Diffstat (limited to 'server/middlewares')
-rw-r--r--server/middlewares/validators/videos.js63
1 files changed, 53 insertions, 10 deletions
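--- a/server/middlewares/validators/videos.js
+++ b/server/middlewares/validators/videos.js
@@ -15,7 +15,9 @@ const validatorsVideos = {
 
   videoAbuseReport,
 
-  videoRate
+  videoRate,
+
+  videosBlacklist
 }
 
 function videosAdd (req, res, next) {
@@ -95,15 +97,10 @@ function videosRemove (req, res, next) {
     checkVideoExists(req.params.id, res, function () {
       // We need to make additional checks
 
-      if (res.locals.video.isOwned() === false) {
-        return res.status(403).send('Cannot remove video of another pod')
-      }
-
-      if (res.locals.video.Author.userId !== res.locals.oauth.token.User.id) {
-        return res.status(403).send('Cannot remove video of another user')
-      }
-
-      next()
+      // Check if the user who did the request is able to delete the video
+      checkUserCanDeleteVideo(res.locals.oauth.token.User.id, res, function () {
+        next()
+      })
     })
   })
 }
@@ -159,3 +156,49 @@ function checkVideoExists (id, res, callback) {
     callback()
   })
 }
+
+function checkUserCanDeleteVideo (userId, res, callback) {
+  // Retrieve the user who did the request
+  db.User.loadById(userId, function (err, user) {
+    if (err) {
+      logger.error('Error in video request validator.', { error: err })
+      return res.sendStatus(500)
+    }
+
+    // Check if the user can delete the video
+    // The user can delete it if s/he an admin
+    // Or if s/he is the video's author
+    if (user.isAdmin() === false) {
+      if (res.locals.video.isOwned() === false) {
+        return res.status(403).send('Cannot remove video of another pod')
+      }
+
+      if (res.locals.video.Author.userId !== res.locals.oauth.token.User.id) {
+        return res.status(403).send('Cannot remove video of another user')
+      }
+    }
+
+    // If we reach this comment, we can delete the video
+    callback()
+  })
+}
+
+function checkVideoIsBlacklistable (req, res, callback) {
+  if (res.locals.video.isOwned() === true) {
+    return res.status(403).send('Cannot blacklist a local video')
+  }
+
+  callback()
+}
+
+function videosBlacklist (req, res, next) {
+  req.checkParams('id', 'Should have a valid id').notEmpty().isUUID(4)
+
+  logger.debug('Checking videosBlacklist parameters', { parameters: req.params })
+
+  checkErrors(req, res, function () {
+    checkVideoExists(req.params.id, res, function() {
+      checkVideoIsBlacklistable(req, res, next)
+    })
+  })
+}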
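Review bot: In checkUserCanDeleteVideo (new lines 160-184) the author check at line 176 ignores the `userId` parameter and reads `res.locals.oauth.token.User.id` again, so the helper's contract is misleading and a future caller passing a different id would silently be authorized against the token user instead; the comparison should be `if (res.locals.video.Author.userId !== userId) {`. The same callback calls `user.isAdmin()` without guarding against `loadById` yielding no user, which would throw inside the callback rather than return a 500 like the `err` branch does — worth a `if (!user) return res.sendStatus(500)` guard after the error check, assuming loadById can return a null user. checkVideoIsBlacklistable only rejects local videos and performs no check on who is asking, so unless the route wiring (not visible here) restricts videosBlacklist to admins, any authenticated user could blacklist remote videos; a comment such as `// Caller must already have verified the requester is an admin` would make that precondition explicit. Minor style: line 200 uses `function()` where the rest of the file uses `function ()`.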