diff options
Diffstat (limited to 'server/middlewares')
-rw-r--r-- | server/middlewares/validators/videos/videos.ts | 9 |
1 files changed, 3 insertions, 6 deletions
diff --git a/server/middlewares/validators/videos/videos.ts b/server/middlewares/validators/videos/videos.ts index ab984d84a..5e0182cc3 100644 --- a/server/middlewares/validators/videos/videos.ts +++ b/server/middlewares/validators/videos/videos.ts | |||
@@ -161,18 +161,15 @@ const videosCustomGetValidator = (fetchType: 'all' | 'only-video' | 'only-video- | |||
161 | const videoAll = video as MVideoFullLight | 161 | const videoAll = video as MVideoFullLight |
162 | 162 | ||
163 | // Video private or blacklisted | 163 | // Video private or blacklisted |
164 | if (video.privacy === VideoPrivacy.PRIVATE || videoAll.VideoBlacklist) { | 164 | if (videoAll.requiresAuth()) { |
165 | await authenticatePromiseIfNeeded(req, res, authenticateInQuery) | 165 | await authenticatePromiseIfNeeded(req, res, authenticateInQuery) |
166 | 166 | ||
167 | const user = res.locals.oauth ? res.locals.oauth.token.User : null | 167 | const user = res.locals.oauth ? res.locals.oauth.token.User : null |
168 | 168 | ||
169 | // Only the owner or a user that have blacklist rights can see the video | 169 | // Only the owner or a user that have blacklist rights can see the video |
170 | if ( | 170 | if (!user || !user.canGetVideo(videoAll)) { |
171 | !user || | ||
172 | (videoAll.VideoChannel && videoAll.VideoChannel.Account.userId !== user.id && !user.hasRight(UserRight.MANAGE_VIDEO_BLACKLIST)) | ||
173 | ) { | ||
174 | return res.status(403) | 171 | return res.status(403) |
175 | .json({ error: 'Cannot get this private or blacklisted video.' }) | 172 | .json({ error: 'Cannot get this private/internal or blacklisted video.' }) |
176 | } | 173 | } |
177 | 174 | ||
178 | return next() | 175 | return next() |