Check video privacy when creating comments/rates
parent
fdd5da058a
commit
6ea9295b8f
|
@ -100,6 +100,14 @@ const addVideoCommentThreadValidator = [
|
||||||
|
|
||||||
if (areValidationErrors(req, res)) return
|
if (areValidationErrors(req, res)) return
|
||||||
if (!await doesVideoExist(req.params.videoId, res)) return
|
if (!await doesVideoExist(req.params.videoId, res)) return
|
||||||
|
|
||||||
|
if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.videoAll)) {
|
||||||
|
return res.fail({
|
||||||
|
status: HttpStatusCode.FORBIDDEN_403,
|
||||||
|
message: 'Cannot access to this ressource'
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
if (!isVideoCommentsEnabled(res.locals.videoAll, res)) return
|
if (!isVideoCommentsEnabled(res.locals.videoAll, res)) return
|
||||||
if (!await isVideoCommentAccepted(req, res, res.locals.videoAll, false)) return
|
if (!await isVideoCommentAccepted(req, res, res.locals.videoAll, false)) return
|
||||||
|
|
||||||
|
@ -119,6 +127,14 @@ const addVideoCommentReplyValidator = [
|
||||||
|
|
||||||
if (areValidationErrors(req, res)) return
|
if (areValidationErrors(req, res)) return
|
||||||
if (!await doesVideoExist(req.params.videoId, res)) return
|
if (!await doesVideoExist(req.params.videoId, res)) return
|
||||||
|
|
||||||
|
if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.videoAll)) {
|
||||||
|
return res.fail({
|
||||||
|
status: HttpStatusCode.FORBIDDEN_403,
|
||||||
|
message: 'Cannot access to this ressource'
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
if (!isVideoCommentsEnabled(res.locals.videoAll, res)) return
|
if (!isVideoCommentsEnabled(res.locals.videoAll, res)) return
|
||||||
if (!await doesVideoCommentExist(req.params.commentId, res.locals.videoAll, res)) return
|
if (!await doesVideoCommentExist(req.params.commentId, res.locals.videoAll, res)) return
|
||||||
if (!await isVideoCommentAccepted(req, res, res.locals.videoAll, true)) return
|
if (!await isVideoCommentAccepted(req, res, res.locals.videoAll, true)) return
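Review bot: The same eight-line guard is pasted into addVideoCommentThreadValidator and addVideoCommentReplyValidator here, and a third time into videoUpdateRateValidator in the rates validator, so the access check only protects routes whose author remembers to copy it. Folding the call and the 403 response into one shared helper next to checkCanSeeVideoIfPrivate would keep the status and message in one place and leave a single guard line per validator (the helper name below is only a suggestion). The message `'Cannot access to this ressource'` could be corrected to `'Cannot access this resource'` at the same time, unless clients already match on the existing wording. Both validator bodies start and end outside these hunks.

```typescript
// Proposed helper (name is a suggestion); takes the same parameters as checkCanSeeVideoIfPrivate
async function checkCanSeeVideoOrFail (...args: Parameters<typeof checkCanSeeVideoIfPrivate>) {
  if (await checkCanSeeVideoIfPrivate(...args)) return true

  // args[1] is the response object the validators pass as `res`
  args[1].fail({
    status: HttpStatusCode.FORBIDDEN_403,
    message: 'Cannot access to this ressource'
  })

  return false
}

// … unchanged: areValidationErrors / doesVideoExist checks …
if (!await checkCanSeeVideoOrFail(req, res, res.locals.videoAll)) return
// … unchanged: isVideoCommentsEnabled and the checks after it …
```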
|
||||||
|
|
|
@ -8,7 +8,7 @@ import { isRatingValid } from '../../../helpers/custom-validators/video-rates'
|
||||||
import { isVideoRatingTypeValid } from '../../../helpers/custom-validators/videos'
|
import { isVideoRatingTypeValid } from '../../../helpers/custom-validators/videos'
|
||||||
import { logger } from '../../../helpers/logger'
|
import { logger } from '../../../helpers/logger'
|
||||||
import { AccountVideoRateModel } from '../../../models/account/account-video-rate'
|
import { AccountVideoRateModel } from '../../../models/account/account-video-rate'
|
||||||
import { areValidationErrors, doesVideoExist, isValidVideoIdParam } from '../shared'
|
import { areValidationErrors, checkCanSeeVideoIfPrivate, doesVideoExist, isValidVideoIdParam } from '../shared'
|
||||||
|
|
||||||
const videoUpdateRateValidator = [
|
const videoUpdateRateValidator = [
|
||||||
isValidVideoIdParam('id'),
|
isValidVideoIdParam('id'),
|
||||||
|
@ -21,6 +21,13 @@ const videoUpdateRateValidator = [
|
||||||
if (areValidationErrors(req, res)) return
|
if (areValidationErrors(req, res)) return
|
||||||
if (!await doesVideoExist(req.params.id, res)) return
|
if (!await doesVideoExist(req.params.id, res)) return
|
||||||
|
|
||||||
|
if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.videoAll)) {
|
||||||
|
return res.fail({
|
||||||
|
status: HttpStatusCode.FORBIDDEN_403,
|
||||||
|
message: 'Cannot access to this ressource'
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
return next()
|
return next()
|
||||||
}
|
}
|
||||||
]
|
]
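Review bot: Returning FORBIDDEN_403 after doesVideoExist has already succeeded gives a caller a different answer for an existing private video than for an unknown id, assuming doesVideoExist responds with a not-found status (its body is not visible here). That confirms to any authenticated user that a private video exists under a given id, and the same applies to the two comment validators changed in this commit. If the disclosure is not intended, answer with the same status and message as the missing-video path; if it is intended, say so above the guard, for example `// 403 on purpose: we accept revealing that the video exists`. The opening lines of videoUpdateRateValidator's handler are outside the hunk.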
|
||||||
|
|
|
@ -19,10 +19,14 @@ const expect = chai.expect
|
||||||
describe('Test video comments API validator', function () {
|
describe('Test video comments API validator', function () {
|
||||||
let pathThread: string
|
let pathThread: string
|
||||||
let pathComment: string
|
let pathComment: string
|
||||||
|
|
||||||
let server: PeerTubeServer
|
let server: PeerTubeServer
|
||||||
|
|
||||||
let video: VideoCreateResult
|
let video: VideoCreateResult
|
||||||
|
|
||||||
let userAccessToken: string
|
let userAccessToken: string
|
||||||
let userAccessToken2: string
|
let userAccessToken2: string
|
||||||
|
|
||||||
let commentId: number
|
let commentId: number
|
||||||
let privateCommentId: number
|
let privateCommentId: number
|
||||||
let privateVideo: VideoCreateResult
|
let privateVideo: VideoCreateResult
|
||||||
|
@ -203,9 +207,8 @@ describe('Test video comments API validator', function () {
|
||||||
|
|
||||||
it('Should fail with an incorrect video', async function () {
|
it('Should fail with an incorrect video', async function () {
|
||||||
const path = '/api/v1/videos/ba708d62-e3d7-45d9-9d73-41b9097cc02d/comment-threads'
|
const path = '/api/v1/videos/ba708d62-e3d7-45d9-9d73-41b9097cc02d/comment-threads'
|
||||||
const fields = {
|
const fields = { text: 'super comment' }
|
||||||
text: 'super comment'
|
|
||||||
}
|
|
||||||
await makePostBodyRequest({
|
await makePostBodyRequest({
|
||||||
url: server.url,
|
url: server.url,
|
||||||
path,
|
path,
|
||||||
|
@ -215,10 +218,21 @@ describe('Test video comments API validator', function () {
|
||||||
})
|
})
|
||||||
})
|
})
|
||||||
|
|
||||||
|
it('Should fail with a private video of another user', async function () {
|
||||||
|
const fields = { text: 'super comment' }
|
||||||
|
|
||||||
|
await makePostBodyRequest({
|
||||||
|
url: server.url,
|
||||||
|
path: '/api/v1/videos/' + privateVideo.shortUUID + '/comment-threads',
|
||||||
|
token: userAccessToken,
|
||||||
|
fields,
|
||||||
|
expectedStatus: HttpStatusCode.FORBIDDEN_403
|
||||||
|
})
|
||||||
|
})
|
||||||
|
|
||||||
it('Should succeed with the correct parameters', async function () {
|
it('Should succeed with the correct parameters', async function () {
|
||||||
const fields = {
|
const fields = { text: 'super comment' }
|
||||||
text: 'super comment'
|
|
||||||
}
|
|
||||||
await makePostBodyRequest({
|
await makePostBodyRequest({
|
||||||
url: server.url,
|
url: server.url,
|
||||||
path: pathThread,
|
path: pathThread,
|
||||||
|
@ -230,6 +244,7 @@ describe('Test video comments API validator', function () {
|
||||||
})
|
})
|
||||||
|
|
||||||
describe('When adding a comment to a thread', function () {
|
describe('When adding a comment to a thread', function () {
|
||||||
|
|
||||||
it('Should fail with a non authenticated user', async function () {
|
it('Should fail with a non authenticated user', async function () {
|
||||||
const fields = {
|
const fields = {
|
||||||
text: 'text'
|
text: 'text'
|
||||||
|
@ -276,6 +291,18 @@ describe('Test video comments API validator', function () {
|
||||||
})
|
})
|
||||||
})
|
})
|
||||||
|
|
||||||
|
it('Should fail with a private video of another user', async function () {
|
||||||
|
const fields = { text: 'super comment' }
|
||||||
|
|
||||||
|
await makePostBodyRequest({
|
||||||
|
url: server.url,
|
||||||
|
path: '/api/v1/videos/' + privateVideo.uuid + '/comments/' + privateCommentId,
|
||||||
|
token: userAccessToken,
|
||||||
|
fields,
|
||||||
|
expectedStatus: HttpStatusCode.FORBIDDEN_403
|
||||||
|
})
|
||||||
|
})
|
||||||
|
|
||||||
it('Should fail with an incorrect comment', async function () {
|
it('Should fail with an incorrect comment', async function () {
|
||||||
const path = '/api/v1/videos/' + video.uuid + '/comments/124'
|
const path = '/api/v1/videos/' + video.uuid + '/comments/124'
|
||||||
const fields = {
|
const fields = {
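Review bot: The two added cases named 'Should fail with a private video of another user' (thread creation and reply) only pin the denial path, so a guard that rejected every private video, including the owner's, would still pass them. Add the mirror case on the same privateVideo path with the uploader's token, e.g. `token: server.accessToken` and `expectedStatus: HttpStatusCode.OK_200`, assuming privateVideo is uploaded with the server's own token as it is in the videos API validator spec. The new rate test in that spec needs the same owner-succeeds counterpart, with whatever success status the rate route returns. The reply case also depends on privateCommentId, whose setup is not in the hunks shown, so confirm that comment is created on privateVideo by its owner.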
|
||||||
|
|
|
@ -28,6 +28,7 @@ describe('Test videos API validator', function () {
|
||||||
let channelId: number
|
let channelId: number
|
||||||
let channelName: string
|
let channelName: string
|
||||||
let video: VideoCreateResult
|
let video: VideoCreateResult
|
||||||
|
let privateVideo: VideoCreateResult
|
||||||
|
|
||||||
// ---------------------------------------------------------------
|
// ---------------------------------------------------------------
|
||||||
|
|
||||||
|
@ -49,6 +50,10 @@ describe('Test videos API validator', function () {
|
||||||
channelName = body.videoChannels[0].name
|
channelName = body.videoChannels[0].name
|
||||||
accountName = body.account.name + '@' + body.account.host
|
accountName = body.account.name + '@' + body.account.host
|
||||||
}
|
}
|
||||||
|
|
||||||
|
{
|
||||||
|
privateVideo = await server.videos.quickUpload({ name: 'private video', privacy: VideoPrivacy.PRIVATE })
|
||||||
|
}
|
||||||
})
|
})
|
||||||
|
|
||||||
describe('When listing videos', function () {
|
describe('When listing videos', function () {
|
||||||
|
@ -783,6 +788,19 @@ describe('Test videos API validator', function () {
|
||||||
await makePutBodyRequest({ url: server.url, path: path + videoId + '/rate', token: server.accessToken, fields })
|
await makePutBodyRequest({ url: server.url, path: path + videoId + '/rate', token: server.accessToken, fields })
|
||||||
})
|
})
|
||||||
|
|
||||||
|
it('Should fail with a private video of another user', async function () {
|
||||||
|
const fields = {
|
||||||
|
rating: 'like'
|
||||||
|
}
|
||||||
|
await makePutBodyRequest({
|
||||||
|
url: server.url,
|
||||||
|
path: path + privateVideo.uuid + '/rate',
|
||||||
|
token: userAccessToken,
|
||||||
|
fields,
|
||||||
|
expectedStatus: HttpStatusCode.FORBIDDEN_403
|
||||||
|
})
|
||||||
|
})
|
||||||
|
|
||||||
it('Should succeed with the correct parameters', async function () {
|
it('Should succeed with the correct parameters', async function () {
|
||||||
const fields = {
|
const fields = {
|
||||||
rating: 'like'
|
rating: 'like'
|
||||||
|
|