diff options
Diffstat (limited to 'server/middlewares/validators')
-rw-r--r-- | server/middlewares/validators/videos/videos.ts | 9 |
1 files changed, 4 insertions, 5 deletions
diff --git a/server/middlewares/validators/videos/videos.ts b/server/middlewares/validators/videos/videos.ts index be05b2a69..d51c86972 100644 --- a/server/middlewares/validators/videos/videos.ts +++ b/server/middlewares/validators/videos/videos.ts | |||
@@ -3,7 +3,7 @@ import { body, param, query, ValidationChain } from 'express-validator' | |||
3 | import { isAbleToUploadVideo } from '@server/lib/user' | 3 | import { isAbleToUploadVideo } from '@server/lib/user' |
4 | import { getServerActor } from '@server/models/application/application' | 4 | import { getServerActor } from '@server/models/application/application' |
5 | import { ExpressPromiseHandler } from '@server/types/express' | 5 | import { ExpressPromiseHandler } from '@server/types/express' |
6 | import { MVideoFullLight } from '@server/types/models' | 6 | import { MVideoFullLight, MVideoWithRights } from '@server/types/models' |
7 | import { ServerErrorCode, UserRight, VideoChangeOwnershipStatus, VideoPrivacy } from '../../../../shared' | 7 | import { ServerErrorCode, UserRight, VideoChangeOwnershipStatus, VideoPrivacy } from '../../../../shared' |
8 | import { HttpStatusCode } from '../../../../shared/core-utils/miscs/http-error-codes' | 8 | import { HttpStatusCode } from '../../../../shared/core-utils/miscs/http-error-codes' |
9 | import { VideoChangeOwnershipAccept } from '../../../../shared/models/videos/video-change-ownership-accept.model' | 9 | import { VideoChangeOwnershipAccept } from '../../../../shared/models/videos/video-change-ownership-accept.model' |
@@ -197,17 +197,16 @@ const videosCustomGetValidator = ( | |||
197 | // Controllers does not need to check video rights | 197 | // Controllers does not need to check video rights |
198 | if (fetchType === 'only-immutable-attributes') return next() | 198 | if (fetchType === 'only-immutable-attributes') return next() |
199 | 199 | ||
200 | const video = getVideoWithAttributes(res) | 200 | const video = getVideoWithAttributes(res) as MVideoWithRights |
201 | const videoAll = video as MVideoFullLight | ||
202 | 201 | ||
203 | // Video private or blacklisted | 202 | // Video private or blacklisted |
204 | if (videoAll.requiresAuth()) { | 203 | if (video.requiresAuth()) { |
205 | await authenticatePromiseIfNeeded(req, res, authenticateInQuery) | 204 | await authenticatePromiseIfNeeded(req, res, authenticateInQuery) |
206 | 205 | ||
207 | const user = res.locals.oauth ? res.locals.oauth.token.User : null | 206 | const user = res.locals.oauth ? res.locals.oauth.token.User : null |
208 | 207 | ||
209 | // Only the owner or a user that have blacklist rights can see the video | 208 | // Only the owner or a user that have blacklist rights can see the video |
210 | if (!user || !user.canGetVideo(videoAll)) { | 209 | if (!user || !user.canGetVideo(video)) { |
211 | return res.status(HttpStatusCode.FORBIDDEN_403) | 210 | return res.status(HttpStatusCode.FORBIDDEN_403) |
212 | .json({ error: 'Cannot get this private/internal or blacklisted video.' }) | 211 | .json({ error: 'Cannot get this private/internal or blacklisted video.' }) |
213 | } | 212 | } |