Diffstat (limited to 'server/middlewares')
-rw-r--r-- | server/middlewares/validators/videos.ts | 16 |
1 files changed, 6 insertions, 10 deletions
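--- a/server/middlewares/validators/videos.ts
+++ b/server/middlewares/validators/videos.ts
@@ -109,8 +109,6 @@ function videosRemoveValidator (req: express.Request, res: express.Response, nex
 
   checkErrors(req, res, () => {
     checkVideoExists(req.params.id, res, () => {
-      // We need to make additional checks
-
       // Check if the user who did the request is able to delete the video
       checkUserCanDeleteVideo(res.locals.oauth.token.User.id, res, () => {
         next()
@@ -205,17 +203,15 @@ function checkUserCanDeleteVideo (userId: number, res: express.Response, callbac
   // Retrieve the user who did the request
   db.User.loadById(userId)
     .then(user => {
+      if (res.locals.video.isOwned() === false) {
+        return res.status(403).send('Cannot remove video of another pod, blacklist it')
+      }
+
       // Check if the user can delete the video
       // The user can delete it if s/he is an admin
       // Or if s/he is the video's author
-      if (user.isAdmin() === false) {
-        if (res.locals.video.isOwned() === false) {
-          return res.status(403).send('Cannot remove video of another pod')
-        }
-
-        if (res.locals.video.Author.userId !== res.locals.oauth.token.User.id) {
-          return res.status(403).send('Cannot remove video of another user')
-        }
+      if (user.isAdmin() === false && res.locals.video.Author.userId !== res.locals.oauth.token.User.id) {
+        return res.status(403).send('Cannot remove video of another user')
       }
 
       // If we reach this comment, we can delete the video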
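Review bot: The new ownership test on new line 213 compares the video's author against `res.locals.oauth.token.User.id` while the function loads `user` from its `userId` parameter, so the authorization decision is built from two identity sources that are equal only because the caller at line 113 happens to pass the same value; tying the check to the parameter, `if (user.isAdmin() === false && res.locals.video.Author.userId !== userId) {`, keeps the decision consistent with the user actually loaded. The same hunk also calls `user.isAdmin()` with no null guard, so if `db.User.loadById` can resolve to null for an unknown id (not visible here), the check throws inside the promise instead of producing a 403; a guard such as `if (!user) return res.status(403).send('Unknown user')` before the admin check would close that, and whether the `.then` chain has a `.catch` cannot be seen since the function's body continues past the end of the hunk. The reordering also means the pod-ownership refusal now applies to admins too; if that is intended, the comment block on lines 210–212 should say so, e.g. `// Remote (non-owned) videos are never deletable here, even by admins — blacklist them instead`.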