From 58b2ba55a90f05f24661e664b1fb0a3486f037e8 Mon Sep 17 00:00:00 2001 From: Chocobozzz Date: Fri, 5 Aug 2016 21:41:28 +0200 Subject: Server: do not allow a user to remove a video of another user --- client/tsconfig.json | 2 -- server/middlewares/validators/videos.js | 1 + server/tests/api/checkParams.js | 2 ++ 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/client/tsconfig.json b/client/tsconfig.json index e2d61851e..b10231b7b 100644 --- a/client/tsconfig.json +++ b/client/tsconfig.json @@ -49,8 +49,6 @@ "src/app/shared/search/search.component.ts", "src/app/shared/search/search.model.ts", "src/app/shared/search/search.service.ts", - "src/app/shared/user/index.ts", - "src/app/shared/user/user.service.ts", "src/app/videos/index.ts", "src/app/videos/shared/index.ts", "src/app/videos/shared/loader/index.ts", diff --git a/server/middlewares/validators/videos.js b/server/middlewares/validators/videos.js index 9d21ee16f..e51087d5a 100644 --- a/server/middlewares/validators/videos.js +++ b/server/middlewares/validators/videos.js @@ -77,6 +77,7 @@ function videosRemove (req, res, next) { if (!video) return res.status(404).send('Video not found') else if (video.isOwned() === false) return res.status(403).send('Cannot remove video of another pod') + else if (video.author !== res.locals.oauth.token.user.username) return res.status(403).send('Cannot remove video of another user') next() }) diff --git a/server/tests/api/checkParams.js b/server/tests/api/checkParams.js index 8b49f5f36..e489df277 100644 --- a/server/tests/api/checkParams.js +++ b/server/tests/api/checkParams.js @@ -496,6 +496,8 @@ describe('Test parameters validator', function () { .expect(404, done) }) + it('Should fail with a video of another user') + it('Should fail with a video of another pod') it('Should succeed with the correct parameters') -- cgit v1.2.3