Don't leak unlisted videos in comments feed

2020-04-21 09:01:39 +02:00 · 2020-04-21 09:01:39 +02:00 · 68b6fd21b1
parent b3af2601da
commit 68b6fd21b1
3 changed files with 18 additions and 4 deletions
--- a/server/controllers/feeds.ts
+++ b/server/controllers/feeds.ts
@ -67,7 +67,7 @@ async function generateVideoCommentsFeed (req: express.Request, res: express.Res
  const feed = initFeed(name, description)

  // Adding video items to the feed, one at a time
-  comments.forEach(comment => {
+  for (const comment of comments) {
    const link = WEBSERVER.URL + comment.getCommentStaticPath()

    let title = comment.Video.name
@ -89,7 +89,7 @@ async function generateVideoCommentsFeed (req: express.Request, res: express.Res
      author,
      date: comment.createdAt
    })
-  })
+  }

  // Now the feed generation is done, let's send it!
  return sendFeed(feed, req, res)
--- a/server/models/video/video-comment.ts
+++ b/server/models/video/video-comment.ts
@ -27,6 +27,7 @@ import {
  MCommentOwnerVideoReply
 } from '../../typings/models/video'
 import { MUserAccountId } from '@server/typings/models'
+import { VideoPrivacy } from '@shared/models'

 enum ScopeNames {
  WITH_ACCOUNT = 'WITH_ACCOUNT',
@ -390,7 +391,10 @@ export class VideoCommentModel extends Model<VideoCommentModel> {
        {
          attributes: [ 'name', 'uuid' ],
          model: VideoModel.unscoped(),
-          required: true
+          required: true,
+          where: {
+            privacy: VideoPrivacy.PUBLIC
+          }
        }
      ]
    }
--- a/server/tests/feeds/feeds.ts
+++ b/server/tests/feeds/feeds.ts
@ -19,6 +19,7 @@ import * as libxmljs from 'libxmljs'
 import { addVideoCommentThread } from '../../../shared/extra-utils/videos/video-comments'
 import { waitJobs } from '../../../shared/extra-utils/server/jobs'
 import { User } from '../../../shared/models/users'
+import { VideoPrivacy } from '@shared/models'

 chai.use(require('chai-xml'))
 chai.use(require('chai-json-schema'))
@ -77,6 +78,14 @@ describe('Test syndication feeds', () => {
      await addVideoCommentThread(servers[0].url, servers[0].accessToken, videoId, 'super comment 2')
    }

+    {
+      const videoAttributes = { name: 'unlisted video', privacy: VideoPrivacy.UNLISTED }
+      const res = await uploadVideo(servers[0].url, servers[0].accessToken, videoAttributes)
+      const videoId = res.body.video.id
+
+      await addVideoCommentThread(servers[0].url, servers[0].accessToken, videoId, 'comment on unlisted video')
+    }
+
    await waitJobs(servers)
  })

@ -196,7 +205,8 @@ describe('Test syndication feeds', () => {
  })

  describe('Video comments feed', function () {
-    it('Should contain valid comments (covers JSON feed 1.0 endpoint)', async function () {
+
+    it('Should contain valid comments (covers JSON feed 1.0 endpoint) and not from unlisted videos', async function () {
      for (const server of servers) {
        const json = await getJSONfeed(server.url, 'video-comments')