15 files changed, 172 insertions, 66 deletions

diff --git a/server/middlewares/auth.ts b/server/middlewares/auth.ts
index c5424be97..ad3b24ab2 100644
--- a/server/middlewares/auth.ts
+++ b/server/middlewares/auth.ts
@@ -47,7 +47,7 @@ function authenticateSocket (socket: Socket, next: (err?: any) => void) {
     .catch(err => logger.error('Cannot get access token.', { err }))
 }
 
-function authenticatePromiseIfNeeded (req: express.Request, res: express.Response, authenticateInQuery = false) {
+function authenticatePromise (req: express.Request, res: express.Response, authenticateInQuery = false) {
   return new Promise<void>(resolve => {
     // Already authenticated? (or tried to)
     if (res.locals.oauth?.token.User) return resolve()
@@ -76,6 +76,6 @@ function optionalAuthenticate (req: express.Request, res: express.Response, next
 export {
   authenticate,
   authenticateSocket,
-  authenticatePromiseIfNeeded,
+  authenticatePromise,
   optionalAuthenticate
 }
diff --git a/server/middlewares/index.ts b/server/middlewares/index.ts
index d2ed079b6..b40f864ce 100644
--- a/server/middlewares/index.ts
+++ b/server/middlewares/index.ts
@@ -4,6 +4,7 @@ export * from './activitypub'
 export * from './async'
 export * from './auth'
 export * from './pagination'
+export * from './rate-limiter'
 export * from './robots'
 export * from './servers'
 export * from './sort'
diff --git a/server/middlewares/rate-limiter.ts b/server/middlewares/rate-limiter.ts
new file mode 100644
index 000000000..bc9513969
--- /dev/null
+++ b/server/middlewares/rate-limiter.ts
@@ -0,0 +1,31 @@
+import { UserRole } from '@shared/models'
+import RateLimit from 'express-rate-limit'
+import { optionalAuthenticate } from './auth'
+
+const whitelistRoles = new Set([ UserRole.ADMINISTRATOR, UserRole.MODERATOR ])
+
+function buildRateLimiter (options: {
+  windowMs: number
+  max: number
+  skipFailedRequests?: boolean
+}) {
+  return RateLimit({
+    windowMs: options.windowMs,
+    max: options.max,
+    skipFailedRequests: options.skipFailedRequests,
+
+    handler: (req, res, next, options) => {
+      return optionalAuthenticate(req, res, () => {
+        if (res.locals.authenticated === true && whitelistRoles.has(res.locals.oauth.token.User.role)) {
+          return next()
+        }
+
+        return res.status(options.statusCode).send(options.message)
+      })
+    }
+  })
+}
+
+export {
+  buildRateLimiter
+}
diff --git a/server/middlewares/validators/feeds.ts b/server/middlewares/validators/feeds.ts
index f8ebaf6ed..04b4e00c9 100644
--- a/server/middlewares/validators/feeds.ts
+++ b/server/middlewares/validators/feeds.ts
@@ -6,6 +6,7 @@ import { exists, isIdOrUUIDValid, isIdValid, toCompleteUUID } from '../../helper
 import { logger } from '../../helpers/logger'
 import {
   areValidationErrors,
+  checkCanSeeVideo,
   doesAccountIdExist,
   doesAccountNameWithHostExist,
   doesUserFeedTokenCorrespond,
@@ -112,7 +113,10 @@ const videoCommentsFeedsValidator = [
       return res.fail({ message: 'videoId cannot be mixed with a channel filter' })
     }
 
-    if (req.query.videoId && !await doesVideoExist(req.query.videoId, res)) return
+    if (req.query.videoId) {
+      if (!await doesVideoExist(req.query.videoId, res)) return
+      if (!await checkCanSeeVideo({ req, res, paramId: req.query.videoId, video: res.locals.videoAll })) return
+    }
 
