From 6d33593a0829a7f041127d50d4c455456550a47f Mon Sep 17 00:00:00 2001
From: Chocobozzz
Date: Tue, 12 Sep 2017 12:53:55 +0200
Subject: Improve real world script

---
 server/middlewares/validators/videos.ts | 16 ++++++----------
 1 file changed, 6 insertions(+), 10 deletions(-)

(limited to 'server/middlewares')

diff --git a/server/middlewares/validators/videos.ts b/server/middlewares/validators/videos.ts
index 249da668d..519e3d46c 100644
--- a/server/middlewares/validators/videos.ts
+++ b/server/middlewares/validators/videos.ts
@@ -109,8 +109,6 @@ function videosRemoveValidator (req: express.Request, res: express.Response, nex
   checkErrors(req, res, () => {
     checkVideoExists(req.params.id, res, () => {
-      // We need to make additional checks
-
       // Check if the user who did the request is able to delete the video
       checkUserCanDeleteVideo(res.locals.oauth.token.User.id, res, () => {
         next()
@@ -205,17 +203,15 @@ function checkUserCanDeleteVideo (userId: number, res: express.Response, callbac
   // Retrieve the user who did the request
   db.User.loadById(userId)
     .then(user => {
+      if (res.locals.video.isOwned() === false) {
+        return res.status(403).send('Cannot remove video of another pod, blacklist it')
+      }
+
       // Check if the user can delete the video
       // The user can delete it if s/he is an admin
       // Or if s/he is the video's author
-      if (user.isAdmin() === false) {
-        if (res.locals.video.isOwned() === false) {
-          return res.status(403).send('Cannot remove video of another pod')
-        }
-
-        if (res.locals.video.Author.userId !== res.locals.oauth.token.User.id) {
-          return res.status(403).send('Cannot remove video of another user')
-        }
+      if (user.isAdmin() === false && res.locals.video.Author.userId !== res.locals.oauth.token.User.id) {
+        return res.status(403).send('Cannot remove video of another user')
       }
 
       // If we reach this comment, we can delete the video
-- 
cgit v1.2.3
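Review bot: The rewritten authorization condition in checkUserCanDeleteVideo compares the author against `res.locals.oauth.token.User.id` rather than the `userId` parameter that was just used to load `user`, so the ownership decision is keyed on a different value than the one the function was given. In the visible caller the two are the same id, so this is a consistency issue rather than a bypass, but it means a future caller passing a different `userId` would have its check silently evaluated against the token instead; `if (user.isAdmin() === false && res.locals.video.Author.userId !== userId) {` ties the decision to the function's own input. The three-line comment above the condition still says an admin may delete the video, which no longer holds for non-owned videos now that the isOwned() guard runs first; it would be worth updating it to state that remote videos are rejected for everyone and admins bypass only the author check. The rest of checkUserCanDeleteVideo (the callback invocation and any rejection handling for the promise, e.g. when loadById resolves to no user) continues outside the hunk.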