Merge branch 'release/4.0.0' into develop

pull/4711/head
Chocobozzz 2022-01-10 16:17:46 +01:00
commit 3318147300
No known key found for this signature in database
GPG Key ID: 583A612D890159BE
2 changed files with 84 additions and 2 deletions

View File

@ -8,7 +8,14 @@ import { logger } from '../../../helpers/logger'
import { AcceptResult, isLocalVideoCommentReplyAccepted, isLocalVideoThreadAccepted } from '../../../lib/moderation'
import { Hooks } from '../../../lib/plugins/hooks'
import { MCommentOwnerVideoReply, MVideo, MVideoFullLight } from '../../../types/models/video'
import { areValidationErrors, doesVideoCommentExist, doesVideoCommentThreadExist, doesVideoExist, isValidVideoIdParam } from '../shared'
import {
areValidationErrors,
checkCanSeeVideoIfPrivate,
doesVideoCommentExist,
doesVideoCommentThreadExist,
doesVideoExist,
isValidVideoIdParam
} from '../shared'
const listVideoCommentsValidator = [
query('isLocal')
@ -47,6 +54,13 @@ const listVideoCommentThreadsValidator = [
if (areValidationErrors(req, res)) return
if (!await doesVideoExist(req.params.videoId, res, 'only-video')) return
if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.onlyVideo)) {
return res.fail({
status: HttpStatusCode.FORBIDDEN_403,
message: 'Cannot list comments of private/internal/blocklisted video'
})
}
return next()
}
]
@ -64,6 +78,13 @@ const listVideoThreadCommentsValidator = [
if (!await doesVideoExist(req.params.videoId, res, 'only-video')) return
if (!await doesVideoCommentThreadExist(req.params.threadId, res.locals.onlyVideo, res)) return
if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.onlyVideo)) {
return res.fail({
status: HttpStatusCode.FORBIDDEN_403,
message: 'Cannot list threads of private/internal/blocklisted video'
})
}
return next()
}
]

View File

@ -3,7 +3,7 @@
import 'mocha'
import * as chai from 'chai'
import { checkBadCountPagination, checkBadSortPagination, checkBadStartPagination } from '@server/tests/shared'
import { HttpStatusCode, VideoCreateResult } from '@shared/models'
import { HttpStatusCode, VideoCreateResult, VideoPrivacy } from '@shared/models'
import {
cleanupTests,
createSingleServer,
@ -24,6 +24,8 @@ describe('Test video comments API validator', function () {
let userAccessToken: string
let userAccessToken2: string
let commentId: number
let privateCommentId: number
let privateVideo: VideoCreateResult
// ---------------------------------------------------------------
@ -39,12 +41,21 @@ describe('Test video comments API validator', function () {
pathThread = '/api/v1/videos/' + video.uuid + '/comment-threads'
}
{
privateVideo = await server.videos.upload({ attributes: { privacy: VideoPrivacy.PRIVATE } })
}
{
const created = await server.comments.createThread({ videoId: video.uuid, text: 'coucou' })
commentId = created.id
pathComment = '/api/v1/videos/' + video.uuid + '/comments/' + commentId
}
{
const created = await server.comments.createThread({ videoId: privateVideo.uuid, text: 'coucou' })
privateCommentId = created.id
}
{
const user = { username: 'user1', password: 'my super password' }
await server.users.create({ username: user.username, password: user.password })
@ -78,6 +89,32 @@ describe('Test video comments API validator', function () {
expectedStatus: HttpStatusCode.NOT_FOUND_404
})
})
it('Should fail with a private video without token', async function () {
await makeGetRequest({
url: server.url,
path: '/api/v1/videos/' + privateVideo.shortUUID + '/comment-threads',
expectedStatus: HttpStatusCode.UNAUTHORIZED_401
})
})
it('Should fail with another user token', async function () {
await makeGetRequest({
url: server.url,
token: userAccessToken,
path: '/api/v1/videos/' + privateVideo.shortUUID + '/comment-threads',
expectedStatus: HttpStatusCode.FORBIDDEN_403
})
})
it('Should succeed with the correct params', async function () {
await makeGetRequest({
url: server.url,
token: server.accessToken,
path: '/api/v1/videos/' + privateVideo.shortUUID + '/comment-threads',
expectedStatus: HttpStatusCode.OK_200
})
})
})
describe('When listing comments of a thread', function () {
@ -97,7 +134,31 @@ describe('Test video comments API validator', function () {
})
})
it('Should fail with a private video without token', async function () {
await makeGetRequest({
url: server.url,
path: '/api/v1/videos/' + privateVideo.shortUUID + '/comment-threads/' + privateCommentId,
expectedStatus: HttpStatusCode.UNAUTHORIZED_401
})
})
it('Should fail with another user token', async function () {
await makeGetRequest({
url: server.url,
token: userAccessToken,
path: '/api/v1/videos/' + privateVideo.shortUUID + '/comment-threads/' + privateCommentId,
expectedStatus: HttpStatusCode.FORBIDDEN_403
})
})
it('Should success with the correct params', async function () {
await makeGetRequest({
url: server.url,
token: server.accessToken,
path: '/api/v1/videos/' + privateVideo.shortUUID + '/comment-threads/' + privateCommentId,
expectedStatus: HttpStatusCode.OK_200
})
await makeGetRequest({
url: server.url,
path: '/api/v1/videos/' + video.shortUUID + '/comment-threads/' + commentId,