2 files changed, 25 insertions, 16 deletions
diff --git a/server/middlewares/validators/videos/video-captions.ts b/server/middlewares/validators/videos/video-captions.ts
index 38321ccf9..4fc4c8ec5 100644
--- a/server/middlewares/validators/videos/video-captions.ts
+++ b/server/middlewares/validators/videos/video-captions.ts
@@ -1,11 +1,18 @@
 import express from 'express'
 import { body, param } from 'express-validator'
-import { UserRight } from '../../../../shared'
+import { HttpStatusCode, UserRight } from '../../../../shared'
 import { isVideoCaptionFile, isVideoCaptionLanguageValid } from '../../../helpers/custom-validators/video-captions'
 import { cleanUpReqFiles } from '../../../helpers/express-utils'
 import { logger } from '../../../helpers/logger'
 import { CONSTRAINTS_FIELDS, MIMETYPES } from '../../../initializers/constants'
-import { areValidationErrors, checkUserCanManageVideo, doesVideoCaptionExist, doesVideoExist, isValidVideoIdParam } from '../shared'
+import {
+  areValidationErrors,
+  checkCanSeeVideoIfPrivate,
+  checkUserCanManageVideo,
+  doesVideoCaptionExist,
+  doesVideoExist,
+  isValidVideoIdParam
+} from '../shared'
 const addVideoCaptionValidator = [
  isValidVideoIdParam('videoId'),
@@ -64,7 +71,16 @@ const listVideoCaptionsValidator = [
    logger.debug('Checking listVideoCaptions parameters', { parameters: req.params })
    if (areValidationErrors(req, res)) return
-    if (!await doesVideoExist(req.params.videoId, res, 'id')) return
+    if (!await doesVideoExist(req.params.videoId, res, 'only-video')) return
+    const video = res.locals.onlyVideo
+    if (!await checkCanSeeVideoIfPrivate(req, res, video)) {
+      return res.fail({
+        status: HttpStatusCode.FORBIDDEN_403,
+        message: 'Cannot list captions of private/internal/blocklisted video'
+      })
+    }
    return next()
  }
diff --git a/server/middlewares/validators/videos/videos.ts b/server/middlewares/validators/videos/videos.ts
index 3ebdbc33d..782f495e8 100644
--- a/server/middlewares/validators/videos/videos.ts
+++ b/server/middlewares/validators/videos/videos.ts
@@ -51,9 +51,9 @@ import { CONSTRAINTS_FIELDS, OVERVIEWS } from '../../../initializers/constants'
 import { isLocalVideoAccepted } from '../../../lib/moderation'
 import { Hooks } from '../../../lib/plugins/hooks'
 import { VideoModel } from '../../../models/video/video'
-import { authenticatePromiseIfNeeded } from '../../auth'
 import {
  areValidationErrors,
+  checkCanSeePrivateVideo,
  checkUserCanManageVideo,
  doesVideoChannelOfAccountExist,
  doesVideoExist,
@@ -317,19 +317,12 @@ const videosCustomGetValidator = (
      // Video private or blacklisted
      if (video.requiresAuth()) {
-        await authenticatePromiseIfNeeded(req, res, authenticateInQuery)
+        if (await checkCanSeePrivateVideo(req, res, video, authenticateInQuery)) return next()
-        const user = res.locals.oauth ? res.locals.oauth.token.User : null
+        return res.fail({
+          status: HttpStatusCode.FORBIDDEN_403,
-        // Only the owner or a user that have blocklist rights can see the video
+          message: 'Cannot get this private/internal or blocklisted video'
-        if (!user || !user.canGetVideo(video)) {
+        })
-          return res.fail({
-            status: HttpStatusCode.FORBIDDEN_403,
-            message: 'Cannot get this private/internal or blocklisted video'
-          })
-        }
-        return next()
      }
      // Video is public, anyone can access it

diff --git a/server/middlewares/validators/videos/video-captions.ts b/server/middlewares/validators/videos/video-captions.ts index 38321ccf9..4fc4c8ec5 100644 --- a/server/middlewares/validators/videos/video-captions.ts +++ b/server/middlewares/validators/videos/video-captions.ts
@@ -1,11 +1,18 @@
1	import express from 'express'	1	import express from 'express'
2	import { body, param } from 'express-validator'	2	import { body, param } from 'express-validator'
