2 files changed, 37 insertions, 33 deletions
diff --git a/server/middlewares/validators/video-comments.ts b/server/middlewares/validators/video-comments.ts
index 4b15eed23..693852499 100644
--- a/server/middlewares/validators/video-comments.ts
+++ b/server/middlewares/validators/video-comments.ts
@@ -78,7 +78,7 @@ const videoCommentGetValidator = [
    logger.debug('Checking videoCommentGetValidator parameters.', { parameters: req.params })
    if (areValidationErrors(req, res)) return
-    if (!await isVideoExist(req.params.videoId, res)) return
+    if (!await isVideoExist(req.params.videoId, res, 'id')) return
    if (!await isVideoCommentExist(req.params.commentId, res.locals.video, res)) return
    return next()
diff --git a/server/middlewares/validators/videos.ts b/server/middlewares/validators/videos.ts
index 9befbc9ee..8aa7b3a39 100644
--- a/server/middlewares/validators/videos.ts
+++ b/server/middlewares/validators/videos.ts
@@ -26,7 +26,8 @@ import {
  isVideoPrivacyValid,
  isVideoRatingTypeValid,
  isVideoSupportValid,
-  isVideoTagsValid
+  isVideoTagsValid,
+  VideoFetchType
 } from '../../helpers/custom-validators/videos'
 import { getDurationFromVideoFile } from '../../helpers/ffmpeg-utils'
 import { logger } from '../../helpers/logger'
@@ -128,47 +129,49 @@ const videosUpdateValidator = getCommonVideoAttributes().concat([
  }
 ])
-const videosGetValidator = [
+const videosCustomGetValidator = (fetchType: VideoFetchType) => {
-  param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
+  return [
+    param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
-  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
-    logger.debug('Checking videosGet parameters', { parameters: req.params })
-    if (areValidationErrors(req, res)) return
+    async (req: express.Request, res: express.Response, next: express.NextFunction) => {
-    if (!await isVideoExist(req.params.id, res)) return
+      logger.debug('Checking videosGet parameters', { parameters: req.params })
-    const video: VideoModel = res.locals.video
+      if (areValidationErrors(req, res)) return
+      if (!await isVideoExist(req.params.id, res, fetchType)) return
-    // Video private or blacklisted
+      const video: VideoModel = res.locals.video
-    if (video.privacy === VideoPrivacy.PRIVATE || video.VideoBlacklist) {
-      return authenticate(req, res, () => {
-        const user: UserModel = res.locals.oauth.token.User
-        // Only the owner or a user that have blacklist rights can see the video
+      // Video private or blacklisted
-        if (video.VideoChannel.Account.userId !== user.id && !user.hasRight(UserRight.MANAGE_VIDEO_BLACKLIST)) {
+      if (video.privacy === VideoPrivacy.PRIVATE || video.VideoBlacklist) {
-          return res.status(403)
+        return authenticate(req, res, () => {
-                    .json({ error: 'Cannot get this private or blacklisted video.' })
+          const user: UserModel = res.locals.oauth.token.User
-                    .end()
-        }
-        return next()
+          // Only the owner or a user that have blacklist rights can see the video
-      })
+          if (video.VideoChannel.Account.userId !== user.id && !user.hasRight(UserRight.MANAGE_VIDEO_BLACKLIST)) {
+            return res.status(403)
+                      .json({ error: 'Cannot get this private or blacklisted video.' })
+                      .end()
+          }
-      return
+          return next()
-    }
+        })
+      }
-    // Video is public, anyone can access it
+      // Video is public, anyone can access it
-    if (video.privacy === VideoPrivacy.PUBLIC) return next()
+      if (video.privacy === VideoPrivacy.PUBLIC) return next()
-    // Video is unlisted, check we used the uuid to fetch it
+      // Video is unlisted, check we used the uuid to fetch it
-    if (video.privacy === VideoPrivacy.UNLISTED) {
+      if (video.privacy === VideoPrivacy.UNLISTED) {
-      if (isUUIDValid(req.params.id)) return next()
+        if (isUUIDValid(req.params.id)) return next()
-      // Don't leak this unlisted video
+        // Don't leak this unlisted video
-      return res.status(404).end()
+        return res.status(404).end()
+      }
    }
-  }
+  ]
-]
+}
+const videosGetValidator = videosCustomGetValidator('all')
 const videosRemoveValidator = [
  param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
@@ -366,6 +369,7 @@ export {
  videosAddValidator,
  videosUpdateValidator,
  videosGetValidator,
+  videosCustomGetValidator,
  videosRemoveValidator,
  videosShareValidator,

diff --git a/server/middlewares/validators/video-comments.ts b/server/middlewares/validators/video-comments.ts index 4b15eed23..693852499 100644 --- a/server/middlewares/validators/video-comments.ts +++ b/server/middlewares/validators/video-comments.ts
@@ -78,7 +78,7 @@ const videoCommentGetValidator = [
