From 2c2befaacaa7063df0d4557b71c187ee168a8eb6 Mon Sep 17 00:00:00 2001
From: Chocobozzz
Date: Wed, 22 Jun 2022 14:03:50 +0200
Subject: Fix video right check

---
 server/middlewares/auth.ts                              | 4 ++--
 server/middlewares/validators/shared/videos.ts          | 13 +++++++------
 server/middlewares/validators/videos/video-playlists.ts | 4 ++--
 server/tests/api/videos/video-privacy.ts                | 2 +-
 4 files changed, 12 insertions(+), 11 deletions(-)

diff --git a/server/middlewares/auth.ts b/server/middlewares/auth.ts
index c5424be97..ad3b24ab2 100644
--- a/server/middlewares/auth.ts
+++ b/server/middlewares/auth.ts
@@ -47,7 +47,7 @@ function authenticateSocket (socket: Socket, next: (err?: any) => void) {
     .catch(err => logger.error('Cannot get access token.', { err }))
 }
 
-function authenticatePromiseIfNeeded (req: express.Request, res: express.Response, authenticateInQuery = false) {
+function authenticatePromise (req: express.Request, res: express.Response, authenticateInQuery = false) {
   return new Promise(resolve => {
     // Already authenticated? (or tried to)
     if (res.locals.oauth?.token.User) return resolve()
@@ -76,6 +76,6 @@ function optionalAuthenticate (req: express.Request, res: express.Response, next
 export {
   authenticate,
   authenticateSocket,
-  authenticatePromiseIfNeeded,
+  authenticatePromise,
   optionalAuthenticate
 }
diff --git a/server/middlewares/validators/shared/videos.ts b/server/middlewares/validators/shared/videos.ts
index 39aab6df7..2c2ae3811 100644
--- a/server/middlewares/validators/shared/videos.ts
+++ b/server/middlewares/validators/shared/videos.ts
@@ -2,7 +2,7 @@ import { Request, Response } from 'express'
 import { isUUIDValid } from '@server/helpers/custom-validators/misc'
 import { loadVideo, VideoLoadType } from '@server/lib/model-loaders'
 import { isAbleToUploadVideo } from '@server/lib/user'
-import { authenticatePromiseIfNeeded } from '@server/middlewares/auth'
+import { authenticatePromise } from '@server/middlewares/auth'
 import { VideoModel } from '@server/models/video/video'
 import { VideoChannelModel } from '@server/models/video/video-channel'
 import { VideoFileModel } from '@server/models/video/video-file'
@@ -137,7 +137,7 @@ async function checkCanSeeAuthVideo (req: Request, res: Response, video: MVideoI
     return false
   }
 
-  await authenticatePromiseIfNeeded(req, res, authenticateInQuery)
+  await authenticatePromise(req, res, authenticateInQuery)
 
   const user = res.locals.oauth?.token.User
   if (!user) return fail()
@@ -154,14 +154,15 @@ async function checkCanSeeAuthVideo (req: Request, res: Response, video: MVideoI
   }
 
   const isOwnedByUser = videoWithRights.VideoChannel.Account.userId === user.id
-  if (privacy === VideoPrivacy.PRIVATE || privacy === VideoPrivacy.UNLISTED) {
-    if (isOwnedByUser && user.hasRight(UserRight.SEE_ALL_VIDEOS)) return true
+
+  if (videoWithRights.isBlacklisted()) {
+    if (isOwnedByUser || user.hasRight(UserRight.MANAGE_VIDEO_BLACKLIST)) return true
 
     return fail()
   }
 
-  if (videoWithRights.isBlacklisted()) {
-    if (isOwnedByUser || user.hasRight(UserRight.MANAGE_VIDEO_BLACKLIST)) return true
+  if (privacy === VideoPrivacy.PRIVATE || privacy === VideoPrivacy.UNLISTED) {
+    if (isOwnedByUser || user.hasRight(UserRight.SEE_ALL_VIDEOS)) return true
 
     return fail()
   }
diff --git a/server/middlewares/validators/videos/video-playlists.ts b/server/middlewares/validators/videos/video-playlists.ts
index 241b9ed7b..d514ae0ad 100644
--- a/server/middlewares/validators/videos/video-playlists.ts
+++ b/server/middlewares/validators/videos/video-playlists.ts
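Review bot: Moving the blacklist branch ahead of the privacy branch in the `@@ -154,14 +154,15 @@` hunk makes its `return true` end the check before the privacy branch runs, so a PRIVATE or UNLISTED video that is also blacklisted becomes readable to any user holding MANAGE_VIDEO_BLACKLIST even without SEE_ALL_VIDEOS, whereas under the old order such a video still had to pass the privacy check first. The two conditions are independent gates, so each branch should only be able to deny and access should be granted only once both have been satisfied, as sketched below; if the early grant for blacklist moderators is deliberate, a comment such as `// blacklist managers may view a blacklisted video regardless of its privacy` should say so, because the next reader will otherwise read it as a bypass. The `&&` → `||` change on the SEE_ALL_VIDEOS line is a genuine fix (owners without that right could not see their own private videos). checkCanSeeAuthVideo both starts and ends outside this hunk, so the tail the conjunctive form falls through to is not visible here and is assumed to grant access as the visible branches do.
```typescript
  const isOwnedByUser = videoWithRights.VideoChannel.Account.userId === user.id

  // Both gates must pass; neither branch alone grants access.
  if (videoWithRights.isBlacklisted()) {
    if (!isOwnedByUser && !user.hasRight(UserRight.MANAGE_VIDEO_BLACKLIST)) return fail()
  }

  if (privacy === VideoPrivacy.PRIVATE || privacy === VideoPrivacy.UNLISTED) {
    if (!isOwnedByUser && !user.hasRight(UserRight.SEE_ALL_VIDEOS)) return fail()
  }

  // … unchanged: remainder of checkCanSeeAuthVideo (outside this hunk) …
```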
@@ -33,7 +33,7 @@ import { logger } from '../../../helpers/logger'
 import { CONSTRAINTS_FIELDS } from '../../../initializers/constants'
 import { VideoPlaylistElementModel } from '../../../models/video/video-playlist-element'
 import { MVideoPlaylist } from '../../../types/models/video/video-playlist'
-import { authenticatePromiseIfNeeded } from '../../auth'
+import { authenticatePromise } from '../../auth'
 import {
   areValidationErrors,
   doesVideoChannelIdExist,
@@ -161,7 +161,7 @@ const videoPlaylistsGetValidator = (fetchType: VideoPlaylistFetchType) => {
     }
 
     if (videoPlaylist.privacy === VideoPlaylistPrivacy.PRIVATE) {
-      await authenticatePromiseIfNeeded(req, res)
+      await authenticatePromise(req, res)
 
       const user = res.locals.oauth ? res.locals.oauth.token.User : null
 
diff --git a/server/tests/api/videos/video-privacy.ts b/server/tests/api/videos/video-privacy.ts
index 3051a443d..1073aee8c 100644
--- a/server/tests/api/videos/video-privacy.ts
+++ b/server/tests/api/videos/video-privacy.ts
@@ -162,7 +162,7 @@ describe('Test video privacy', function () {
     })
 
     it('Should not be able to get this unlisted video using its id', async function () {
-      await servers[1].videos.get({ id: unlistedVideo.id, expectedStatus: HttpStatusCode.NOT_FOUND_404 })
+      await servers[1].videos.get({ id: unlistedVideo.id, expectedStatus: HttpStatusCode.UNAUTHORIZED_401 })
     })
 
     it('Should be able to get this unlisted video using its uuid/shortUUID', async function () {
-- 
cgit v1.2.3
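Review bot: The changed expectation in the video-privacy.ts hunk turns an unauthenticated request for an unlisted video by numeric id from 404 into 401, so the response now tells the caller that a video exists at that id even though it cannot be viewed, which is a different contract from the one the old assertion pinned (an unlisted video by id is indistinguishable from a missing one). Whether UNLISTED content should reveal its existence on the id path ought to be a deliberate decision rather than a side effect of the validator reordering; the status presumably comes from `fail()` in shared/videos.ts, whose body is not visible in this diff. If hiding is intended, the validator should keep answering NOT_FOUND_404 on that path and this assertion should stay as it was; if 401 is intended, a one-line comment above the assertion, e.g. `// id lookup requires auth; the unlisted video's existence is not hidden on this path`, records the choice for the next reader.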