3	import { UserRight } from '../../../../shared'	3	import { HttpStatusCode, UserRight } from '../../../../shared'
4	import { isVideoCaptionFile, isVideoCaptionLanguageValid } from '../../../helpers/custom-validators/video-captions'	4	import { isVideoCaptionFile, isVideoCaptionLanguageValid } from '../../../helpers/custom-validators/video-captions'
5	import { cleanUpReqFiles } from '../../../helpers/express-utils'	5	import { cleanUpReqFiles } from '../../../helpers/express-utils'
6	import { logger } from '../../../helpers/logger'	6	import { logger } from '../../../helpers/logger'
7	import { CONSTRAINTS_FIELDS, MIMETYPES } from '../../../initializers/constants'	7	import { CONSTRAINTS_FIELDS, MIMETYPES } from '../../../initializers/constants'
8	import { areValidationErrors, checkUserCanManageVideo, doesVideoCaptionExist, doesVideoExist, isValidVideoIdParam } from '../shared'	8	import {
		9	areValidationErrors,
		10	checkCanSeeVideoIfPrivate,
		11	checkUserCanManageVideo,
		12	doesVideoCaptionExist,
		13	doesVideoExist,
		14	isValidVideoIdParam
		15	} from '../shared'
9		16
10	const addVideoCaptionValidator = [	17	const addVideoCaptionValidator = [
11	isValidVideoIdParam('videoId'),	18	isValidVideoIdParam('videoId'),
@@ -64,7 +71,16 @@ const listVideoCaptionsValidator = [
64	logger.debug('Checking listVideoCaptions parameters', { parameters: req.params })	71	logger.debug('Checking listVideoCaptions parameters', { parameters: req.params })
65		72
66	if (areValidationErrors(req, res)) return	73	if (areValidationErrors(req, res)) return
67	if (!await doesVideoExist(req.params.videoId, res, 'id')) return	74	if (!await doesVideoExist(req.params.videoId, res, 'only-video')) return
		75
		76	const video = res.locals.onlyVideo
		77
		78	if (!await checkCanSeeVideoIfPrivate(req, res, video)) {
		79	return res.fail({
		80	status: HttpStatusCode.FORBIDDEN_403,
		81	message: 'Cannot list captions of private/internal/blocklisted video'
		82	})
		83	}
68		84
69	return next()	85	return next()
70	}	86	}


diff --git a/server/middlewares/validators/videos/videos.ts b/server/middlewares/validators/videos/videos.ts index 3ebdbc33d..782f495e8 100644 --- a/server/middlewares/validators/videos/videos.ts +++ b/server/middlewares/validators/videos/videos.ts
@@ -51,9 +51,9 @@ import { CONSTRAINTS_FIELDS, OVERVIEWS } from '../../../initializers/constants'
51	import { isLocalVideoAccepted } from '../../../lib/moderation'	51	import { isLocalVideoAccepted } from '../../../lib/moderation'
52	import { Hooks } from '../../../lib/plugins/hooks'	52	import { Hooks } from '../../../lib/plugins/hooks'
53	import { VideoModel } from '../../../models/video/video'	53	import { VideoModel } from '../../../models/video/video'
54	import { authenticatePromiseIfNeeded } from '../../auth'
55	import {	54	import {
56	areValidationErrors,	55	areValidationErrors,
		56	checkCanSeePrivateVideo,
57	checkUserCanManageVideo,	57	checkUserCanManageVideo,
58	doesVideoChannelOfAccountExist,	58	doesVideoChannelOfAccountExist,
59	doesVideoExist,	59	doesVideoExist,
@@ -317,19 +317,12 @@ const videosCustomGetValidator = (
317		317
318	// Video private or blacklisted	318	// Video private or blacklisted
319	if (video.requiresAuth()) {	319	if (video.requiresAuth()) {
320	await authenticatePromiseIfNeeded(req, res, authenticateInQuery)	320	if (await checkCanSeePrivateVideo(req, res, video, authenticateInQuery)) return next()
321		321
322	const user = res.locals.oauth ? res.locals.oauth.token.User : null	322	return res.fail({
323		323	status: HttpStatusCode.FORBIDDEN_403,
324	// Only the owner or a user that have blocklist rights can see the video	324	message: 'Cannot get this private/internal or blocklisted video'
325	if (!user \|\| !user.canGetVideo(video)) {	325	})
326	return res.fail({
327	status: HttpStatusCode.FORBIDDEN_403,
328	message: 'Cannot get this private/internal or blocklisted video'
329	})
330	}
331
332	return next()
333	}	326	}
334		327
335	// Video is public, anyone can access it	328	// Video is public, anyone can access it