From 6ea9295b8f5dd7cc254202a79aad61c666cc4259 Mon Sep 17 00:00:00 2001 From: Chocobozzz Date: Tue, 22 Feb 2022 14:16:34 +0100 Subject: [PATCH] Check video privacy when creating comments/rates --- .../validators/videos/video-comments.ts | 16 ++++++++ .../validators/videos/video-rates.ts | 9 ++++- .../tests/api/check-params/video-comments.ts | 39 ++++++++++++++++--- server/tests/api/check-params/videos.ts | 18 +++++++++ 4 files changed, 75 insertions(+), 7 deletions(-) diff --git a/server/middlewares/validators/videos/video-comments.ts b/server/middlewares/validators/videos/video-comments.ts index 91ae31ec2..91e85711d 100644 --- a/server/middlewares/validators/videos/video-comments.ts +++ b/server/middlewares/validators/videos/video-comments.ts @@ -100,6 +100,14 @@ const addVideoCommentThreadValidator = [ if (areValidationErrors(req, res)) return if (!await doesVideoExist(req.params.videoId, res)) return + + if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.videoAll)) { + return res.fail({ + status: HttpStatusCode.FORBIDDEN_403, + message: 'Cannot access to this ressource' + }) + } + if (!isVideoCommentsEnabled(res.locals.videoAll, res)) return if (!await isVideoCommentAccepted(req, res, res.locals.videoAll, false)) return @@ -119,6 +127,14 @@ const addVideoCommentReplyValidator = [ if (areValidationErrors(req, res)) return if (!await doesVideoExist(req.params.videoId, res)) return + + if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.videoAll)) { + return res.fail({ + status: HttpStatusCode.FORBIDDEN_403, + message: 'Cannot access to this ressource' + }) + } + if (!isVideoCommentsEnabled(res.locals.videoAll, res)) return if (!await doesVideoCommentExist(req.params.commentId, res.locals.videoAll, res)) return if (!await isVideoCommentAccepted(req, res, res.locals.videoAll, true)) return diff --git a/server/middlewares/validators/videos/video-rates.ts b/server/middlewares/validators/videos/video-rates.ts index 6e0bb0ad1..923bf3eaf 100644 --- a/server/middlewares/validators/videos/video-rates.ts +++ b/server/middlewares/validators/videos/video-rates.ts @@ -8,7 +8,7 @@ import { isRatingValid } from '../../../helpers/custom-validators/video-rates' import { isVideoRatingTypeValid } from '../../../helpers/custom-validators/videos' import { logger } from '../../../helpers/logger' import { AccountVideoRateModel } from '../../../models/account/account-video-rate' -import { areValidationErrors, doesVideoExist, isValidVideoIdParam } from '../shared' +import { areValidationErrors, checkCanSeeVideoIfPrivate, doesVideoExist, isValidVideoIdParam } from '../shared' const videoUpdateRateValidator = [ isValidVideoIdParam('id'), @@ -21,6 +21,13 @@ const videoUpdateRateValidator = [ if (areValidationErrors(req, res)) return if (!await doesVideoExist(req.params.id, res)) return + if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.videoAll)) { + return res.fail({ + status: HttpStatusCode.FORBIDDEN_403, + message: 'Cannot access to this ressource' + }) + } + return next() } ] diff --git a/server/tests/api/check-params/video-comments.ts b/server/tests/api/check-params/video-comments.ts index 829f3c8b1..624d657d3 100644 --- a/server/tests/api/check-params/video-comments.ts +++ b/server/tests/api/check-params/video-comments.ts @@ -19,10 +19,14 @@ const expect = chai.expect describe('Test video comments API validator', function () { let pathThread: string let pathComment: string + let server: PeerTubeServer + let video: VideoCreateResult + let userAccessToken: string let userAccessToken2: string + let commentId: number let privateCommentId: number let privateVideo: VideoCreateResult @@ -203,9 +207,8 @@ describe('Test video comments API validator', function () { it('Should fail with an incorrect video', async function () { const path = '/api/v1/videos/ba708d62-e3d7-45d9-9d73-41b9097cc02d/comment-threads' - const fields = { - text: 'super comment' - } + const fields = { text: 'super comment' } + await makePostBodyRequest({ url: server.url, path, @@ -215,10 +218,21 @@ describe('Test video comments API validator', function () { }) }) + it('Should fail with a private video of another user', async function () { + const fields = { text: 'super comment' } + + await makePostBodyRequest({ + url: server.url, + path: '/api/v1/videos/' + privateVideo.shortUUID + '/comment-threads', + token: userAccessToken, + fields, + expectedStatus: HttpStatusCode.FORBIDDEN_403 + }) + }) + it('Should succeed with the correct parameters', async function () { - const fields = { - text: 'super comment' - } + const fields = { text: 'super comment' } + await makePostBodyRequest({ url: server.url, path: pathThread, @@ -230,6 +244,7 @@ describe('Test video comments API validator', function () { }) describe('When adding a comment to a thread', function () { + it('Should fail with a non authenticated user', async function () { const fields = { text: 'text' @@ -276,6 +291,18 @@ describe('Test video comments API validator', function () { }) }) + it('Should fail with a private video of another user', async function () { + const fields = { text: 'super comment' } + + await makePostBodyRequest({ + url: server.url, + path: '/api/v1/videos/' + privateVideo.uuid + '/comments/' + privateCommentId, + token: userAccessToken, + fields, + expectedStatus: HttpStatusCode.FORBIDDEN_403 + }) + }) + it('Should fail with an incorrect comment', async function () { const path = '/api/v1/videos/' + video.uuid + '/comments/124' const fields = { diff --git a/server/tests/api/check-params/videos.ts b/server/tests/api/check-params/videos.ts index 4cc70f5cc..41064d2ff 100644 --- a/server/tests/api/check-params/videos.ts +++ b/server/tests/api/check-params/videos.ts @@ -28,6 +28,7 @@ describe('Test videos API validator', function () { let channelId: number let channelName: string let video: VideoCreateResult + let privateVideo: VideoCreateResult // --------------------------------------------------------------- @@ -49,6 +50,10 @@ describe('Test videos API validator', function () { channelName = body.videoChannels[0].name accountName = body.account.name + '@' + body.account.host } + + { + privateVideo = await server.videos.quickUpload({ name: 'private video', privacy: VideoPrivacy.PRIVATE }) + } }) describe('When listing videos', function () { @@ -783,6 +788,19 @@ describe('Test videos API validator', function () { await makePutBodyRequest({ url: server.url, path: path + videoId + '/rate', token: server.accessToken, fields }) }) + it('Should fail with a private video of another user', async function () { + const fields = { + rating: 'like' + } + await makePutBodyRequest({ + url: server.url, + path: path + privateVideo.uuid + '/rate', + token: userAccessToken, + fields, + expectedStatus: HttpStatusCode.FORBIDDEN_403 + }) + }) + it('Should succeed with the correct parameters', async function () { const fields = { rating: 'like'