Diffstat (limited to 'server/middlewares')
-rw-r--r--server/middlewares/validators/videos/videos.ts9
1 files changed, 3 insertions, 6 deletions
diff --git a/server/middlewares/validators/videos/videos.ts b/server/middlewares/validators/videos/videos.ts
index ab984d84a..5e0182cc3 100644
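--- a/server/middlewares/validators/videos/videos.ts
+++ b/server/middlewares/validators/videos/videos.ts
@@ -161,18 +161,15 @@ const videosCustomGetValidator = (fetchType: 'all' | 'only-video' | 'only-video-
 const videoAll = video as MVideoFullLight
 
 // Video private or blacklisted
-if (video.privacy === VideoPrivacy.PRIVATE || videoAll.VideoBlacklist) {
+if (videoAll.requiresAuth()) {
 await authenticatePromiseIfNeeded(req, res, authenticateInQuery)
 
 const user = res.locals.oauth ? res.locals.oauth.token.User : null
 
 // Only the owner or a user that have blacklist rights can see the video
-if (
-!user ||
-(videoAll.VideoChannel && videoAll.VideoChannel.Account.userId !== user.id && !user.hasRight(UserRight.MANAGE_VIDEO_BLACKLIST))
-) {
+if (!user || !user.canGetVideo(videoAll)) {
 return res.status(403)
-.json({ error: 'Cannot get this private or blacklisted video.' })
+.json({ error: 'Cannot get this private/internal or blacklisted video.' })
 }
 
 return next()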
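Review bot: The two comments kept at new lines 163 and 169 still describe the old rule, but the access decision now lives in `videoAll.requiresAuth()` and `user.canGetVideo(videoAll)`, neither of which is part of this diff. Since the new error text mentions "private/internal", the comments should say what is enforced now, for example `// Video requires authentication (private, internal or blacklisted)` and `// canGetVideo() decides which authenticated users may see it`. The removed inline condition only denied access when `videoAll.VideoChannel` was loaded, so it is worth confirming that `canGetVideo` denies rather than allows when the channel or account association is missing. A test covering owner, moderator and unrelated user for each privacy value would pin that down. The validator's body starts and ends outside this hunk.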