ExpressPromiseHandler } from '@server/types/express-handler' | 7 | import { ExpressPromiseHandler } from '@server/types/express-handler' |
| 8 | import { MUserAccountId, MVideoFullLight } from '@server/types/models' | 8 | import { MUserAccountId, MVideoFullLight } from '@server/types/models' |
| 9 | import { getAllPrivacies } from '@shared/core-utils' | 9 | import { getAllPrivacies } from '@shared/core-utils' |
| 10 | import { HttpStatusCode, ServerErrorCode, UserRight, VideoInclude, VideoPrivacy } from '@shared/models' | 10 | import { HttpStatusCode, ServerErrorCode, UserRight, VideoInclude } from '@shared/models' |
| 11 | import { | 11 | import { |
| 12 | exists, | 12 | exists, |
| 13 | isBooleanValid, | 13 | isBooleanValid, |
| 14 | isDateValid, | 14 | isDateValid, |
| 15 | isFileValid, | 15 | isFileValid, |
| 16 | isIdValid, | 16 | isIdValid, |
| 17 | isUUIDValid, | ||
| 18 | toArray, | 17 | toArray, |
| 19 | toBooleanOrNull, | 18 | toBooleanOrNull, |
| 20 | toIntOrNull, | 19 | toIntOrNull, |
| @@ -50,7 +49,7 @@ import { Hooks } from '../../../lib/plugins/hooks' | |||
| 50 | import { VideoModel } from '../../../models/video/video' | 49 | import { VideoModel } from '../../../models/video/video' |
| 51 | import { | 50 | import { |
| 52 | areValidationErrors, | 51 | areValidationErrors, |
| 53 | checkCanSeePrivateVideo, | 52 | checkCanSeeVideo, |
| 54 | checkUserCanManageVideo, | 53 | checkUserCanManageVideo, |
| 55 | checkUserQuota, | 54 | checkUserQuota, |
| 56 | doesVideoChannelOfAccountExist, | 55 | doesVideoChannelOfAccountExist, |
| @@ -297,28 +296,9 @@ const videosCustomGetValidator = ( | |||
| 297 | 296 | ||
| 298 | const video = getVideoWithAttributes(res) as MVideoFullLight | 297 | const video = getVideoWithAttributes(res) as MVideoFullLight |
| 299 | 298 | ||
| 300 | // Video private or blacklisted | 299 | if (!await checkCanSeeVideo({ req, res, video, paramId: req.params.id, authenticateInQuery })) return |
| 301 | if (video.requiresAuth()) { | ||
| 302 | if (await checkCanSeePrivateVideo(req, res, video, authenticateInQuery)) { | ||
| 303 | return next() | ||
| 304 | } | ||
| 305 | 300 | ||
| 306 | return | 301 | return next() |
| 307 | } | ||
| 308 | |||
| 309 | // Video is public, anyone can access it | ||
| 310 | if (video.privacy === VideoPrivacy.PUBLIC) return next() | ||
| 311 | |||
| 312 | // Video is unlisted, check we used the uuid to fetch it | ||
| 313 | if (video.privacy === VideoPrivacy.UNLISTED) { | ||
| 314 | if (isUUIDValid(req.params.id)) return next() | ||
| 315 | |||
| 316 | // Don't leak this unlisted video | ||
| 317 | return res.fail({ | ||
| 318 | status: HttpStatusCode.NOT_FOUND_404, | ||
| 319 | message: 'Video not found' | ||
| 320 | }) | ||
| 321 | } | ||
| 322 | } | 302 | } |
| 323 | ] | 303 | ] |
| 324 | } | 304 | } |