78	logger.debug('Checking videoCommentGetValidator parameters.', { parameters: req.params })	78	logger.debug('Checking videoCommentGetValidator parameters.', { parameters: req.params })
79		79
80	if (areValidationErrors(req, res)) return	80	if (areValidationErrors(req, res)) return
81	if (!await isVideoExist(req.params.videoId, res)) return	81	if (!await isVideoExist(req.params.videoId, res, 'id')) return
82	if (!await isVideoCommentExist(req.params.commentId, res.locals.video, res)) return	82	if (!await isVideoCommentExist(req.params.commentId, res.locals.video, res)) return
83		83
84	return next()	84	return next()


diff --git a/server/middlewares/validators/videos.ts b/server/middlewares/validators/videos.ts index 9befbc9ee..8aa7b3a39 100644 --- a/server/middlewares/validators/videos.ts +++ b/server/middlewares/validators/videos.ts
@@ -26,7 +26,8 @@ import {
26	isVideoPrivacyValid,	26	isVideoPrivacyValid,
27	isVideoRatingTypeValid,	27	isVideoRatingTypeValid,
28	isVideoSupportValid,	28	isVideoSupportValid,
29	isVideoTagsValid	29	isVideoTagsValid,
		30	VideoFetchType
30	} from '../../helpers/custom-validators/videos'	31	} from '../../helpers/custom-validators/videos'
31	import { getDurationFromVideoFile } from '../../helpers/ffmpeg-utils'	32	import { getDurationFromVideoFile } from '../../helpers/ffmpeg-utils'
32	import { logger } from '../../helpers/logger'	33	import { logger } from '../../helpers/logger'
@@ -128,47 +129,49 @@ const videosUpdateValidator = getCommonVideoAttributes().concat([
128	}	129	}
129	])	130	])
130		131
131	const videosGetValidator = [	132	const videosCustomGetValidator = (fetchType: VideoFetchType) => {
132	param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),	133	return [
133		134	param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
134	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
135	logger.debug('Checking videosGet parameters', { parameters: req.params })
136		135
137	if (areValidationErrors(req, res)) return	136	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
138	if (!await isVideoExist(req.params.id, res)) return	137	logger.debug('Checking videosGet parameters', { parameters: req.params })
139		138
140	const video: VideoModel = res.locals.video	139	if (areValidationErrors(req, res)) return
		140	if (!await isVideoExist(req.params.id, res, fetchType)) return
141		141
142	// Video private or blacklisted	142	const video: VideoModel = res.locals.video
143	if (video.privacy === VideoPrivacy.PRIVATE \|\| video.VideoBlacklist) {
144	return authenticate(req, res, () => {
145	const user: UserModel = res.locals.oauth.token.User
146		143
147	// Only the owner or a user that have blacklist rights can see the video	144	// Video private or blacklisted
148	if (video.VideoChannel.Account.userId !== user.id && !user.hasRight(UserRight.MANAGE_VIDEO_BLACKLIST)) {	145	if (video.privacy === VideoPrivacy.PRIVATE \|\| video.VideoBlacklist) {
149	return res.status(403)	146	return authenticate(req, res, () => {
150	.json({ error: 'Cannot get this private or blacklisted video.' })	147	const user: UserModel = res.locals.oauth.token.User
151	.end()
152	}
153		148
154	return next()	149	// Only the owner or a user that have blacklist rights can see the video
155	})	150	if (video.VideoChannel.Account.userId !== user.id && !user.hasRight(UserRight.MANAGE_VIDEO_BLACKLIST)) {
		151	return res.status(403)
		152	.json({ error: 'Cannot get this private or blacklisted video.' })
		153	.end()
		154	}
156		155
157	return	156	return next()
158	}	157	})
		158	}
159		159
160	// Video is public, anyone can access it	160	// Video is public, anyone can access it
161	if (video.privacy === VideoPrivacy.PUBLIC) return next()	161	if (video.privacy === VideoPrivacy.PUBLIC) return next()
162		162
163	// Video is unlisted, check we used the uuid to fetch it	163	// Video is unlisted, check we used the uuid to fetch it
164	if (video.privacy === VideoPrivacy.UNLISTED) {	164	if (video.privacy === VideoPrivacy.UNLISTED) {
165	if (isUUIDValid(req.params.id)) return next()	165	if (isUUIDValid(req.params.id)) return next()
166		166
167	// Don't leak this unlisted video	167	// Don't leak this unlisted video
168	return res.status(404).end()	168	return res.status(404).end()
		169	}
169	}	170	}
170	}	171	]
171	]	172	}
		173
		174	const videosGetValidator = videosCustomGetValidator('all')
172		175
173	const videosRemoveValidator = [	176	const videosRemoveValidator = [
174	param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),	177	param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
@@ -366,6 +369,7 @@ export {
366	videosAddValidator,	369	videosAddValidator,
367	videosUpdateValidator,	370	videosUpdateValidator,
368	videosGetValidator,	371	videosGetValidator,
		372	videosCustomGetValidator,
369	videosRemoveValidator,	373	videosRemoveValidator,
370	videosShareValidator,	374	videosShareValidator,
371		375