From 58b2ba55a90f05f24661e664b1fb0a3486f037e8 Mon Sep 17 00:00:00 2001
From: Chocobozzz <florian.bigard@gmail.com>
Date: Fri, 5 Aug 2016 21:41:28 +0200
Subject: Server: do not allow a user to remove a video of another user

---
 server/middlewares/validators/videos.js | 1 +
 1 file changed, 1 insertion(+)

(limited to 'server/middlewares')

diff --git a/server/middlewares/validators/videos.js b/server/middlewares/validators/videos.js
index 9d21ee16f..e51087d5a 100644
--- a/server/middlewares/validators/videos.js
+++ b/server/middlewares/validators/videos.js
@@ -77,6 +77,7 @@ function videosRemove (req, res, next) {
 
       if (!video) return res.status(404).send('Video not found')
       else if (video.isOwned() === false) return res.status(403).send('Cannot remove video of another pod')
+      else if (video.author !== res.locals.oauth.token.user.username) return res.status(403).send('Cannot remove video of another user')
 
       next()
     })
-- 
cgit v1.2.3