diff options
Diffstat (limited to 'server/middlewares')
-rw-r--r-- | server/middlewares/validators/videos.ts | 20 |
1 files changed, 5 insertions, 15 deletions
diff --git a/server/middlewares/validators/videos.ts b/server/middlewares/validators/videos.ts index e91739f81..1dc8429c8 100644 --- a/server/middlewares/validators/videos.ts +++ b/server/middlewares/validators/videos.ts | |||
@@ -130,18 +130,8 @@ const videosUpdateValidator = [ | |||
130 | 130 | ||
131 | const video = res.locals.video | 131 | const video = res.locals.video |
132 | 132 | ||
133 | // We need to make additional checks | 133 | // Check if the user who did the request is able to update the video |
134 | if (video.isOwned() === false) { | 134 | if (!checkUserCanManageVideo(res.locals.oauth.token.User, res.locals.video, UserRight.UPDATE_ANY_VIDEO, res)) return |
135 | return res.status(403) | ||
136 | .json({ error: 'Cannot update video of another server' }) | ||
137 | .end() | ||
138 | } | ||
139 | |||
140 | if (video.VideoChannel.Account.userId !== res.locals.oauth.token.User.id) { | ||
141 | return res.status(403) | ||
142 | .json({ error: 'Cannot update video of another user' }) | ||
143 | .end() | ||
144 | } | ||
145 | 135 | ||
146 | if (video.privacy !== VideoPrivacy.PRIVATE && req.body.privacy === VideoPrivacy.PRIVATE) { | 136 | if (video.privacy !== VideoPrivacy.PRIVATE && req.body.privacy === VideoPrivacy.PRIVATE) { |
147 | return res.status(409) | 137 | return res.status(409) |
@@ -198,7 +188,7 @@ const videosRemoveValidator = [ | |||
198 | if (!await isVideoExist(req.params.id, res)) return | 188 | if (!await isVideoExist(req.params.id, res)) return |
199 | 189 | ||
200 | // Check if the user who did the request is able to delete the video | 190 | // Check if the user who did the request is able to delete the video |
201 | if (!checkUserCanDeleteVideo(res.locals.oauth.token.User, res.locals.video, res)) return | 191 | if (!checkUserCanManageVideo(res.locals.oauth.token.User, res.locals.video, UserRight.REMOVE_ANY_VIDEO, res)) return |
202 | 192 | ||
203 | return next() | 193 | return next() |
204 | } | 194 | } |
@@ -282,7 +272,7 @@ export { | |||
282 | 272 | ||
283 | // --------------------------------------------------------------------------- | 273 | // --------------------------------------------------------------------------- |
284 | 274 | ||
285 | function checkUserCanDeleteVideo (user: UserModel, video: VideoModel, res: express.Response) { | 275 | function checkUserCanManageVideo (user: UserModel, video: VideoModel, right: UserRight, res: express.Response) { |
286 | // Retrieve the user who did the request | 276 | // Retrieve the user who did the request |
287 | if (video.isOwned() === false) { | 277 | if (video.isOwned() === false) { |
288 | res.status(403) | 278 | res.status(403) |
@@ -295,7 +285,7 @@ function checkUserCanDeleteVideo (user: UserModel, video: VideoModel, res: expre | |||
295 | // The user can delete it if he has the right | 285 | // The user can delete it if he has the right |
296 | // Or if s/he is the video's account | 286 | // Or if s/he is the video's account |
297 | const account = video.VideoChannel.Account | 287 | const account = video.VideoChannel.Account |
298 | if (user.hasRight(UserRight.REMOVE_ANY_VIDEO) === false && account.userId !== user.id) { | 288 | if (user.hasRight(right) === false && account.userId !== user.id) { |
299 | res.status(403) | 289 | res.status(403) |
300 | .json({ error: 'Cannot remove video of another user' }) | 290 | .json({ error: 'Cannot remove video of another user' }) |
301 | .end() | 291 | .end() |