     return next()
   }
diff --git a/server/middlewares/validators/shared/videos.ts b/server/middlewares/validators/shared/videos.ts
index 8807435f6..2c2ae3811 100644
--- a/server/middlewares/validators/shared/videos.ts
+++ b/server/middlewares/validators/shared/videos.ts
@@ -1,7 +1,8 @@
 import { Request, Response } from 'express'
+import { isUUIDValid } from '@server/helpers/custom-validators/misc'
 import { loadVideo, VideoLoadType } from '@server/lib/model-loaders'
 import { isAbleToUploadVideo } from '@server/lib/user'
-import { authenticatePromiseIfNeeded } from '@server/middlewares/auth'
+import { authenticatePromise } from '@server/middlewares/auth'
 import { VideoModel } from '@server/models/video/video'
 import { VideoChannelModel } from '@server/models/video/video-channel'
 import { VideoFileModel } from '@server/models/video/video-file'
@@ -18,18 +19,19 @@ import {
   MVideoThumbnail,
   MVideoWithRights
 } from '@server/types/models'
-import { HttpStatusCode, ServerErrorCode, UserRight } from '@shared/models'
+import { HttpStatusCode, ServerErrorCode, UserRight, VideoPrivacy } from '@shared/models'
 
 async function doesVideoExist (id: number | string, res: Response, fetchType: VideoLoadType = 'all') {
   const userId = res.locals.oauth ? res.locals.oauth.token.User.id : undefined
 
   const video = await loadVideo(id, fetchType, userId)
 
-  if (video === null) {
+  if (!video) {
     res.fail({
       status: HttpStatusCode.NOT_FOUND_404,
       message: 'Video not found'
     })
+
     return false
   }
 
@@ -58,6 +60,8 @@ async function doesVideoExist (id: number | string, res: Response, fetchType: Vi
   return true
 }
 
+// ---------------------------------------------------------------------------
+
 async function doesVideoFileOfVideoExist (id: number, videoIdOrUUID: number | string, res: Response) {
   if (!await VideoFileModel.doesVideoExistForVideoFile(id, videoIdOrUUID)) {
     res.fail({
@@ -70,6 +74,8 @@ async function doesVideoFileOfVideoExist (id: number, videoIdOrUUID: number | st
   return true
 }
 
+// ---------------------------------------------------------------------------
+
 async function doesVideoChannelOfAccountExist (channelId: number, user: MUserAccountId, res: Response) {
   const videoChannel = await VideoChannelModel.loadAndPopulateAccount(channelId)
 
@@ -95,32 +101,78 @@ async function doesVideoChannelOfAccountExist (channelId: number, user: MUserAcc
   return true
 }
 
-async function checkCanSeeVideoIfPrivate (req: Request, res: Response, video: MVideo, authenticateInQuery = false) {
-  if (!video.requiresAuth()) return true
+// ---------------------------------------------------------------------------
 
-  const videoWithRights = await VideoModel.loadAndPopulateAccountAndServerAndTags(video.id)
+async function checkCanSeeVideo (options: {
+  req: Request
+  res: Response
+  paramId: string
+  video: MVideo
+  authenticateInQuery?: boolean // default false
+}) {
+  const { req, res, video, paramId, authenticateInQuery = false } = options
+
+  if (video.requiresAuth()) {
+    return checkCanSeeAuthVideo(req, res, video, authenticateInQuery)
+  }
 
-  return checkCanSeePrivateVideo(req, res, videoWithRights, authenticateInQuery)
-}
+  if (video.privacy === VideoPrivacy.UNLISTED) {
+    if (isUUIDValid(paramId)) return true
 
-async function checkCanSeePrivateVideo (req: Request, res: Response, video: MVideoWithRights, authenticateInQuery = false) {
-  await authenticatePromiseIfNeeded(req, res, authenticateInQuery)
+    return checkCanSeeAuthVideo(req, res, video, authenticateInQuery)
+  }
+
+  if (video.privacy === VideoPrivacy.PUBLIC) return true
 
-  const user = res.locals.oauth ? res.locals.oauth.token.User : null
+  throw new Error('Fatal error when checking video right ' + video.url)
+}
 
