Diffstat (limited to 'server/middlewares')
-rw-r--r--server/middlewares/validators/videos/videos.ts9
1 files changed, 4 insertions, 5 deletions
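--- a/server/middlewares/validators/videos/videos.ts
+++ b/server/middlewares/validators/videos/videos.ts
@@ -3,7 +3,7 @@ import { body, param, query, ValidationChain } from 'express-validator'
 import { isAbleToUploadVideo } from '@server/lib/user'
 import { getServerActor } from '@server/models/application/application'
 import { ExpressPromiseHandler } from '@server/types/express'
-import { MVideoFullLight } from '@server/types/models'
+import { MVideoFullLight, MVideoWithRights } from '@server/types/models'
 import { ServerErrorCode, UserRight, VideoChangeOwnershipStatus, VideoPrivacy } from '../../../../shared'
 import { HttpStatusCode } from '../../../../shared/core-utils/miscs/http-error-codes'
 import { VideoChangeOwnershipAccept } from '../../../../shared/models/videos/video-change-ownership-accept.model'
@@ -197,17 +197,16 @@ const videosCustomGetValidator = (
  // Controllers does not need to check video rights
  if (fetchType === 'only-immutable-attributes') return next()
 
- const video = getVideoWithAttributes(res)
- const videoAll = video as MVideoFullLight
+ const video = getVideoWithAttributes(res) as MVideoWithRights
 
  // Video private or blacklisted
- if (videoAll.requiresAuth()) {
+ if (video.requiresAuth()) {
  await authenticatePromiseIfNeeded(req, res, authenticateInQuery)
 
  const user = res.locals.oauth ? res.locals.oauth.token.User : null
 
  // Only the owner or a user that have blacklist rights can see the video
- if (!user || !user.canGetVideo(videoAll)) {
+ if (!user || !user.canGetVideo(video)) {
  return res.status(HttpStatusCode.FORBIDDEN_403)
  .json({ error: 'Cannot get this private/internal or blacklisted video.' })
  }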
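Review bot: The `as MVideoWithRights` assertion on `getVideoWithAttributes(res)` is unchecked by the compiler, and the access decision made by `video.requiresAuth()` and `user.canGetVideo(video)` now rests on it. Only `'only-immutable-attributes'` is short-circuited above the cast, so every other `fetchType` has to load whatever those two methods read; that is not visible in this hunk and should be confirmed, since a missing attribute would presumably mis-evaluate the 403 branch rather than fail loudly. I would record the contract next to the cast, e.g. `// every fetchType except 'only-immutable-attributes' must load the fields requiresAuth() and canGetVideo() read`, or narrow the return type of `getVideoWithAttributes` so the assertion is not needed. `videosCustomGetValidator` starts and ends outside the hunk.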