From 84c8d9866890f479faf0168c29be5eb7816ccc8e Mon Sep 17 00:00:00 2001
From: Chocobozzz
Date: Mon, 10 Jan 2022 16:07:21 +0100
Subject: Don't display comments of private/internal videos
---
 .../validators/videos/video-comments.ts | 23 +++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)
(limited to 'server/middlewares')
diff --git a/server/middlewares/validators/videos/video-comments.ts b/server/middlewares/validators/videos/video-comments.ts
index 3ea8bdcbb..04e7b6973 100644
--- a/server/middlewares/validators/videos/video-comments.ts
+++ b/server/middlewares/validators/videos/video-comments.ts
@@ -9,7 +9,14 @@ import { logger } from '../../../helpers/logger'
 import { AcceptResult, isLocalVideoCommentReplyAccepted, isLocalVideoThreadAccepted } from '../../../lib/moderation'
 import { Hooks } from '../../../lib/plugins/hooks'
 import { MCommentOwnerVideoReply, MVideo, MVideoFullLight } from '../../../types/models/video'
-import { areValidationErrors, doesVideoCommentExist, doesVideoCommentThreadExist, doesVideoExist, isValidVideoIdParam } from '../shared'
+import {
+ areValidationErrors,
+ checkCanSeeVideoIfPrivate,
+ doesVideoCommentExist,
+ doesVideoCommentThreadExist,
+ doesVideoExist,
+ isValidVideoIdParam
+} from '../shared'
 
 const listVideoCommentsValidator = [
 query('isLocal')
@@ -48,6 +55,13 @@ const listVideoCommentThreadsValidator = [
 if (areValidationErrors(req, res)) return
 if (!await doesVideoExist(req.params.videoId, res, 'only-video')) return
 
+ if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.onlyVideo)) {
+ return res.fail({
+ status: HttpStatusCode.FORBIDDEN_403,
+ message: 'Cannot list comments of private/internal/blocklisted video'
+ })
+ }
+
 return next()
 }
 ]
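Review bot: In `listVideoCommentThreadsValidator` the new branch sends the 403 itself with `res.fail(...)` although `checkCanSeeVideoIfPrivate` is also handed `res`, while the neighbouring `doesVideoExist(..., res, ...)` call is followed by a bare `return`, which suggests those helpers answer on their own. The helper's definition is not on this page, so it is worth confirming that it only returns a boolean; if it ever responds on failure, this branch would write a second response. A one-line comment above the branch such as `// checkCanSeeVideoIfPrivate never responds itself; the 403 is sent here` would pin that contract, and the same applies to the identical branch in the `listVideoThreadCommentsValidator` hunk. The message reads 'Cannot list comments' on the validator that lists threads, while the other hunk says 'threads' on the validator that lists a thread's comments, so the two strings look swapped. The validator body starts before this hunk.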
@@ -65,6 +79,13 @@ const listVideoThreadCommentsValidator = [
 if (!await doesVideoExist(req.params.videoId, res, 'only-video')) return
 if (!await doesVideoCommentThreadExist(req.params.threadId, res.locals.onlyVideo, res)) return
 
+ if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.onlyVideo)) {
+ return res.fail({
+ status: HttpStatusCode.FORBIDDEN_403,
+ message: 'Cannot list threads of private/internal/blocklisted video'
+ })
+ }
+
 return next()
 }
 ]
--
cgit v1.2.3
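Review bot: The visibility check in `listVideoThreadCommentsValidator` runs after `doesVideoCommentThreadExist`, so a caller who is not allowed to see the video still receives the thread lookup's answer first. If that helper replies with a not-found error on its own (its body is not shown here), the difference between that reply and the 403 reveals which thread ids belong to a private video. Moving the `if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.onlyVideo)) { ... }` block directly below the `doesVideoExist` line closes that gap without changing the success path. The start of the validator lies outside the hunk.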