-  // Only the owner or a user that have blocklist rights can see the video
-  if (!user || !user.canGetVideo(video)) {
+async function checkCanSeeAuthVideo (req: Request, res: Response, video: MVideoId | MVideoWithRights, authenticateInQuery = false) {
+  const fail = () => {
     res.fail({
       status: HttpStatusCode.FORBIDDEN_403,
-      message: 'Cannot fetch information of private/internal/blocklisted video'
+      message: 'Cannot fetch information of private/internal/blocked video'
     })
 
     return false
   }
 
-  return true
+  await authenticatePromise(req, res, authenticateInQuery)
+
+  const user = res.locals.oauth?.token.User
+  if (!user) return fail()
+
+  const videoWithRights = (video as MVideoWithRights).VideoChannel?.Account?.userId
+    ? video as MVideoWithRights
+    : await VideoModel.loadAndPopulateAccountAndServerAndTags(video.id)
+
+  const privacy = videoWithRights.privacy
+
+  if (privacy === VideoPrivacy.INTERNAL) {
+    // We know we have a user
+    return true
+  }
+
+  const isOwnedByUser = videoWithRights.VideoChannel.Account.userId === user.id
+
+  if (videoWithRights.isBlacklisted()) {
+    if (isOwnedByUser || user.hasRight(UserRight.MANAGE_VIDEO_BLACKLIST)) return true
+
+    return fail()
+  }
+
+  if (privacy === VideoPrivacy.PRIVATE || privacy === VideoPrivacy.UNLISTED) {
+    if (isOwnedByUser || user.hasRight(UserRight.SEE_ALL_VIDEOS)) return true
+
+    return fail()
+  }
+
+  // Should not happen
+  return fail()
 }
 
+// ---------------------------------------------------------------------------
+
 function checkUserCanManageVideo (user: MUser, video: MVideoAccountLight, right: UserRight, res: Response, onlyOwned = true) {
   // Retrieve the user who did the request
   if (onlyOwned && video.isOwned() === false) {
@@ -146,6 +198,8 @@ function checkUserCanManageVideo (user: MUser, video: MVideoAccountLight, right:
   return true
 }
 
+// ---------------------------------------------------------------------------
+
 async function checkUserQuota (user: MUserId, videoFileSize: number, res: Response) {
   if (await isAbleToUploadVideo(user.id, videoFileSize) === false) {
     res.fail({
@@ -167,7 +221,6 @@ export {
   doesVideoFileOfVideoExist,
 
   checkUserCanManageVideo,
-  checkCanSeeVideoIfPrivate,
-  checkCanSeePrivateVideo,
+  checkCanSeeVideo,
   checkUserQuota
 }
diff --git a/server/middlewares/validators/sort.ts b/server/middlewares/validators/sort.ts
index 3ba668460..c9978e3b4 100644
--- a/server/middlewares/validators/sort.ts
+++ b/server/middlewares/validators/sort.ts
@@ -28,7 +28,7 @@ function createSortableColumns (sortableColumns: string[]) {
   return sortableColumns.concat(sortableColumnDesc)
 }
 
-const usersSortValidator = checkSortFactory(SORTABLE_COLUMNS.USERS)
+const adminUsersSortValidator = checkSortFactory(SORTABLE_COLUMNS.ADMIN_USERS)
 const accountsSortValidator = checkSortFactory(SORTABLE_COLUMNS.ACCOUNTS)
 const jobsSortValidator = checkSortFactory(SORTABLE_COLUMNS.JOBS, [ 'jobs' ])
 const abusesSortValidator = checkSortFactory(SORTABLE_COLUMNS.ABUSES)
@@ -59,7 +59,7 @@ const videoChannelsFollowersSortValidator = checkSortFactory(SORTABLE_COLUMNS.CH
 // ---------------------------------------------------------------------------
 
 export {
-  usersSortValidator,
+  adminUsersSortValidator,
   abusesSortValidator,
   videoChannelsSortValidator,
   videoImportsSortValidator,
diff --git a/server/middlewares/validators/users.ts b/server/middlewares/validators/users.ts
index bc6007c6d..6d306121e 100644
--- a/server/middlewares/validators/users.ts
+++ b/server/middlewares/validators/users.ts
@@ -486,7 +486,7 @@ const ensureAuthUserOwnsAccountValidator = [
     if (res.locals.account.id !== user.Account.id) {
       return res.fail({
         status: HttpStatusCode.FORBIDDEN_403,
-        message: 'Only owner of this account can access this ressource.'
+        message: 'Only owner of this account can access this resource.'
       })
     }
 
