Diffstat (limited to 'server/middlewares')
-rw-r--r--server/middlewares/validators/shared/videos.ts33
-rw-r--r--server/middlewares/validators/videos/video-captions.ts22
-rw-r--r--server/middlewares/validators/videos/video-imports.ts18
-rw-r--r--server/middlewares/validators/videos/videos.ts19
4 files changed, 73 insertions, 19 deletions
diff --git a/server/middlewares/validators/shared/videos.ts b/server/middlewares/validators/shared/videos.ts
index 71b81654f..fc978b63a 100644
--- a/server/middlewares/validators/shared/videos.ts
+++ b/server/middlewares/validators/shared/videos.ts
@@ -1,16 +1,20 @@
1import { Response } from 'express' 1import { Request, Response } from 'express'
2import { loadVideo, VideoLoadType } from '@server/lib/model-loaders' 2import { loadVideo, VideoLoadType } from '@server/lib/model-loaders'
3import { authenticatePromiseIfNeeded } from '@server/middlewares/auth'
4import { VideoModel } from '@server/models/video/video'
3import { VideoChannelModel } from '@server/models/video/video-channel' 5import { VideoChannelModel } from '@server/models/video/video-channel'
4import { VideoFileModel } from '@server/models/video/video-file' 6import { VideoFileModel } from '@server/models/video/video-file'
5import { 7import {
6 MUser, 8 MUser,
7 MUserAccountId, 9 MUserAccountId,
10 MVideo,
8 MVideoAccountLight, 11 MVideoAccountLight,
9 MVideoFormattableDetails, 12 MVideoFormattableDetails,
10 MVideoFullLight, 13 MVideoFullLight,
11 MVideoId, 14 MVideoId,
12 MVideoImmutable, 15 MVideoImmutable,
13 MVideoThumbnail 16 MVideoThumbnail,
17 MVideoWithRights
14} from '@server/types/models' 18} from '@server/types/models'
15import { HttpStatusCode, UserRight } from '@shared/models' 19import { HttpStatusCode, UserRight } from '@shared/models'
16 20
@@ -89,6 +93,27 @@ async function doesVideoChannelOfAccountExist (channelId: number, user: MUserAcc
89 return true 93 return true
90} 94}
91 95
96async function checkCanSeeVideoIfPrivate (req: Request, res: Response, video: MVideo, authenticateInQuery = false) {
97 if (!video.requiresAuth()) return true
98
99 const videoWithRights = await VideoModel.loadAndPopulateAccountAndServerAndTags(video.id)
100
101 return checkCanSeePrivateVideo(req, res, videoWithRights, authenticateInQuery)
102}
103
104async function checkCanSeePrivateVideo (req: Request, res: Response, video: MVideoWithRights, authenticateInQuery = false) {
105 await authenticatePromiseIfNeeded(req, res, authenticateInQuery)
106
107 const user = res.locals.oauth ? res.locals.oauth.token.User : null
108
109 // Only the owner or a user that have blocklist rights can see the video
110 if (!user || !user.canGetVideo(video)) {
111 return false
112 }
113
114 return true
115}
116
92function checkUserCanManageVideo (user: MUser, video: MVideoAccountLight, right: UserRight, res: Response, onlyOwned = true) { 117function checkUserCanManageVideo (user: MUser, video: MVideoAccountLight, right: UserRight, res: Response, onlyOwned = true) {
93 // Retrieve the user who did the request 118 // Retrieve the user who did the request
94 if (onlyOwned && video.isOwned() === false) { 119 if (onlyOwned && video.isOwned() === false) {
@@ -120,5 +145,7 @@ export {
120 doesVideoChannelOfAccountExist, 145 doesVideoChannelOfAccountExist,
121 doesVideoExist, 146 doesVideoExist,
122 doesVideoFileOfVideoExist, 147 doesVideoFileOfVideoExist,
123 checkUserCanManageVideo 148 checkUserCanManageVideo,
149 checkCanSeeVideoIfPrivate,
150 checkCanSeePrivateVideo
124} 151}
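Review bot: `checkCanSeeVideoIfPrivate` hands the result of `VideoModel.loadAndPopulateAccountAndServerAndTags(video.id)` to `checkCanSeePrivateVideo` with no null check; if that loader can return null (not visible in this hunk), `user.canGetVideo(video)` throws and the request ends in a 500 instead of an explicit deny, so a guard like `if (!videoWithRights) return false` would keep the deny path deterministic. Both new exported helpers also lack a doc comment; for `checkCanSeePrivateVideo` something like `// Authenticates the request (from the query string too when authenticateInQuery is set), then returns true only if the resulting user may see this private/internal/blocklisted video; anonymous requests always get false.` would state the contract callers rely on. Assuming `canGetVideo` returns a boolean, the closing `if (!user || !user.canGetVideo(video)) { return false } return true` reads more directly as `return !!user && user.canGetVideo(video)`.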
diff --git a/server/middlewares/validators/videos/video-captions.ts b/server/middlewares/validators/videos/video-captions.ts
index 47c491b4c..a399871e1 100644
--- a/server/middlewares/validators/videos/video-captions.ts
+++ b/server/middlewares/validators/videos/video-captions.ts
@@ -1,11 +1,18 @@
1import express from 'express' 1import express from 'express'
2import { body, param } from 'express-validator' 2import { body, param } from 'express-validator'
3import { UserRight } from '@shared/models' 3import { HttpStatusCode, UserRight } from '@shared/models'
4import { isVideoCaptionFile, isVideoCaptionLanguageValid } from '../../../helpers/custom-validators/video-captions' 4import { isVideoCaptionFile, isVideoCaptionLanguageValid } from '../../../helpers/custom-validators/video-captions'
5import { cleanUpReqFiles } from '../../../helpers/express-utils' 5import { cleanUpReqFiles } from '../../../helpers/express-utils'
6import { logger } from '../../../helpers/logger' 6import { logger } from '../../../helpers/logger'
7import { CONSTRAINTS_FIELDS, MIMETYPES } from '../../../initializers/constants' 7import { CONSTRAINTS_FIELDS, MIMETYPES } from '../../../initializers/constants'
8import { areValidationErrors, checkUserCanManageVideo, doesVideoCaptionExist, doesVideoExist, isValidVideoIdParam } from '../shared' 8import {
9 areValidationErrors,
10 checkCanSeeVideoIfPrivate,
11 checkUserCanManageVideo,
12 doesVideoCaptionExist,
13 doesVideoExist,
14 isValidVideoIdParam
15} from '../shared'
9 16
10const addVideoCaptionValidator = [ 17const addVideoCaptionValidator = [
11 isValidVideoIdParam('videoId'), 18 isValidVideoIdParam('videoId'),
@@ -64,7 +71,16 @@ const listVideoCaptionsValidator = [
64 logger.debug('Checking listVideoCaptions parameters', { parameters: req.params }) 71 logger.debug('Checking listVideoCaptions parameters', { parameters: req.params })
65 72
66 if (areValidationErrors(req, res)) return 73 if (areValidationErrors(req, res)) return
67 if (!await doesVideoExist(req.params.videoId, res, 'id')) return 74 if (!await doesVideoExist(req.params.videoId, res, 'only-video')) return
75
76 const video = res.locals.onlyVideo
77
78 if (!await checkCanSeeVideoIfPrivate(req, res, video)) {
79 return res.fail({
80 status: HttpStatusCode.FORBIDDEN_403,
81 message: 'Cannot list captions of private/internal/blocklisted video'
82 })
83 }
68 84
69 return next() 85 return next()
70 } 86 }
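Review bot: The 403 returned when `checkCanSeeVideoIfPrivate` fails tells an anonymous caller that a video with that id exists, while a missing id gets a 404 from `doesVideoExist` a few lines earlier; this mirrors what `videosCustomGetValidator` already does, so it is consistent, but the choice deserves a comment on the failure branch such as `// 403 rather than 404 on purpose: matches videosCustomGetValidator, existence of private videos is not hidden`. The `video` local is read once and could be inlined as `res.locals.onlyVideo` in the call. `listVideoCaptionsValidator` starts before this hunk.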
diff --git a/server/middlewares/validators/videos/video-imports.ts b/server/middlewares/validators/videos/video-imports.ts
index 640139c73..e4b54283f 100644
--- a/server/middlewares/validators/videos/video-imports.ts
+++ b/server/middlewares/validators/videos/video-imports.ts
@@ -13,6 +13,7 @@ import { CONFIG } from '../../../initializers/config'
13import { CONSTRAINTS_FIELDS } from '../../../initializers/constants' 13import { CONSTRAINTS_FIELDS } from '../../../initializers/constants'
14import { areValidationErrors, doesVideoChannelOfAccountExist } from '../shared' 14import { areValidationErrors, doesVideoChannelOfAccountExist } from '../shared'
15import { getCommonVideoEditAttributes } from './videos' 15import { getCommonVideoEditAttributes } from './videos'
16import { isValid as isIPValid, parse as parseIP } from 'ipaddr.js'
16 17
17const videoImportAddValidator = getCommonVideoEditAttributes().concat([ 18const videoImportAddValidator = getCommonVideoEditAttributes().concat([
18 body('channelId') 19 body('channelId')
@@ -71,6 +72,23 @@ const videoImportAddValidator = getCommonVideoEditAttributes().concat([
71 return res.fail({ message: 'Should have a magnetUri or a targetUrl or a torrent file.' }) 72 return res.fail({ message: 'Should have a magnetUri or a targetUrl or a torrent file.' })
72 } 73 }
73 74
75 if (req.body.targetUrl) {
76 const hostname = new URL(req.body.targetUrl).hostname
77
78 if (isIPValid(hostname)) {
79 const parsed = parseIP(hostname)
80
81 if (parsed.range() !== 'unicast') {
82 cleanUpReqFiles(req)
83
84 return res.fail({
85 status: HttpStatusCode.FORBIDDEN_403,
86 message: 'Cannot use non unicast IP as targetUrl.'
87 })
88 }
89 }
90 }
91
74 if (!await isImportAccepted(req, res)) return cleanUpReqFiles(req) 92 if (!await isImportAccepted(req, res)) return cleanUpReqFiles(req)
75 93
76 return next() 94 return next()
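Review bot: The non-unicast check does not see IPv6 literals, because the WHATWG `URL.hostname` keeps the square brackets (`[::1]`) and `isIPValid` rejects bracketed input, so `parsed.range()` is never consulted for such a targetUrl; strip them first: `const hostname = new URL(req.body.targetUrl).hostname.replace(/^\[|\]$/g, '')`. `new URL(...)` also throws on a malformed targetUrl, and unless an earlier validator in this chain already guarantees a well-formed URL (not visible here) that throw escapes the async middleware as a 500 rather than a 400. Worth stating in a comment that this guard only covers IP literals — a hostname that resolves to a non-unicast address is not caught here, so the same range check should also be enforced at the point where the import actually connects. The enclosing middleware starts before this hunk.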
diff --git a/server/middlewares/validators/videos/videos.ts b/server/middlewares/validators/videos/videos.ts
index bf5f1c97b..3a1a905f3 100644
--- a/server/middlewares/validators/videos/videos.ts
+++ b/server/middlewares/validators/videos/videos.ts
@@ -49,9 +49,9 @@ import { CONSTRAINTS_FIELDS, OVERVIEWS } from '../../../initializers/constants'
49import { isLocalVideoAccepted } from '../../../lib/moderation' 49import { isLocalVideoAccepted } from '../../../lib/moderation'
50import { Hooks } from '../../../lib/plugins/hooks' 50import { Hooks } from '../../../lib/plugins/hooks'
51import { VideoModel } from '../../../models/video/video' 51import { VideoModel } from '../../../models/video/video'
52import { authenticatePromiseIfNeeded } from '../../auth'
53import { 52import {
54 areValidationErrors, 53 areValidationErrors,
54 checkCanSeePrivateVideo,
55 checkUserCanManageVideo, 55 checkUserCanManageVideo,
56 doesVideoChannelOfAccountExist, 56 doesVideoChannelOfAccountExist,
57 doesVideoExist, 57 doesVideoExist,
@@ -315,19 +315,12 @@ const videosCustomGetValidator = (
315 315
316 // Video private or blacklisted 316 // Video private or blacklisted
317 if (video.requiresAuth()) { 317 if (video.requiresAuth()) {
318 await authenticatePromiseIfNeeded(req, res, authenticateInQuery) 318 if (await checkCanSeePrivateVideo(req, res, video, authenticateInQuery)) return next()
319 319
320 const user = res.locals.oauth ? res.locals.oauth.token.User : null 320 return res.fail({
321 321 status: HttpStatusCode.FORBIDDEN_403,
322 // Only the owner or a user that have blocklist rights can see the video 322 message: 'Cannot get this private/internal or blocklisted video'
323 if (!user || !user.canGetVideo(video)) { 323 })
324 return res.fail({
325 status: HttpStatusCode.FORBIDDEN_403,
326 message: 'Cannot get this private/internal or blocklisted video'
327 })
328 }
329
330 return next()
331 } 324 }
332 325
333 // Video is public, anyone can access it 326 // Video is public, anyone can access it