interesting
/
PeerTube
mirror of https://github.com/Chocobozzz/PeerTube.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Fix video right check

This commit is contained in:
Chocobozzz 2022-06-22 14:03:50 +02:00
parent ff9d43f62a
commit 2c2befaaca
No known key found for this signature in database
GPG Key ID: 583A612D890159BE
4 changed files with 12 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
server/middlewares/auth.ts
View File

@ -47,7 +47,7 @@ function authenticateSocket (socket: Socket, next: (err?: any) => void) {
.catch(err => logger.error('Cannot get access token.', { err })) .catch(err => logger.error('Cannot get access token.', { err }))
} }
function authenticatePromiseIfNeeded (req: express.Request, res: express.Response, authenticateInQuery = false) { function authenticatePromise (req: express.Request, res: express.Response, authenticateInQuery = false) {
return new Promise<void>(resolve => { return new Promise<void>(resolve => {
// Already authenticated? (or tried to) // Already authenticated? (or tried to)
if (res.locals.oauth?.token.User) return resolve() if (res.locals.oauth?.token.User) return resolve()
@ -76,6 +76,6 @@ function optionalAuthenticate (req: express.Request, res: express.Response, next
export { export {
authenticate, authenticate,
authenticateSocket, authenticateSocket,
authenticatePromiseIfNeeded, authenticatePromise,
optionalAuthenticate optionalAuthenticate
} }

13
server/middlewares/validators/shared/videos.ts
View File

@ -2,7 +2,7 @@ import { Request, Response } from 'express'
import { isUUIDValid } from '@server/helpers/custom-validators/misc' import { isUUIDValid } from '@server/helpers/custom-validators/misc'
import { loadVideo, VideoLoadType } from '@server/lib/model-loaders' import { loadVideo, VideoLoadType } from '@server/lib/model-loaders'
import { isAbleToUploadVideo } from '@server/lib/user' import { isAbleToUploadVideo } from '@server/lib/user'
import { authenticatePromiseIfNeeded } from '@server/middlewares/auth' import { authenticatePromise } from '@server/middlewares/auth'
import { VideoModel } from '@server/models/video/video' import { VideoModel } from '@server/models/video/video'
import { VideoChannelModel } from '@server/models/video/video-channel' import { VideoChannelModel } from '@server/models/video/video-channel'
import { VideoFileModel } from '@server/models/video/video-file' import { VideoFileModel } from '@server/models/video/video-file'
@ -137,7 +137,7 @@ async function checkCanSeeAuthVideo (req: Request, res: Response, video: MVideoI
return false return false
} }
await authenticatePromiseIfNeeded(req, res, authenticateInQuery) await authenticatePromise(req, res, authenticateInQuery)
const user = res.locals.oauth?.token.User const user = res.locals.oauth?.token.User
if (!user) return fail() if (!user) return fail()
@ -154,14 +154,15 @@ async function checkCanSeeAuthVideo (req: Request, res: Response, video: MVideoI
} }
const isOwnedByUser = videoWithRights.VideoChannel.Account.userId === user.id const isOwnedByUser = videoWithRights.VideoChannel.Account.userId === user.id
if (privacy === VideoPrivacy.PRIVATE || privacy === VideoPrivacy.UNLISTED) {
if (isOwnedByUser && user.hasRight(UserRight.SEE_ALL_VIDEOS)) return true if (videoWithRights.isBlacklisted()) {
if (isOwnedByUser || user.hasRight(UserRight.MANAGE_VIDEO_BLACKLIST)) return true
return fail() return fail()
} }
if (videoWithRights.isBlacklisted()) { if (privacy === VideoPrivacy.PRIVATE || privacy === VideoPrivacy.UNLISTED) {
if (isOwnedByUser || user.hasRight(UserRight.MANAGE_VIDEO_BLACKLIST)) return true if (isOwnedByUser || user.hasRight(UserRight.SEE_ALL_VIDEOS)) return true
return fail() return fail()
} }

4
server/middlewares/validators/videos/video-playlists.ts
View File

@ -33,7 +33,7 @@ import { logger } from '../../../helpers/logger'
import { CONSTRAINTS_FIELDS } from '../../../initializers/constants' import { CONSTRAINTS_FIELDS } from '../../../initializers/constants'
import { VideoPlaylistElementModel } from '../../../models/video/video-playlist-element' import { VideoPlaylistElementModel } from '../../../models/video/video-playlist-element'
import { MVideoPlaylist } from '../../../types/models/video/video-playlist' import { MVideoPlaylist } from '../../../types/models/video/video-playlist'
import { authenticatePromiseIfNeeded } from '../../auth' import { authenticatePromise } from '../../auth'
import { import {
areValidationErrors, areValidationErrors,
doesVideoChannelIdExist, doesVideoChannelIdExist,
@ -161,7 +161,7 @@ const videoPlaylistsGetValidator = (fetchType: VideoPlaylistFetchType) => {
} }
if (videoPlaylist.privacy === VideoPlaylistPrivacy.PRIVATE) { if (videoPlaylist.privacy === VideoPlaylistPrivacy.PRIVATE) {
await authenticatePromiseIfNeeded(req, res) await authenticatePromise(req, res)
const user = res.locals.oauth ? res.locals.oauth.token.User : null const user = res.locals.oauth ? res.locals.oauth.token.User : null

2
server/tests/api/videos/video-privacy.ts
View File

@ -162,7 +162,7 @@ describe('Test video privacy', function () {
}) })
it('Should not be able to get this unlisted video using its id', async function () { it('Should not be able to get this unlisted video using its id', async function () {
await servers[1].videos.get({ id: unlistedVideo.id, expectedStatus: HttpStatusCode.NOT_FOUND_404 }) await servers[1].videos.get({ id: unlistedVideo.id, expectedStatus: HttpStatusCode.UNAUTHORIZED_401 })
}) })
it('Should be able to get this unlisted video using its uuid/shortUUID', async function () { it('Should be able to get this unlisted video using its uuid/shortUUID', async function () {