1 files changed, 22 insertions, 1 deletions
diff --git a/server/middlewares/validators/videos/video-comments.ts b/server/middlewares/validators/videos/video-comments.ts
index 3ea8bdcbb..04e7b6973 100644
--- a/server/middlewares/validators/videos/video-comments.ts
+++ b/server/middlewares/validators/videos/video-comments.ts
@@ -9,7 +9,14 @@ import { logger } from '../../../helpers/logger'
 import { AcceptResult, isLocalVideoCommentReplyAccepted, isLocalVideoThreadAccepted } from '../../../lib/moderation'
 import { Hooks } from '../../../lib/plugins/hooks'
 import { MCommentOwnerVideoReply, MVideo, MVideoFullLight } from '../../../types/models/video'
-import { areValidationErrors, doesVideoCommentExist, doesVideoCommentThreadExist, doesVideoExist, isValidVideoIdParam } from '../shared'
+import {
+  areValidationErrors,
+  checkCanSeeVideoIfPrivate,
+  doesVideoCommentExist,
+  doesVideoCommentThreadExist,
+  doesVideoExist,
+  isValidVideoIdParam
+} from '../shared'
 const listVideoCommentsValidator = [
  query('isLocal')
@@ -48,6 +55,13 @@ const listVideoCommentThreadsValidator = [
    if (areValidationErrors(req, res)) return
    if (!await doesVideoExist(req.params.videoId, res, 'only-video')) return
+    if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.onlyVideo)) {
+      return res.fail({
+        status: HttpStatusCode.FORBIDDEN_403,
+        message: 'Cannot list comments of private/internal/blocklisted video'
+      })
+    }
    return next()
  }
 ]
@@ -65,6 +79,13 @@ const listVideoThreadCommentsValidator = [
    if (!await doesVideoExist(req.params.videoId, res, 'only-video')) return
    if (!await doesVideoCommentThreadExist(req.params.threadId, res.locals.onlyVideo, res)) return
+    if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.onlyVideo)) {
+      return res.fail({
+        status: HttpStatusCode.FORBIDDEN_403,
+        message: 'Cannot list threads of private/internal/blocklisted video'
+      })
+    }
    return next()
  }
 ]

diff --git a/server/middlewares/validators/videos/video-comments.ts b/server/middlewares/validators/videos/video-comments.ts index 3ea8bdcbb..04e7b6973 100644 --- a/server/middlewares/validators/videos/video-comments.ts +++ b/server/middlewares/validators/videos/video-comments.ts
@@ -9,7 +9,14 @@ import { logger } from '../../../helpers/logger'
9	import { AcceptResult, isLocalVideoCommentReplyAccepted, isLocalVideoThreadAccepted } from '../../../lib/moderation'	9	import { AcceptResult, isLocalVideoCommentReplyAccepted, isLocalVideoThreadAccepted } from '../../../lib/moderation'
10	import { Hooks } from '../../../lib/plugins/hooks'	10	import { Hooks } from '../../../lib/plugins/hooks'
11	import { MCommentOwnerVideoReply, MVideo, MVideoFullLight } from '../../../types/models/video'	11	import { MCommentOwnerVideoReply, MVideo, MVideoFullLight } from '../../../types/models/video'
12	import { areValidationErrors, doesVideoCommentExist, doesVideoCommentThreadExist, doesVideoExist, isValidVideoIdParam } from '../shared'	12	import {
		13	areValidationErrors,
		14	checkCanSeeVideoIfPrivate,
		15	doesVideoCommentExist,
		16	doesVideoCommentThreadExist,
		17	doesVideoExist,
		18	isValidVideoIdParam
		19	} from '../shared'
13		20
14	const listVideoCommentsValidator = [	21	const listVideoCommentsValidator = [
15	query('isLocal')	22	query('isLocal')
@@ -48,6 +55,13 @@ const listVideoCommentThreadsValidator = [
48	if (areValidationErrors(req, res)) return	55	if (areValidationErrors(req, res)) return
49	if (!await doesVideoExist(req.params.videoId, res, 'only-video')) return	56	if (!await doesVideoExist(req.params.videoId, res, 'only-video')) return
50		57
		58	if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.onlyVideo)) {
		59	return res.fail({
		60	status: HttpStatusCode.FORBIDDEN_403,
		61	message: 'Cannot list comments of private/internal/blocklisted video'
		62	})
		63	}
		64
51	return next()	65	return next()
52	}	66	}
53	]	67	]
@@ -65,6 +79,13 @@ const listVideoThreadCommentsValidator = [
65	if (!await doesVideoExist(req.params.videoId, res, 'only-video')) return	79	if (!await doesVideoExist(req.params.videoId, res, 'only-video')) return
66	if (!await doesVideoCommentThreadExist(req.params.threadId, res.locals.onlyVideo, res)) return	80	if (!await doesVideoCommentThreadExist(req.params.threadId, res.locals.onlyVideo, res)) return
67		81
		82	if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.onlyVideo)) {
		83	return res.fail({
		84	status: HttpStatusCode.FORBIDDEN_403,
		85	message: 'Cannot list threads of private/internal/blocklisted video'
		86	})
		87	}
		88
68	return next()	89	return next()
69	}	90	}
70	]	91	]