aboutsummaryrefslogtreecommitdiffhomepage
path: root/server/middlewares/validators/videos
diff options
context:
space:
mode:
Diffstat (limited to 'server/middlewares/validators/videos')
-rw-r--r--server/middlewares/validators/videos/video-captions.ts22
-rw-r--r--server/middlewares/validators/videos/videos.ts19
2 files changed, 25 insertions, 16 deletions
diff --git a/server/middlewares/validators/videos/video-captions.ts b/server/middlewares/validators/videos/video-captions.ts
index 38321ccf9..4fc4c8ec5 100644
--- a/server/middlewares/validators/videos/video-captions.ts
+++ b/server/middlewares/validators/videos/video-captions.ts
@@ -1,11 +1,18 @@
1import express from 'express' 1import express from 'express'
2import { body, param } from 'express-validator' 2import { body, param } from 'express-validator'
3import { UserRight } from '../../../../shared' 3import { HttpStatusCode, UserRight } from '../../../../shared'
4import { isVideoCaptionFile, isVideoCaptionLanguageValid } from '../../../helpers/custom-validators/video-captions' 4import { isVideoCaptionFile, isVideoCaptionLanguageValid } from '../../../helpers/custom-validators/video-captions'
5import { cleanUpReqFiles } from '../../../helpers/express-utils' 5import { cleanUpReqFiles } from '../../../helpers/express-utils'
6import { logger } from '../../../helpers/logger' 6import { logger } from '../../../helpers/logger'
7import { CONSTRAINTS_FIELDS, MIMETYPES } from '../../../initializers/constants' 7import { CONSTRAINTS_FIELDS, MIMETYPES } from '../../../initializers/constants'
8import { areValidationErrors, checkUserCanManageVideo, doesVideoCaptionExist, doesVideoExist, isValidVideoIdParam } from '../shared' 8import {
9 areValidationErrors,
10 checkCanSeeVideoIfPrivate,
11 checkUserCanManageVideo,
12 doesVideoCaptionExist,
13 doesVideoExist,
14 isValidVideoIdParam
15} from '../shared'
9 16
10const addVideoCaptionValidator = [ 17const addVideoCaptionValidator = [
11 isValidVideoIdParam('videoId'), 18 isValidVideoIdParam('videoId'),
@@ -64,7 +71,16 @@ const listVideoCaptionsValidator = [
64 logger.debug('Checking listVideoCaptions parameters', { parameters: req.params }) 71 logger.debug('Checking listVideoCaptions parameters', { parameters: req.params })
65 72
66 if (areValidationErrors(req, res)) return 73 if (areValidationErrors(req, res)) return
67 if (!await doesVideoExist(req.params.videoId, res, 'id')) return 74 if (!await doesVideoExist(req.params.videoId, res, 'only-video')) return
75
76 const video = res.locals.onlyVideo
77
78 if (!await checkCanSeeVideoIfPrivate(req, res, video)) {
79 return res.fail({
80 status: HttpStatusCode.FORBIDDEN_403,
81 message: 'Cannot list captions of private/internal/blocklisted video'
82 })
83 }
68 84
69 return next() 85 return next()
70 } 86 }
diff --git a/server/middlewares/validators/videos/videos.ts b/server/middlewares/validators/videos/videos.ts
index 3ebdbc33d..782f495e8 100644
--- a/server/middlewares/validators/videos/videos.ts
+++ b/server/middlewares/validators/videos/videos.ts
@@ -51,9 +51,9 @@ import { CONSTRAINTS_FIELDS, OVERVIEWS } from '../../../initializers/constants'
51import { isLocalVideoAccepted } from '../../../lib/moderation' 51import { isLocalVideoAccepted } from '../../../lib/moderation'
52import { Hooks } from '../../../lib/plugins/hooks' 52import { Hooks } from '../../../lib/plugins/hooks'
53import { VideoModel } from '../../../models/video/video' 53import { VideoModel } from '../../../models/video/video'
54import { authenticatePromiseIfNeeded } from '../../auth'
55import { 54import {
56 areValidationErrors, 55 areValidationErrors,
56 checkCanSeePrivateVideo,
57 checkUserCanManageVideo, 57 checkUserCanManageVideo,
58 doesVideoChannelOfAccountExist, 58 doesVideoChannelOfAccountExist,
59 doesVideoExist, 59 doesVideoExist,
@@ -317,19 +317,12 @@ const videosCustomGetValidator = (
317 317
318 // Video private or blacklisted 318 // Video private or blacklisted
319 if (video.requiresAuth()) { 319 if (video.requiresAuth()) {
320 await authenticatePromiseIfNeeded(req, res, authenticateInQuery) 320 if (await checkCanSeePrivateVideo(req, res, video, authenticateInQuery)) return next()
321 321
322 const user = res.locals.oauth ? res.locals.oauth.token.User : null 322 return res.fail({
323 323 status: HttpStatusCode.FORBIDDEN_403,
324 // Only the owner or a user that have blocklist rights can see the video 324 message: 'Cannot get this private/internal or blocklisted video'
325 if (!user || !user.canGetVideo(video)) { 325 })
326 return res.fail({
327 status: HttpStatusCode.FORBIDDEN_403,
328 message: 'Cannot get this private/internal or blocklisted video'
329 })
330 }
331
332 return next()
333 } 326 }
334 327
335 // Video is public, anyone can access it 328 // Video is public, anyone can access it