Diffstat (limited to 'server/middlewares')
-rw-r--r--server/middlewares/validators/videos.ts33
1 files changed, 21 insertions, 12 deletions
diff --git a/server/middlewares/validators/videos.ts b/server/middlewares/validators/videos.ts
index 203a00876..77d601a4d 100644
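--- a/server/middlewares/validators/videos.ts
+++ b/server/middlewares/validators/videos.ts
@@ -35,6 +35,8 @@ import { VideoShareModel } from '../../models/video/video-share'
 import { authenticate } from '../oauth'
 import { areValidationErrors } from './utils'
 import { cleanUpReqFiles } from '../../helpers/utils'
+import { VideoModel } from '../../models/video/video'
+import { UserModel } from '../../models/account/user'
 
 const videosAddValidator = getCommonVideoAttributes().concat([
  body('videofile')
@@ -131,7 +133,25 @@ const videosGetValidator = [
  if (areValidationErrors(req, res)) return
  if (!await isVideoExist(req.params.id, res)) return
 
- const video = res.locals.video
+ const video: VideoModel = res.locals.video
+
+ // Video private or blacklisted
+ if (video.privacy === VideoPrivacy.PRIVATE || video.VideoBlacklist) {
+ authenticate(req, res, () => {
+ const user: UserModel = res.locals.oauth.token.User
+
+ // Only the owner or a user that have blacklist rights can see the video
+ if (video.VideoChannel.Account.userId !== user.id && !user.hasRight(UserRight.MANAGE_VIDEO_BLACKLIST)) {
+ return res.status(403)
+ .json({ error: 'Cannot get this private or blacklisted video.' })
+ .end()
+ }
+
+ return next()
+ })
+
+ return
+ }
 
  // Video is public, anyone can access it
  if (video.privacy === VideoPrivacy.PUBLIC) return next()
@@ -143,17 +163,6 @@ const videosGetValidator = [
  // Don't leak this unlisted video
  return res.status(404).end()
  }
-
- // Video is private, check the user
- authenticate(req, res, () => {
- if (video.VideoChannel.Account.userId !== res.locals.oauth.token.User.id) {
- return res.status(403)
- .json({ error: 'Cannot get this private video of another user' })
- .end()
- }
-
- return next()
- })
  }
 ]
 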
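Review bot: In the new private-or-blacklisted branch of `videosGetValidator`, `MANAGE_VIDEO_BLACKLIST` is accepted for every video that enters the branch, so a user holding that right can also fetch another user's private video that is not blacklisted at all. If that widening is not intended, tie the right to the blacklisted case, e.g. `const isModerator = !!video.VideoBlacklist && user.hasRight(UserRight.MANAGE_VIDEO_BLACKLIST)` followed by `if (video.VideoChannel.Account.userId !== user.id && !isModerator) {`. The branch also depends on `res.locals.video` having been loaded with its `VideoBlacklist` association; the loader (`isVideoExist`) is not part of this diff, so that is worth confirming, because a missing include would let a blacklisted public video fall through to the public path. The handler's opening lines are outside the hunk.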