Server: rights check for update a video

2017-01-11 18:41:09 +01:00 · 2017-01-11 18:41:09 +01:00 · 45abb8b97b
commit 45abb8b97b
parent d8cc063e97
2 changed files with 12 additions and 0 deletions
--- a/server/middlewares/validators/videos.js
+++ b/server/middlewares/validators/videos.js
@ -53,6 +53,14 @@ function videosUpdate (req, res, next) {
  logger.debug('Checking videosUpdate parameters', { parameters: req.body })

  checkErrors(req, res, function () {
+    if (res.locals.video.isOwned() === false) {
+      return res.status(403).send('Cannot update video of another pod')
+    }
+
+    if (res.locals.video.Author.userId !== res.locals.oauth.token.User.id) {
+      return res.status(403).send('Cannot update video of another user')
+    }
+
    checkVideoExists(req.params.id, res, next)
  })
 }
--- a/server/tests/api/check-params/videos.js
+++ b/server/tests/api/check-params/videos.js
@ -378,6 +378,10 @@ describe('Test videos API validator', function () {
      }
      requestsUtils.makePutBodyRequest(server.url, path + videoId, server.accessToken, data, done)
    })
+
+    it('Should fail with a video of another user')
+
+    it('Should fail with a video of another pod')
  })

  describe('When getting a video', function () {