Diffstat (limited to 'server/middlewares')
-rw-r--r--server/middlewares/validators/videos.ts16
1 files changed, 6 insertions, 10 deletions
diff --git a/server/middlewares/validators/videos.ts b/server/middlewares/validators/videos.ts
index 249da668d..519e3d46c 100644
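--- a/server/middlewares/validators/videos.ts
+++ b/server/middlewares/validators/videos.ts
@@ -109,8 +109,6 @@ function videosRemoveValidator (req: express.Request, res: express.Response, nex
 
 checkErrors(req, res, () => {
 checkVideoExists(req.params.id, res, () => {
-// We need to make additional checks
-
 // Check if the user who did the request is able to delete the video
 checkUserCanDeleteVideo(res.locals.oauth.token.User.id, res, () => {
 next()
@@ -205,17 +203,15 @@ function checkUserCanDeleteVideo (userId: number, res: express.Response, callbac
 // Retrieve the user who did the request
 db.User.loadById(userId)
 .then(user => {
+if (res.locals.video.isOwned() === false) {
+return res.status(403).send('Cannot remove video of another pod, blacklist it')
+}
+
 // Check if the user can delete the video
 // The user can delete it if s/he is an admin
 // Or if s/he is the video's author
-if (user.isAdmin() === false) {
-if (res.locals.video.isOwned() === false) {
-return res.status(403).send('Cannot remove video of another pod')
-}
-
-if (res.locals.video.Author.userId !== res.locals.oauth.token.User.id) {
-return res.status(403).send('Cannot remove video of another user')
-}
+if (user.isAdmin() === false && res.locals.video.Author.userId !== res.locals.oauth.token.User.id) {
+return res.status(403).send('Cannot remove video of another user')
 }
 
 // If we reach this comment, we can delete the video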
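Review bot: The combined condition at new line 213 of `checkUserCanDeleteVideo` takes admin status from the user loaded via the `userId` parameter but takes ownership from `res.locals.oauth.token.User.id`, so the two halves of one authorization decision can refer to different identities if a caller ever passes anything other than the token's user. Comparing against the parameter keeps the check self-consistent: `if (user.isAdmin() === false && res.locals.video.Author.userId !== userId) {`. The `isOwned()` guard added at new lines 206-208 now also rejects admins for remote videos, which looks intended given the "blacklist it" message, but a one-line comment saying so would keep a later edit from moving it back under the non-admin branch. The function starts and ends outside this hunk, so whether a null result from `db.User.loadById` is handled before `user.isAdmin()` is called cannot be seen here and is worth confirming.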