diff --git a/server/middlewares/validators/videos/index.ts b/server/middlewares/validators/videos/index.ts
index bd2590bc5..1dd7b5d2e 100644
--- a/server/middlewares/validators/videos/index.ts
+++ b/server/middlewares/validators/videos/index.ts
@@ -9,6 +9,7 @@ export * from './video-ownership-changes'
 export * from './video-view'
 export * from './video-rates'
 export * from './video-shares'
+export * from './video-source'
 export * from './video-stats'
 export * from './video-studio'
 export * from './video-transcoding'
diff --git a/server/middlewares/validators/videos/video-captions.ts b/server/middlewares/validators/videos/video-captions.ts
index 441c6b4be..dfb8fefc5 100644
--- a/server/middlewares/validators/videos/video-captions.ts
+++ b/server/middlewares/validators/videos/video-captions.ts
@@ -7,7 +7,7 @@ import { logger } from '../../../helpers/logger'
 import { CONSTRAINTS_FIELDS, MIMETYPES } from '../../../initializers/constants'
 import {
   areValidationErrors,
-  checkCanSeeVideoIfPrivate,
+  checkCanSeeVideo,
   checkUserCanManageVideo,
   doesVideoCaptionExist,
   doesVideoExist,
@@ -74,7 +74,7 @@ const listVideoCaptionsValidator = [
     if (!await doesVideoExist(req.params.videoId, res, 'only-video')) return
 
     const video = res.locals.onlyVideo
-    if (!await checkCanSeeVideoIfPrivate(req, res, video)) return
+    if (!await checkCanSeeVideo({ req, res, video, paramId: req.params.videoId })) return
 
     return next()
   }
diff --git a/server/middlewares/validators/videos/video-comments.ts b/server/middlewares/validators/videos/video-comments.ts
index 698afdbd1..b22a4e3b7 100644
--- a/server/middlewares/validators/videos/video-comments.ts
+++ b/server/middlewares/validators/videos/video-comments.ts
@@ -10,7 +10,7 @@ import { Hooks } from '../../../lib/plugins/hooks'
 import { MCommentOwnerVideoReply, MVideo, MVideoFullLight } from '../../../types/models/video'
 import {
   areValidationErrors,
-  checkCanSeeVideoIfPrivate,
+  checkCanSeeVideo,
   doesVideoCommentExist,
   doesVideoCommentThreadExist,
   doesVideoExist,
@@ -54,7 +54,7 @@ const listVideoCommentThreadsValidator = [
     if (areValidationErrors(req, res)) return
     if (!await doesVideoExist(req.params.videoId, res, 'only-video')) return
 
-    if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.onlyVideo)) return
+    if (!await checkCanSeeVideo({ req, res, paramId: req.params.videoId, video: res.locals.onlyVideo })) return
 
     return next()
   }
@@ -73,7 +73,7 @@ const listVideoThreadCommentsValidator = [
     if (!await doesVideoExist(req.params.videoId, res, 'only-video')) return
     if (!await doesVideoCommentThreadExist(req.params.threadId, res.locals.onlyVideo, res)) return
 
-    if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.onlyVideo)) return
+    if (!await checkCanSeeVideo({ req, res, paramId: req.params.videoId, video: res.locals.onlyVideo })) return
 
     return next()
   }
@@ -91,7 +91,7 @@ const addVideoCommentThreadValidator = [
     if (areValidationErrors(req, res)) return
     if (!await doesVideoExist(req.params.videoId, res)) return
 
-    if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.videoAll)) return
+    if (!await checkCanSeeVideo({ req, res, paramId: req.params.videoId, video: res.locals.videoAll })) return
 
     if (!isVideoCommentsEnabled(res.locals.videoAll, res)) return
     if (!await isVideoCommentAccepted(req, res, res.locals.videoAll, false)) return
@@ -113,7 +113,7 @@ const addVideoCommentReplyValidator = [
     if (areValidationErrors(req, res)) return
     if (!await doesVideoExist(req.params.videoId, res)) return
 
-    if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.videoAll)) return
+    if (!await checkCanSeeVideo({ req, res, paramId: req.params.videoId, video: res.locals.videoAll })) return
 
