From 6ea9295b8f5dd7cc254202a79aad61c666cc4259 Mon Sep 17 00:00:00 2001 From: Chocobozzz Date: Tue, 22 Feb 2022 14:16:34 +0100 Subject: Check video privacy when creating comments/rates --- server/tests/api/check-params/video-comments.ts | 39 +++++++++++++++++++++---- server/tests/api/check-params/videos.ts | 18 ++++++++++++ 2 files changed, 51 insertions(+), 6 deletions(-) (limited to 'server/tests/api/check-params') diff --git a/server/tests/api/check-params/video-comments.ts b/server/tests/api/check-params/video-comments.ts index 829f3c8b1..624d657d3 100644 --- a/server/tests/api/check-params/video-comments.ts +++ b/server/tests/api/check-params/video-comments.ts @@ -19,10 +19,14 @@ const expect = chai.expect describe('Test video comments API validator', function () { let pathThread: string let pathComment: string + let server: PeerTubeServer + let video: VideoCreateResult + let userAccessToken: string let userAccessToken2: string + let commentId: number let privateCommentId: number let privateVideo: VideoCreateResult @@ -203,9 +207,8 @@ describe('Test video comments API validator', function () { it('Should fail with an incorrect video', async function () { const path = '/api/v1/videos/ba708d62-e3d7-45d9-9d73-41b9097cc02d/comment-threads' - const fields = { - text: 'super comment' - } + const fields = { text: 'super comment' } + await makePostBodyRequest({ url: server.url, path, @@ -215,10 +218,21 @@ describe('Test video comments API validator', function () { }) }) + it('Should fail with a private video of another user', async function () { + const fields = { text: 'super comment' } + + await makePostBodyRequest({ + url: server.url, + path: '/api/v1/videos/' + privateVideo.shortUUID + '/comment-threads', + token: userAccessToken, + fields, + expectedStatus: HttpStatusCode.FORBIDDEN_403 + }) + }) + it('Should succeed with the correct parameters', async function () { - const fields = { - text: 'super comment' - } + const fields = { text: 'super comment' } + await makePostBodyRequest({ url: server.url, path: pathThread, @@ -230,6 +244,7 @@ describe('Test video comments API validator', function () { }) describe('When adding a comment to a thread', function () { + it('Should fail with a non authenticated user', async function () { const fields = { text: 'text' @@ -276,6 +291,18 @@ describe('Test video comments API validator', function () { }) }) + it('Should fail with a private video of another user', async function () { + const fields = { text: 'super comment' } + + await makePostBodyRequest({ + url: server.url, + path: '/api/v1/videos/' + privateVideo.uuid + '/comments/' + privateCommentId, + token: userAccessToken, + fields, + expectedStatus: HttpStatusCode.FORBIDDEN_403 + }) + }) + it('Should fail with an incorrect comment', async function () { const path = '/api/v1/videos/' + video.uuid + '/comments/124' const fields = { diff --git a/server/tests/api/check-params/videos.ts b/server/tests/api/check-params/videos.ts index 4cc70f5cc..41064d2ff 100644 --- a/server/tests/api/check-params/videos.ts +++ b/server/tests/api/check-params/videos.ts @@ -28,6 +28,7 @@ describe('Test videos API validator', function () { let channelId: number let channelName: string let video: VideoCreateResult + let privateVideo: VideoCreateResult // --------------------------------------------------------------- @@ -49,6 +50,10 @@ describe('Test videos API validator', function () { channelName = body.videoChannels[0].name accountName = body.account.name + '@' + body.account.host } + + { + privateVideo = await server.videos.quickUpload({ name: 'private video', privacy: VideoPrivacy.PRIVATE }) + } }) describe('When listing videos', function () { @@ -783,6 +788,19 @@ describe('Test videos API validator', function () { await makePutBodyRequest({ url: server.url, path: path + videoId + '/rate', token: server.accessToken, fields }) }) + it('Should fail with a private video of another user', async function () { + const fields = { + rating: 'like' + } + await makePutBodyRequest({ + url: server.url, + path: path + privateVideo.uuid + '/rate', + token: userAccessToken, + fields, + expectedStatus: HttpStatusCode.FORBIDDEN_403 + }) + }) + it('Should succeed with the correct parameters', async function () { const fields = { rating: 'like' -- cgit v1.2.3