interesting
/
PeerTube
mirror of https://github.com/Chocobozzz/PeerTube.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Don't leak unlisted videos in comments feed

This commit is contained in:
Chocobozzz 2020-04-21 09:01:39 +02:00
parent b3af2601da
commit 68b6fd21b1
No known key found for this signature in database
GPG Key ID: 583A612D890159BE
3 changed files with 18 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
server/controllers/feeds.ts
View File

@ -67,7 +67,7 @@ async function generateVideoCommentsFeed (req: express.Request, res: express.Res
const feed = initFeed(name, description) const feed = initFeed(name, description)
// Adding video items to the feed, one at a time // Adding video items to the feed, one at a time
comments.forEach(comment => { for (const comment of comments) {
const link = WEBSERVER.URL + comment.getCommentStaticPath() const link = WEBSERVER.URL + comment.getCommentStaticPath()
let title = comment.Video.name let title = comment.Video.name
@ -89,7 +89,7 @@ async function generateVideoCommentsFeed (req: express.Request, res: express.Res
author, author,
date: comment.createdAt date: comment.createdAt
}) })
}) }
// Now the feed generation is done, let's send it! // Now the feed generation is done, let's send it!
return sendFeed(feed, req, res) return sendFeed(feed, req, res)

6
server/models/video/video-comment.ts
View File

@ -27,6 +27,7 @@ import {
MCommentOwnerVideoReply MCommentOwnerVideoReply
} from '../../typings/models/video' } from '../../typings/models/video'
import { MUserAccountId } from '@server/typings/models' import { MUserAccountId } from '@server/typings/models'
import { VideoPrivacy } from '@shared/models'
enum ScopeNames { enum ScopeNames {
WITH_ACCOUNT = 'WITH_ACCOUNT', WITH_ACCOUNT = 'WITH_ACCOUNT',
@ -390,7 +391,10 @@ export class VideoCommentModel extends Model<VideoCommentModel> {
{ {
attributes: [ 'name', 'uuid' ], attributes: [ 'name', 'uuid' ],
model: VideoModel.unscoped(), model: VideoModel.unscoped(),
required: true required: true,
where: {
privacy: VideoPrivacy.PUBLIC
}
} }
] ]
} }

12
server/tests/feeds/feeds.ts
View File

@ -19,6 +19,7 @@ import * as libxmljs from 'libxmljs'
import { addVideoCommentThread } from '../../../shared/extra-utils/videos/video-comments' import { addVideoCommentThread } from '../../../shared/extra-utils/videos/video-comments'
import { waitJobs } from '../../../shared/extra-utils/server/jobs' import { waitJobs } from '../../../shared/extra-utils/server/jobs'
import { User } from '../../../shared/models/users' import { User } from '../../../shared/models/users'
import { VideoPrivacy } from '@shared/models'
chai.use(require('chai-xml')) chai.use(require('chai-xml'))
chai.use(require('chai-json-schema')) chai.use(require('chai-json-schema'))
@ -77,6 +78,14 @@ describe('Test syndication feeds', () => {
await addVideoCommentThread(servers[0].url, servers[0].accessToken, videoId, 'super comment 2') await addVideoCommentThread(servers[0].url, servers[0].accessToken, videoId, 'super comment 2')
} }
{
const videoAttributes = { name: 'unlisted video', privacy: VideoPrivacy.UNLISTED }
const res = await uploadVideo(servers[0].url, servers[0].accessToken, videoAttributes)
const videoId = res.body.video.id
await addVideoCommentThread(servers[0].url, servers[0].accessToken, videoId, 'comment on unlisted video')
}
await waitJobs(servers) await waitJobs(servers)
}) })
@ -196,7 +205,8 @@ describe('Test syndication feeds', () => {
}) })
describe('Video comments feed', function () { describe('Video comments feed', function () {
it('Should contain valid comments (covers JSON feed 1.0 endpoint)', async function () {
it('Should contain valid comments (covers JSON feed 1.0 endpoint) and not from unlisted videos', async function () {
for (const server of servers) { for (const server of servers) {
const json = await getJSONfeed(server.url, 'video-comments') const json = await getJSONfeed(server.url, 'video-comments')