     if (!isVideoCommentsEnabled(res.locals.videoAll, res)) return
     if (!await doesVideoCommentExist(req.params.commentId, res.locals.videoAll, res)) return
diff --git a/server/middlewares/validators/videos/video-playlists.ts b/server/middlewares/validators/videos/video-playlists.ts
index 241b9ed7b..d514ae0ad 100644
--- a/server/middlewares/validators/videos/video-playlists.ts
+++ b/server/middlewares/validators/videos/video-playlists.ts
@@ -33,7 +33,7 @@ import { logger } from '../../../helpers/logger'
 import { CONSTRAINTS_FIELDS } from '../../../initializers/constants'
 import { VideoPlaylistElementModel } from '../../../models/video/video-playlist-element'
 import { MVideoPlaylist } from '../../../types/models/video/video-playlist'
-import { authenticatePromiseIfNeeded } from '../../auth'
+import { authenticatePromise } from '../../auth'
 import {
   areValidationErrors,
   doesVideoChannelIdExist,
@@ -161,7 +161,7 @@ const videoPlaylistsGetValidator = (fetchType: VideoPlaylistFetchType) => {
       }
 
       if (videoPlaylist.privacy === VideoPlaylistPrivacy.PRIVATE) {
-        await authenticatePromiseIfNeeded(req, res)
+        await authenticatePromise(req, res)
 
         const user = res.locals.oauth ? res.locals.oauth.token.User : null
 
diff --git a/server/middlewares/validators/videos/video-rates.ts b/server/middlewares/validators/videos/video-rates.ts
index 1a9736034..8b8eeedb6 100644
--- a/server/middlewares/validators/videos/video-rates.ts
+++ b/server/middlewares/validators/videos/video-rates.ts
@@ -8,7 +8,7 @@ import { isRatingValid } from '../../../helpers/custom-validators/video-rates'
 import { isVideoRatingTypeValid } from '../../../helpers/custom-validators/videos'
 import { logger } from '../../../helpers/logger'
 import { AccountVideoRateModel } from '../../../models/account/account-video-rate'
-import { areValidationErrors, checkCanSeeVideoIfPrivate, doesVideoExist, isValidVideoIdParam } from '../shared'
+import { areValidationErrors, checkCanSeeVideo, doesVideoExist, isValidVideoIdParam } from '../shared'
 
 const videoUpdateRateValidator = [
   isValidVideoIdParam('id'),
@@ -21,7 +21,7 @@ const videoUpdateRateValidator = [
     if (areValidationErrors(req, res)) return
     if (!await doesVideoExist(req.params.id, res)) return
 
-    if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.videoAll)) return
+    if (!await checkCanSeeVideo({ req, res, paramId: req.params.id, video: res.locals.videoAll })) return
 
     return next()
   }
diff --git a/server/middlewares/validators/videos/video-source.ts b/server/middlewares/validators/videos/video-source.ts
new file mode 100644
index 000000000..31a2f16b3
--- /dev/null
+++ b/server/middlewares/validators/videos/video-source.ts
@@ -0,0 +1,37 @@
+import express from 'express'
+import { getVideoWithAttributes } from '@server/helpers/video'
+import { VideoSourceModel } from '@server/models/video/video-source'
+import { MVideoFullLight } from '@server/types/models'
+import { HttpStatusCode, UserRight } from '@shared/models'
+import { logger } from '../../../helpers/logger'
+import { areValidationErrors, checkUserCanManageVideo, doesVideoExist, isValidVideoIdParam } from '../shared'
+
+const videoSourceGetValidator = [
+  isValidVideoIdParam('id'),
+
+  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
+    logger.debug('Checking videoSourceGet parameters', { parameters: req.params })
+
+    if (areValidationErrors(req, res)) return
+    if (!await doesVideoExist(req.params.id, res, 'for-api')) return
+
+    const video = getVideoWithAttributes(res) as MVideoFullLight
+
+    res.locals.videoSource = await VideoSourceModel.loadByVideoId(video.id)
+    if (!res.locals.videoSource) {
+      return res.fail({
+        status: HttpStatusCode.NOT_FOUND_404,
+        message: 'Video source not found'
+      })
+    }
+
+    const user = res.locals.oauth.token.User
+    if (!checkUserCanManageVideo(user, video, UserRight.UPDATE_ANY_VIDEO, res)) return
+
+    return next()
+  }
+]
+
+export {
+  videoSourceGetValidator
+}
diff --git a/server/middlewares/validators/videos/video-view.ts b/server/middlewares/validators/videos/video-view.ts
index 7a4994e8a..2edcd140f 100644
--- a/server/middlewares/validators/videos/video-view.ts
+++ b/server/middlewares/validators/videos/video-view.ts
@@ -6,6 +6,7 @@ import { HttpStatusCode } from '../../../../shared/models/http/http-error-codes'
 import { exists, isIdValid, isIntOrNull, toIntOrNull } from '../../../helpers/custom-validators/misc'
 import { logger } from '../../../helpers/logger'
 import { areValidationErrors, doesVideoExist, isValidVideoIdParam } from '../shared'
+import { getCachedVideoDuration } from '@server/lib/video'
 
