Merge branch 'release/4.0.0' into develop
This commit is contained in:
commit
c3edc5b074
8 changed files with 132 additions and 22 deletions
|
@ -49,7 +49,7 @@ export {
|
|||
// ---------------------------------------------------------------------------
|
||||
|
||||
async function listVideoCaptions (req: express.Request, res: express.Response) {
|
||||
const data = await VideoCaptionModel.listVideoCaptions(res.locals.videoId.id)
|
||||
const data = await VideoCaptionModel.listVideoCaptions(res.locals.onlyVideo.id)
|
||||
|
||||
return res.json(getFormattedObjects(data, data.length))
|
||||
}
|
||||
|
|
|
@ -10,13 +10,15 @@ import {
|
|||
ensureUserHasRight,
|
||||
videoFileMetadataGetValidator,
|
||||
videoFilesDeleteHLSValidator,
|
||||
videoFilesDeleteWebTorrentValidator
|
||||
videoFilesDeleteWebTorrentValidator,
|
||||
videosGetValidator
|
||||
} from '../../../middlewares'
|
||||
|
||||
const lTags = loggerTagsFactory('api', 'video')
|
||||
const filesRouter = express.Router()
|
||||
|
||||
filesRouter.get('/:id/metadata/:videoFileId',
|
||||
asyncMiddleware(videosGetValidator),
|
||||
asyncMiddleware(videoFileMetadataGetValidator),
|
||||
asyncMiddleware(getVideoFileMetadata)
|
||||
)
|
||||
|
|
|
@ -1,16 +1,20 @@
|
|||
import { Response } from 'express'
|
||||
import { Request, Response } from 'express'
|
||||
import { loadVideo, VideoLoadType } from '@server/lib/model-loaders'
|
||||
import { authenticatePromiseIfNeeded } from '@server/middlewares/auth'
|
||||
import { VideoModel } from '@server/models/video/video'
|
||||
import { VideoChannelModel } from '@server/models/video/video-channel'
|
||||
import { VideoFileModel } from '@server/models/video/video-file'
|
||||
import {
|
||||
MUser,
|
||||
MUserAccountId,
|
||||
MVideo,
|
||||
MVideoAccountLight,
|
||||
MVideoFormattableDetails,
|
||||
MVideoFullLight,
|
||||
MVideoId,
|
||||
MVideoImmutable,
|
||||
MVideoThumbnail
|
||||
MVideoThumbnail,
|
||||
MVideoWithRights
|
||||
} from '@server/types/models'
|
||||
import { HttpStatusCode, UserRight } from '@shared/models'
|
||||
|
||||
|
@ -89,6 +93,27 @@ async function doesVideoChannelOfAccountExist (channelId: number, user: MUserAcc
|
|||
return true
|
||||
}
|
||||
|
||||
async function checkCanSeeVideoIfPrivate (req: Request, res: Response, video: MVideo, authenticateInQuery = false) {
|
||||
if (!video.requiresAuth()) return true
|
||||
|
||||
const videoWithRights = await VideoModel.loadAndPopulateAccountAndServerAndTags(video.id)
|
||||
|
||||
return checkCanSeePrivateVideo(req, res, videoWithRights, authenticateInQuery)
|
||||
}
|
||||
|
||||
async function checkCanSeePrivateVideo (req: Request, res: Response, video: MVideoWithRights, authenticateInQuery = false) {
|
||||
await authenticatePromiseIfNeeded(req, res, authenticateInQuery)
|
||||
|
||||
const user = res.locals.oauth ? res.locals.oauth.token.User : null
|
||||
|
||||
// Only the owner or a user that have blocklist rights can see the video
|
||||
if (!user || !user.canGetVideo(video)) {
|
||||
return false
|
||||
}
|
||||
|
||||
return true
|
||||
}
|
||||
|
||||
function checkUserCanManageVideo (user: MUser, video: MVideoAccountLight, right: UserRight, res: Response, onlyOwned = true) {
