Diffstat (limited to 'server/middlewares')
-rw-r--r--server/middlewares/validators/videos.ts20
1 files changed, 5 insertions, 15 deletions
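--- a/server/middlewares/validators/videos.ts
+++ b/server/middlewares/validators/videos.ts
@@ -130,18 +130,8 @@ const videosUpdateValidator = [
 
  const video = res.locals.video
 
- // We need to make additional checks
- if (video.isOwned() === false) {
- return res.status(403)
- .json({ error: 'Cannot update video of another server' })
- .end()
- }
- 
- if (video.VideoChannel.Account.userId !== res.locals.oauth.token.User.id) {
- return res.status(403)
- .json({ error: 'Cannot update video of another user' })
- .end()
- }
+ // Check if the user who did the request is able to update the video
+ if (!checkUserCanManageVideo(res.locals.oauth.token.User, res.locals.video, UserRight.UPDATE_ANY_VIDEO, res)) return
 
  if (video.privacy !== VideoPrivacy.PRIVATE && req.body.privacy === VideoPrivacy.PRIVATE) {
  return res.status(409)
@@ -198,7 +188,7 @@ const videosRemoveValidator = [
  if (!await isVideoExist(req.params.id, res)) return
 
  // Check if the user who did the request is able to delete the video
- if (!checkUserCanDeleteVideo(res.locals.oauth.token.User, res.locals.video, res)) return
+ if (!checkUserCanManageVideo(res.locals.oauth.token.User, res.locals.video, UserRight.REMOVE_ANY_VIDEO, res)) return
 
  return next()
  }
@@ -282,7 +272,7 @@ export {
 
 // ---------------------------------------------------------------------------
 
-function checkUserCanDeleteVideo (user: UserModel, video: VideoModel, res: express.Response) {
+function checkUserCanManageVideo (user: UserModel, video: VideoModel, right: UserRight, res: express.Response) {
  // Retrieve the user who did the request
  if (video.isOwned() === false) {
  res.status(403)
@@ -295,7 +285,7 @@ function checkUserCanDeleteVideo (user: UserModel, video: VideoModel, res: expre
  // The user can delete it if he has the right
  // Or if s/he is the video's account
  const account = video.VideoChannel.Account
- if (user.hasRight(UserRight.REMOVE_ANY_VIDEO) === false && account.userId !== user.id) {
+ if (user.hasRight(right) === false && account.userId !== user.id) {
  res.status(403)
  .json({ error: 'Cannot remove video of another user' })
  .end()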
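Review bot: The 403 body at new line 290 still reads `'Cannot remove video of another user'`, but checkUserCanManageVideo is now also reached from videosUpdateValidator (new line 134), so a rejected update is reported to the client as a removal error and the comment at new line 285 ("The user can delete it if he has the right") no longer describes the generalised check. A wording that covers both rights fixes both, e.g. `// The user can manage it if he has the right` and `.json({ error: 'Cannot manage video of another user' })`. The `res.status(403)` branch at new line 278 for non-owned videos likely carries a similar "remove" message outside this hunk, which would be worth aligning at the same time; the function starts in the previous hunk and its body continues past this one. In the first hunk, new line 134 passes `res.locals.video` although the local `video` declared at line 131 already holds it, so `checkUserCanManageVideo(res.locals.oauth.token.User, video, UserRight.UPDATE_ANY_VIDEO, res)` would be consistent with the rest of that validator.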