Check video privacy when creating comments/rates
parent
fdd5da058a
commit
6ea9295b8f
4 changed files with 75 additions and 7 deletions
@ -100,6 +100,14 @@ const addVideoCommentThreadValidator = [
if (areValidationErrors(req, res)) return
if (!await doesVideoExist(req.params.videoId, res)) return
if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.videoAll)) {
return res.fail({
status: HttpStatusCode.FORBIDDEN_403,
message: 'Cannot access to this ressource'
})
}
if (!isVideoCommentsEnabled(res.locals.videoAll, res)) return
if (!await isVideoCommentAccepted(req, res, res.locals.videoAll, false)) return
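Review bot: The 403 response built around `checkCanSeeVideoIfPrivate` right after `doesVideoExist` is copied verbatim into three validators (this hunk, the `addVideoCommentReplyValidator` hunk and the `videoUpdateRateValidator` hunk), and its user-facing message misspells "resource" as `'Cannot access to this ressource'`. If `checkCanSeeVideoIfPrivate` in `../shared` can send the failure itself, as `doesVideoExist` appears to since its false result is simply returned, each call site collapses to `if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.videoAll)) return` and the wording lives in one place; otherwise at least change the message to `'Cannot access to this resource'` in all three. The ordering itself is sound: the privacy gate runs only after the video has been loaded into `res.locals.videoAll`, and in the reply validator it precedes `doesVideoCommentExist`, so a comment-existence probe cannot get past the privacy check. The enclosing validator array starts before this hunk and ends after it.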
@ -119,6 +127,14 @@ const addVideoCommentReplyValidator = [
if (areValidationErrors(req, res)) return
if (!await doesVideoExist(req.params.videoId, res)) return
if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.videoAll)) {
return res.fail({
status: HttpStatusCode.FORBIDDEN_403,
message: 'Cannot access to this ressource'
})
}
if (!isVideoCommentsEnabled(res.locals.videoAll, res)) return
if (!await doesVideoCommentExist(req.params.commentId, res.locals.videoAll, res)) return
if (!await isVideoCommentAccepted(req, res, res.locals.videoAll, true)) return
@ -8,7 +8,7 @@ import { isRatingValid } from '../../../helpers/custom-validators/video-rates'
import { isVideoRatingTypeValid } from '../../../helpers/custom-validators/videos'
import { logger } from '../../../helpers/logger'
import { AccountVideoRateModel } from '../../../models/account/account-video-rate'
import { areValidationErrors, doesVideoExist, isValidVideoIdParam } from '../shared'
import { areValidationErrors, checkCanSeeVideoIfPrivate, doesVideoExist, isValidVideoIdParam } from '../shared'
const videoUpdateRateValidator = [
isValidVideoIdParam('id'),
@ -21,6 +21,13 @@ const videoUpdateRateValidator = [
if (areValidationErrors(req, res)) return
if (!await doesVideoExist(req.params.id, res)) return
if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.videoAll)) {
return res.fail({
status: HttpStatusCode.FORBIDDEN_403,
message: 'Cannot access to this ressource'
})
}
return next()
}
]
@ -19,10 +19,14 @@ const expect = chai.expect
describe('Test video comments API validator', function () {
let pathThread: string
let pathComment: string
let server: PeerTubeServer
let video: VideoCreateResult
let userAccessToken: string
let userAccessToken2: string
let commentId: number
let privateCommentId: number
let privateVideo: VideoCreateResult
@ -203,9 +207,8 @@ describe('Test video comments API validator', function () {
it('Should fail with an incorrect video', async function () {
const path = '/api/v1/videos/ba708d62-e3d7-45d9-9d73-41b9097cc02d/comment-threads'
const fields = {
text: 'super comment'
}
const fields = { text: 'super comment' }
await makePostBodyRequest({
url: server.url,
path,
@ -215,10 +218,21 @@ describe('Test video comments API validator', function () {
})
})
it('Should fail with a private video of another user', async function () {
const fields = { text: 'super comment' }
await makePostBodyRequest({
url: server.url,
path: '/api/v1/videos/' + privateVideo.shortUUID + '/comment-threads',
token: userAccessToken,
fields,
expectedStatus: HttpStatusCode.FORBIDDEN_403
})
})
it('Should succeed with the correct parameters', async function () {
const fields = {
text: 'super comment'
}
const fields = { text: 'super comment' }
await makePostBodyRequest({
url: server.url,
path: pathThread,
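Review bot: The new `Should fail with a private video of another user` case here, and its siblings in the reply-comment hunk and the rate hunk of the videos validator suite, only pin the negative path with `userAccessToken`; nothing asserts that the uploader (`server.accessToken`) can still comment on or rate `privateVideo`, so a guard that rejected everyone would pass this suite unchanged. One positive case per file would close that gap, e.g. a post to `'/api/v1/videos/' + privateVideo.shortUUID + '/comment-threads'` with `token: server.accessToken` and `expectedStatus: HttpStatusCode.OK_200`. Where `privateVideo` and `privateCommentId` are created for the comments suite is outside these hunks; I assume that setup mirrors the `quickUpload` with `VideoPrivacy.PRIVATE` shown in the videos suite, which should be confirmed. The enclosing `describe` block starts and ends outside this hunk.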
@ -230,6 +244,7 @@ describe('Test video comments API validator', function () {
})
describe('When adding a comment to a thread', function () {
it('Should fail with a non authenticated user', async function () {
const fields = {
text: 'text'
@ -276,6 +291,18 @@ describe('Test video comments API validator', function () {
})
})
it('Should fail with a private video of another user', async function () {
const fields = { text: 'super comment' }
await makePostBodyRequest({
url: server.url,
path: '/api/v1/videos/' + privateVideo.uuid + '/comments/' + privateCommentId,
token: userAccessToken,
fields,
expectedStatus: HttpStatusCode.FORBIDDEN_403
})
})
it('Should fail with an incorrect comment', async function () {
const path = '/api/v1/videos/' + video.uuid + '/comments/124'
const fields = {
@ -28,6 +28,7 @@ describe('Test videos API validator', function () {
let channelId: number
let channelName: string
let video: VideoCreateResult
let privateVideo: VideoCreateResult
// ---------------------------------------------------------------
@ -49,6 +50,10 @@ describe('Test videos API validator', function () {
channelName = body.videoChannels[0].name
accountName = body.account.name + '@' + body.account.host
}
{
privateVideo = await server.videos.quickUpload({ name: 'private video', privacy: VideoPrivacy.PRIVATE })
}
})
describe('When listing videos', function () {
@ -783,6 +788,19 @@ describe('Test videos API validator', function () {
await makePutBodyRequest({ url: server.url, path: path + videoId + '/rate', token: server.accessToken, fields })
})
it('Should fail with a private video of another user', async function () {
const fields = {
rating: 'like'
}
await makePutBodyRequest({
url: server.url,
path: path + privateVideo.uuid + '/rate',
token: userAccessToken,
fields,
expectedStatus: HttpStatusCode.FORBIDDEN_403
})
})
it('Should succeed with the correct parameters', async function () {
const fields = {
rating: 'like'