|
||||
// Retrieve the user who did the request
|
||||
if (onlyOwned && video.isOwned() === false) {
|
||||
|
@ -120,5 +145,7 @@ export {
|
|||
doesVideoChannelOfAccountExist,
|
||||
doesVideoExist,
|
||||
doesVideoFileOfVideoExist,
|
||||
checkUserCanManageVideo
|
||||
checkUserCanManageVideo,
|
||||
checkCanSeeVideoIfPrivate,
|
||||
checkCanSeePrivateVideo
|
||||
}
|
||||
|
|
|
@ -1,11 +1,18 @@
|
|||
import express from 'express'
|
||||
import { body, param } from 'express-validator'
|
||||
import { UserRight } from '@shared/models'
|
||||
import { HttpStatusCode, UserRight } from '@shared/models'
|
||||
import { isVideoCaptionFile, isVideoCaptionLanguageValid } from '../../../helpers/custom-validators/video-captions'
|
||||
import { cleanUpReqFiles } from '../../../helpers/express-utils'
|
||||
import { logger } from '../../../helpers/logger'
|
||||
import { CONSTRAINTS_FIELDS, MIMETYPES } from '../../../initializers/constants'
|
||||
import { areValidationErrors, checkUserCanManageVideo, doesVideoCaptionExist, doesVideoExist, isValidVideoIdParam } from '../shared'
|
||||
import {
|
||||
areValidationErrors,
|
||||
checkCanSeeVideoIfPrivate,
|
||||
checkUserCanManageVideo,
|
||||
doesVideoCaptionExist,
|
||||
doesVideoExist,
|
||||
isValidVideoIdParam
|
||||
} from '../shared'
|
||||
|
||||
const addVideoCaptionValidator = [
|
||||
isValidVideoIdParam('videoId'),
|
||||
|
@ -64,7 +71,16 @@ const listVideoCaptionsValidator = [
|
|||
logger.debug('Checking listVideoCaptions parameters', { parameters: req.params })
|
||||
|
||||
if (areValidationErrors(req, res)) return
|
||||
if (!await doesVideoExist(req.params.videoId, res, 'id')) return
|
||||
if (!await doesVideoExist(req.params.videoId, res, 'only-video')) return
|
||||
|
||||
const video = res.locals.onlyVideo
|
||||
|
||||
if (!await checkCanSeeVideoIfPrivate(req, res, video)) {
|
||||
return res.fail({
|
||||
status: HttpStatusCode.FORBIDDEN_403,
|
||||
message: 'Cannot list captions of private/internal/blocklisted video'
|
||||
})
|
||||
}
|
||||
|
||||
return next()
|
||||
}
|
||||
|
|
|
@ -13,6 +13,7 @@ import { CONFIG } from '../../../initializers/config'
|
|||
import { CONSTRAINTS_FIELDS } from '../../../initializers/constants'
|
||||
import { areValidationErrors, doesVideoChannelOfAccountExist } from '../shared'
|
||||
import { getCommonVideoEditAttributes } from './videos'
|
||||
import { isValid as isIPValid, parse as parseIP } from 'ipaddr.js'
|
||||
|
||||
const videoImportAddValidator = getCommonVideoEditAttributes().concat([
|
||||
body('channelId')
|
||||
|
@ -71,6 +72,23 @@ const videoImportAddValidator = getCommonVideoEditAttributes().concat([
|
|||
return res.fail({ message: 'Should have a magnetUri or a targetUrl or a torrent file.' })
|
||||
}
|
||||
|
||||
if (req.body.targetUrl) {
|
||||
const hostname = new URL(req.body.targetUrl).hostname
|
||||
|
||||
if (isIPValid(hostname)) {
|
||||
const parsed = parseIP(hostname)
|
||||
|
||||
if (parsed.range() !== 'unicast') {
|
||||
cleanUpReqFiles(req)
|
||||
|
||||
return res.fail({
|
||||
status: HttpStatusCode.FORBIDDEN_403,
|
||||
message: 'Cannot use non unicast IP as targetUrl.'
