diff options
Diffstat (limited to 'server/middlewares/validators')
| -rw-r--r-- | server/middlewares/validators/videos.ts | 33 |
1 files changed, 21 insertions, 12 deletions
diff --git a/server/middlewares/validators/videos.ts b/server/middlewares/validators/videos.ts index 203a00876..77d601a4d 100644 --- a/server/middlewares/validators/videos.ts +++ b/server/middlewares/validators/videos.ts | |||
| @@ -35,6 +35,8 @@ import { VideoShareModel } from '../../models/video/video-share' | |||
| 35 | import { authenticate } from '../oauth' | 35 | import { authenticate } from '../oauth' |
| 36 | import { areValidationErrors } from './utils' | 36 | import { areValidationErrors } from './utils' |
| 37 | import { cleanUpReqFiles } from '../../helpers/utils' | 37 | import { cleanUpReqFiles } from '../../helpers/utils' |
| 38 | import { VideoModel } from '../../models/video/video' | ||
| 39 | import { UserModel } from '../../models/account/user' | ||
| 38 | 40 | ||
| 39 | const videosAddValidator = getCommonVideoAttributes().concat([ | 41 | const videosAddValidator = getCommonVideoAttributes().concat([ |
| 40 | body('videofile') | 42 | body('videofile') |
| @@ -131,7 +133,25 @@ const videosGetValidator = [ | |||
| 131 | if (areValidationErrors(req, res)) return | 133 | if (areValidationErrors(req, res)) return |
| 132 | if (!await isVideoExist(req.params.id, res)) return | 134 | if (!await isVideoExist(req.params.id, res)) return |
| 133 | 135 | ||
| 134 | const video = res.locals.video | 136 | const video: VideoModel = res.locals.video |
| 137 | |||
| 138 | // Video private or blacklisted | ||
| 139 | if (video.privacy === VideoPrivacy.PRIVATE || video.VideoBlacklist) { | ||
| 140 | authenticate(req, res, () => { | ||
| 141 | const user: UserModel = res.locals.oauth.token.User | ||
| 142 | |||
| 143 | // Only the owner or a user that have blacklist rights can see the video | ||
| 144 | if (video.VideoChannel.Account.userId !== user.id && !user.hasRight(UserRight.MANAGE_VIDEO_BLACKLIST)) { | ||
| 145 | return res.status(403) | ||
| 146 | .json({ error: 'Cannot get this private or blacklisted video.' }) | ||
| 147 | .end() | ||
| 148 | } | ||
| 149 | |||
| 150 | return next() | ||
| 151 | }) | ||
| 152 | |||
| 153 | return | ||
| 154 | } | ||
| 135 | 155 | ||
| 136 | // Video is public, anyone can access it | 156 | // Video is public, anyone can access it |
| 137 | if (video.privacy === VideoPrivacy.PUBLIC) return next() | 157 | if (video.privacy === VideoPrivacy.PUBLIC) return next() |
| @@ -143,17 +163,6 @@ const videosGetValidator = [ | |||
| 143 | // Don't leak this unlisted video | 163 | // Don't leak this unlisted video |
| 144 | return res.status(404).end() | 164 | return res.status(404).end() |
| 145 | } | 165 | } |
| 146 | |||
| 147 | // Video is private, check the user | ||
| 148 | authenticate(req, res, () => { | ||
| 149 | if (video.VideoChannel.Account.userId !== res.locals.oauth.token.User.id) { | ||
| 150 | return res.status(403) | ||
| 151 | .json({ error: 'Cannot get this private video of another user' }) | ||
| 152 | .end() | ||
| 153 | } | ||
| 154 | |||
| 155 | return next() | ||
| 156 | }) | ||
| 157 | } | 166 | } |
| 158 | ] | 167 | ] |
| 159 | 168 | ||