From 6ea9295b8f5dd7cc254202a79aad61c666cc4259 Mon Sep 17 00:00:00 2001 From: Chocobozzz Date: Tue, 22 Feb 2022 14:16:34 +0100 Subject: Check video privacy when creating comments/rates --- server/middlewares/validators/videos/video-comments.ts | 16 ++++++++++++++++ server/middlewares/validators/videos/video-rates.ts | 9 ++++++++- 2 files changed, 24 insertions(+), 1 deletion(-) (limited to 'server/middlewares/validators') diff --git a/server/middlewares/validators/videos/video-comments.ts b/server/middlewares/validators/videos/video-comments.ts index 91ae31ec2..91e85711d 100644 --- a/server/middlewares/validators/videos/video-comments.ts +++ b/server/middlewares/validators/videos/video-comments.ts @@ -100,6 +100,14 @@ const addVideoCommentThreadValidator = [ if (areValidationErrors(req, res)) return if (!await doesVideoExist(req.params.videoId, res)) return + + if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.videoAll)) { + return res.fail({ + status: HttpStatusCode.FORBIDDEN_403, + message: 'Cannot access to this ressource' + }) + } + if (!isVideoCommentsEnabled(res.locals.videoAll, res)) return if (!await isVideoCommentAccepted(req, res, res.locals.videoAll, false)) return @@ -119,6 +127,14 @@ const addVideoCommentReplyValidator = [ if (areValidationErrors(req, res)) return if (!await doesVideoExist(req.params.videoId, res)) return + + if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.videoAll)) { + return res.fail({ + status: HttpStatusCode.FORBIDDEN_403, + message: 'Cannot access to this ressource' + }) + } + if (!isVideoCommentsEnabled(res.locals.videoAll, res)) return if (!await doesVideoCommentExist(req.params.commentId, res.locals.videoAll, res)) return if (!await isVideoCommentAccepted(req, res, res.locals.videoAll, true)) return diff --git a/server/middlewares/validators/videos/video-rates.ts b/server/middlewares/validators/videos/video-rates.ts index 6e0bb0ad1..923bf3eaf 100644 --- a/server/middlewares/validators/videos/video-rates.ts +++ b/server/middlewares/validators/videos/video-rates.ts @@ -8,7 +8,7 @@ import { isRatingValid } from '../../../helpers/custom-validators/video-rates' import { isVideoRatingTypeValid } from '../../../helpers/custom-validators/videos' import { logger } from '../../../helpers/logger' import { AccountVideoRateModel } from '../../../models/account/account-video-rate' -import { areValidationErrors, doesVideoExist, isValidVideoIdParam } from '../shared' +import { areValidationErrors, checkCanSeeVideoIfPrivate, doesVideoExist, isValidVideoIdParam } from '../shared' const videoUpdateRateValidator = [ isValidVideoIdParam('id'), @@ -21,6 +21,13 @@ const videoUpdateRateValidator = [ if (areValidationErrors(req, res)) return if (!await doesVideoExist(req.params.id, res)) return + if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.videoAll)) { + return res.fail({ + status: HttpStatusCode.FORBIDDEN_403, + message: 'Cannot access to this ressource' + }) + } + return next() } ] -- cgit v1.2.3