From 58b2ba55a90f05f24661e664b1fb0a3486f037e8 Mon Sep 17 00:00:00 2001
From: Chocobozzz
Date: Fri, 5 Aug 2016 21:41:28 +0200
Subject: Server: do not allow a user to remove a video of another user
---
 server/middlewares/validators/videos.js | 1 +
 1 file changed, 1 insertion(+) (limited to 'server/middlewares')
diff --git a/server/middlewares/validators/videos.js b/server/middlewares/validators/videos.js
index 9d21ee16f..e51087d5a 100644
--- a/server/middlewares/validators/videos.js
+++ b/server/middlewares/validators/videos.js
@@ -77,6 +77,7 @@ function videosRemove (req, res, next) {
 if (!video) return res.status(404).send('Video not found')
 else if (video.isOwned() === false) return res.status(403).send('Cannot remove video of another pod')
+ else if (video.author !== res.locals.oauth.token.user.username) return res.status(403).send('Cannot remove video of another user')
 next()
 })
-- cgit v1.2.3
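Review bot: The added ownership test dereferences `res.locals.oauth.token.user.username` without a guard, so it is only correct if the OAuth authentication middleware always runs before this validator; the route wiring is not visible here, and videosRemove's body starts outside the hunk. If the validator were ever mounted without it, the access would throw inside the load callback rather than deny the request, so failing closed is safer: `const user = res.locals.oauth && res.locals.oauth.token && res.locals.oauth.token.user` followed by `if (!user) return res.sendStatus(401)`. The check also ties ownership to a name string (`video.author` against the username); if usernames can be changed or re-registered, which this hunk does not show, comparing a stable user id would be more robust. A short comment above the branch such as `// Authorization: only the local author may remove the video; requires the authenticated user in res.locals.oauth` would document both the intent and the dependency.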