Check channel sync id is owned by channel

server/middlewares/validators/videos/video-channels.ts

@@ -166,6 +166,13 @@ export const videoChannelImportVideosValidator = [
 
     if (body.videoChannelSyncId && !await doesVideoChannelSyncIdExist(body.videoChannelSyncId, res)) return
 
+    if (res.locals.videoChannelSync && res.locals.videoChannelSync.videoChannelId !== res.locals.videoChannel.id) {
+      return res.fail({
+        status: HttpStatusCode.FORBIDDEN_403,
+        message: 'This channel sync is not owned by this channel'
+      })
+    }
+
     return next()
   }
 ]

server/tests/api/check-params/channel-import-videos.ts

@@ -17,22 +17,27 @@ describe('Test videos import in a channel API validator', function () {
   const userInfo = {
     accessToken: '',
     channelName: 'fake_channel',
+    channelId: -1,
     id: -1,
     videoQuota: -1,
-    videoQuotaDaily: -1
+    videoQuotaDaily: -1,
+    channelSyncId: -1
   }
   let command: ChannelsCommand
 
   // ---------------------------------------------------------------
 
   before(async function () {
-    this.timeout(30000)
+    this.timeout(120000)
 
     server = await createSingleServer(1)
 
     await setAccessTokensToServers([ server ])
     await setDefaultVideoChannel([ server ])
 
+    await server.config.enableImports()
+    await server.config.enableChannelSync()
+
     const userCreds = {
       username: 'fake',
       password: 'fake_password'
@@ -42,12 +47,27 @@ describe('Test videos import in a channel API validator', function () {
       const user = await server.users.create({ username: userCreds.username, password: userCreds.password })
       userInfo.id = user.id
       userInfo.accessToken = await server.login.getAccessToken(userCreds)
+
+      const info = await server.users.getMyInfo({ token: userInfo.accessToken })
+      userInfo.channelId = info.videoChannels[0].id
+    }
+
+    {
+      const { videoChannelSync } = await server.channelSyncs.create({
+        token: userInfo.accessToken,
+        attributes: {
+          externalChannelUrl: FIXTURE_URLS.youtubeChannel,
+          videoChannelId: userInfo.channelId
+        }
+      })
+      userInfo.channelSyncId = videoChannelSync.id
     }
 
     command = server.channels
   })
 
   it('Should fail when HTTP upload is disabled', async function () {
+    await server.config.disableChannelSync()
     await server.config.disableImports()
 
     await command.importVideos({
@@ -98,6 +118,16 @@ describe('Test videos import in a channel API validator', function () {
     })
   })
 
+  it('Should fail with a sync id of another channel', async function () {
+    await command.importVideos({
+      channelName: server.store.channel.name,
+      externalChannelUrl: FIXTURE_URLS.youtubeChannel,
+      videoChannelSyncId: userInfo.channelSyncId,
+      token: server.accessToken,
+      expectedStatus: HttpStatusCode.FORBIDDEN_403
+    })
+  })
+
   it('Should fail with no authentication', async function () {
     await command.importVideos({
       channelName: server.store.channel.name,