|
||||
})
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (!await isImportAccepted(req, res)) return cleanUpReqFiles(req)
|
||||
|
||||
return next()
|
||||
|
|
|
@ -49,9 +49,9 @@ import { CONSTRAINTS_FIELDS, OVERVIEWS } from '../../../initializers/constants'
|
|||
import { isLocalVideoAccepted } from '../../../lib/moderation'
|
||||
import { Hooks } from '../../../lib/plugins/hooks'
|
||||
import { VideoModel } from '../../../models/video/video'
|
||||
import { authenticatePromiseIfNeeded } from '../../auth'
|
||||
import {
|
||||
areValidationErrors,
|
||||
checkCanSeePrivateVideo,
|
||||
checkUserCanManageVideo,
|
||||
doesVideoChannelOfAccountExist,
|
||||
doesVideoExist,
|
||||
|
@ -315,21 +315,14 @@ const videosCustomGetValidator = (
|
|||
|
||||
// Video private or blacklisted
|
||||
if (video.requiresAuth()) {
|
||||
await authenticatePromiseIfNeeded(req, res, authenticateInQuery)
|
||||
if (await checkCanSeePrivateVideo(req, res, video, authenticateInQuery)) return next()
|
||||
|
||||
const user = res.locals.oauth ? res.locals.oauth.token.User : null
|
||||
|
||||
// Only the owner or a user that have blocklist rights can see the video
|
||||
if (!user || !user.canGetVideo(video)) {
|
||||
return res.fail({
|
||||
status: HttpStatusCode.FORBIDDEN_403,
|
||||
message: 'Cannot get this private/internal or blocklisted video'
|
||||
})
|
||||
}
|
||||
|
||||
return next()
|
||||
}
|
||||
|
||||
// Video is public, anyone can access it
|
||||
if (video.privacy === VideoPrivacy.PUBLIC) return next()
|
||||
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
|
||||
import 'mocha'
|
||||
import { buildAbsoluteFixturePath } from '@shared/core-utils'
|
||||
import { HttpStatusCode, VideoCreateResult } from '@shared/models'
|
||||
import { HttpStatusCode, VideoCreateResult, VideoPrivacy } from '@shared/models'
|
||||
import {
|
||||
cleanupTests,
|
||||
createSingleServer,
|
||||
|
@ -19,6 +19,7 @@ describe('Test video captions API validator', function () {
|
|||
let server: PeerTubeServer
|
||||
let userAccessToken: string
|
||||
let video: VideoCreateResult
|
||||
let privateVideo: VideoCreateResult
|
||||
|
||||
// ---------------------------------------------------------------
|
||||
|
||||
|
@ -30,6 +31,7 @@ describe('Test video captions API validator', function () {
|
|||
await setAccessTokensToServers([ server ])
|
||||
|
||||
video = await server.videos.upload()
|
||||
privateVideo = await server.videos.upload({ attributes: { privacy: VideoPrivacy.PRIVATE } })
|
||||
|
||||
{
|
||||
const user = {
|
||||
|
@ -204,8 +206,32 @@ describe('Test video captions API validator', function () {
|
|||
})
|
||||
})
|
||||
|
||||
it('Should fail with a private video without token', async function () {
|
||||
await makeGetRequest({
|
||||
url: server.url,
|
||||
path: path + privateVideo.shortUUID + '/captions',
|
||||
expectedStatus: HttpStatusCode.UNAUTHORIZED_401
|
||||
})
|
||||
})
|
||||
|
||||
it('Should fail with another user token', async function () {
|
||||
await makeGetRequest({
|
||||
url: server.url,
|
||||
token: userAccessToken,
|
||||
path: path + privateVideo.shortUUID + '/captions',
|
||||
expectedStatus: HttpStatusCode.FORBIDDEN_403
|
||||
})
|
||||
})
|
||||
|
||||
it('Should success with the correct parameters', async function () {
|
||||
await makeGetRequest({ url: server.url, path: path + video.shortUUID + '/captions', expectedStatus: HttpStatusCode.OK_200 })
|
||||
|
||||
await makeGetRequest({
|
||||
url: server.url,
|
||||
path: path + privateVideo.shortUUID + '/captions',
|
||||
token: server.accessToken,
|
||||
expectedStatus: HttpStatusCode.OK_200
|
||||
})
|
||||
})
|
||||
})
|
||||
|
||||
|
|
|
@ -105,6 +105,34 @@ describe('Test video imports API validator', function () {
|
|||
await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields })
|
||||
})
|
||||
|
||||
it('Should fail with localhost', async function () {
|
||||
const fields = { ...baseCorrectParams, targetUrl: 'http://localhost:8000' }
|
||||
|
||||
await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields })
|
||||
})
|
||||
|
||||
it('Should fail with a private IP target urls', async function () {
|
||||
const targetUrls = [
|
||||
'http://127.0.0.1:8000',
|
||||
'http://127.0.0.1',
|
||||
'http://127.0.0.1/hello',
|
||||
'https://192.168.1.42',
|
||||
'http://192.168.1.42'
|
||||
]
|
||||
|
||||
for (const targetUrl of targetUrls) {
|
||||
const fields = { ...baseCorrectParams, targetUrl }
|
||||
|
||||
await makePostBodyRequest({
|
||||
url: server.url,
|
||||
path,
|
||||
token: server.accessToken,
|
||||
fields,
|
||||
expectedStatus: HttpStatusCode.FORBIDDEN_403
|
||||
})
|
||||
}
|
||||
})
|
||||
|
||||
it('Should fail with a long name', async function () {
|
||||
const fields = { ...baseCorrectParams, name: 'super'.repeat(65) }
|
||||
|
||||
|
|
Loading…
Reference in a new issue