 const getVideoLocalViewerValidator = [
   param('localViewerId')
@@ -42,20 +43,18 @@ const videoViewValidator = [
     logger.debug('Checking videoView parameters', { parameters: req.body })
 
     if (areValidationErrors(req, res)) return
-    if (!await doesVideoExist(req.params.videoId, res, 'only-video')) return
+    if (!await doesVideoExist(req.params.videoId, res, 'only-immutable-attributes')) return
 
-    const video = res.locals.onlyVideo
-    const videoDuration = video.isLive
-      ? undefined
-      : video.duration
+    const video = res.locals.onlyImmutableVideo
+    const { duration } = await getCachedVideoDuration(video.id)
 
     if (!exists(req.body.currentTime)) { // TODO: remove in a few versions, introduced in 4.2
-      req.body.currentTime = Math.min(videoDuration ?? 0, 30)
+      req.body.currentTime = Math.min(duration ?? 0, 30)
     }
 
     const currentTime: number = req.body.currentTime
 
-    if (!isVideoTimeValid(currentTime, videoDuration)) {
+    if (!isVideoTimeValid(currentTime, duration)) {
       return res.fail({
         status: HttpStatusCode.BAD_REQUEST_400,
         message: 'Current time is invalid'
diff --git a/server/middlewares/validators/videos/videos.ts b/server/middlewares/validators/videos/videos.ts
index 0b6b8bfe5..c6d31f8f0 100644
--- a/server/middlewares/validators/videos/videos.ts
+++ b/server/middlewares/validators/videos/videos.ts
@@ -7,14 +7,13 @@ import { getServerActor } from '@server/models/application/application'
 import { ExpressPromiseHandler } from '@server/types/express-handler'
 import { MUserAccountId, MVideoFullLight } from '@server/types/models'
 import { getAllPrivacies } from '@shared/core-utils'
-import { HttpStatusCode, ServerErrorCode, UserRight, VideoInclude, VideoPrivacy } from '@shared/models'
+import { HttpStatusCode, ServerErrorCode, UserRight, VideoInclude } from '@shared/models'
 import {
   exists,
   isBooleanValid,
   isDateValid,
   isFileValid,
   isIdValid,
-  isUUIDValid,
   toArray,
   toBooleanOrNull,
   toIntOrNull,
@@ -50,7 +49,7 @@ import { Hooks } from '../../../lib/plugins/hooks'
 import { VideoModel } from '../../../models/video/video'
 import {
   areValidationErrors,
-  checkCanSeePrivateVideo,
+  checkCanSeeVideo,
   checkUserCanManageVideo,
   checkUserQuota,
   doesVideoChannelOfAccountExist,
@@ -152,7 +151,7 @@ const videosAddResumableValidator = [
 
     if (!await isVideoAccepted(req, res, file)) return cleanup()
 
-    res.locals.videoFileResumable = file
+    res.locals.videoFileResumable = { ...file, originalname: file.filename }
 
     return next()
   }
@@ -297,28 +296,9 @@ const videosCustomGetValidator = (
 
       const video = getVideoWithAttributes(res) as MVideoFullLight
 
-      // Video private or blacklisted
-      if (video.requiresAuth()) {
-        if (await checkCanSeePrivateVideo(req, res, video, authenticateInQuery)) {
-          return next()
-        }
+      if (!await checkCanSeeVideo({ req, res, video, paramId: req.params.id, authenticateInQuery })) return
 
-        return
-      }
-
-      // Video is public, anyone can access it
-      if (video.privacy === VideoPrivacy.PUBLIC) return next()
-
-      // Video is unlisted, check we used the uuid to fetch it
-      if (video.privacy === VideoPrivacy.UNLISTED) {
-        if (isUUIDValid(req.params.id)) return next()
-
-        // Don't leak this unlisted video
-        return res.fail({
-          status: HttpStatusCode.NOT_FOUND_404,
-          message: 'Video not found'
-        })
-      }
+      return next()
     }
   ]
 }