Check video privacy when creating comments/rates

pull/4813/head
Chocobozzz 2022-02-22 14:16:34 +01:00
parent fdd5da058a
commit 6ea9295b8f
No known key found for this signature in database
GPG Key ID: 583A612D890159BE
4 changed files with 75 additions and 7 deletions


@ -100,6 +100,14 @@ const addVideoCommentThreadValidator = [
if (areValidationErrors(req, res)) return
if (!await doesVideoExist(req.params.videoId, res)) return
if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.videoAll)) {
return res.fail({
status: HttpStatusCode.FORBIDDEN_403,
message: 'Cannot access to this ressource'
})
}
if (!isVideoCommentsEnabled(res.locals.videoAll, res)) return
if (!await isVideoCommentAccepted(req, res, res.locals.videoAll, false)) return
@ -119,6 +127,14 @@ const addVideoCommentReplyValidator = [
if (areValidationErrors(req, res)) return
if (!await doesVideoExist(req.params.videoId, res)) return
if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.videoAll)) {
return res.fail({
status: HttpStatusCode.FORBIDDEN_403,
message: 'Cannot access to this ressource'
})
}
if (!isVideoCommentsEnabled(res.locals.videoAll, res)) return
if (!await doesVideoCommentExist(req.params.commentId, res.locals.videoAll, res)) return
if (!await isVideoCommentAccepted(req, res, res.locals.videoAll, true)) return
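Review bot: The six-line `if (!await checkCanSeeVideoIfPrivate(...)) { return res.fail({ status: HttpStatusCode.FORBIDDEN_403, message: ... }) }` block is pasted verbatim into both hunks here (thread validator and reply validator) and a third time into the rate validator in the next file; a single helper next to `checkCanSeeVideoIfPrivate` in `'../shared'` that performs the check and sends the 403 itself would keep the status and message consistent across the three call sites. The new user-facing message misspells "resource" and reads awkwardly; `message: 'Cannot access this resource'` is the intended text. Because the check runs after `doesVideoExist`, a request for another user's private video now answers 403 where an unknown id presumably answers 404 (not visible here), which lets a caller holding an id tell "exists but private" from "does not exist"; that is acceptable only while video ids remain unguessable UUIDs, so a short comment on the check recording that the ordering is deliberate would stop a later reordering from silently widening the disclosure. Both validator arrays start and end outside the hunks.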


@ -8,7 +8,7 @@ import { isRatingValid } from '../../../helpers/custom-validators/video-rates'
import { isVideoRatingTypeValid } from '../../../helpers/custom-validators/videos'
import { logger } from '../../../helpers/logger'
import { AccountVideoRateModel } from '../../../models/account/account-video-rate'
import { areValidationErrors, doesVideoExist, isValidVideoIdParam } from '../shared'
import { areValidationErrors, checkCanSeeVideoIfPrivate, doesVideoExist, isValidVideoIdParam } from '../shared'
const videoUpdateRateValidator = [
isValidVideoIdParam('id'),
@ -21,6 +21,13 @@ const videoUpdateRateValidator = [
if (areValidationErrors(req, res)) return
if (!await doesVideoExist(req.params.id, res)) return
if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.videoAll)) {
return res.fail({
status: HttpStatusCode.FORBIDDEN_403,
message: 'Cannot access to this ressource'
})
}
return next()
}
]
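Review bot: The new block in `videoUpdateRateValidator` references `HttpStatusCode`, but the only import change in this file (L43 to L44) adds `checkCanSeeVideoIfPrivate` to the `'../shared'` import; unless `HttpStatusCode` is already imported in the first seven lines of the file, which are outside the visible hunk, the file will not compile, so this is worth confirming before merge. The check-plus-`res.fail` block is the same six lines used twice in the comment validators, so the shared-helper suggestion made there applies here as well. The validator's opening lines are outside the hunk.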


@ -19,10 +19,14 @@ const expect = chai.expect
describe('Test video comments API validator', function () {
let pathThread: string
let pathComment: string
let server: PeerTubeServer
let video: VideoCreateResult
let userAccessToken: string
let userAccessToken2: string
let commentId: number
let privateCommentId: number
let privateVideo: VideoCreateResult
@ -203,9 +207,8 @@ describe('Test video comments API validator', function () {
it('Should fail with an incorrect video', async function () {
const path = '/api/v1/videos/ba708d62-e3d7-45d9-9d73-41b9097cc02d/comment-threads'
const fields = {
text: 'super comment'
}
const fields = { text: 'super comment' }
await makePostBodyRequest({
url: server.url,
path,
@ -215,10 +218,21 @@ describe('Test video comments API validator', function () {
})
})
it('Should fail with a private video of another user', async function () {
const fields = { text: 'super comment' }
await makePostBodyRequest({
url: server.url,
path: '/api/v1/videos/' + privateVideo.shortUUID + '/comment-threads',
token: userAccessToken,
fields,
expectedStatus: HttpStatusCode.FORBIDDEN_403
})
})
it('Should succeed with the correct parameters', async function () {
const fields = {
text: 'super comment'
}
const fields = { text: 'super comment' }
await makePostBodyRequest({
url: server.url,
path: pathThread,
@ -230,6 +244,7 @@ describe('Test video comments API validator', function () {
})
describe('When adding a comment to a thread', function () {
it('Should fail with a non authenticated user', async function () {
const fields = {
text: 'text'
@ -276,6 +291,18 @@ describe('Test video comments API validator', function () {
})
})
it('Should fail with a private video of another user', async function () {
const fields = { text: 'super comment' }
await makePostBodyRequest({
url: server.url,
path: '/api/v1/videos/' + privateVideo.uuid + '/comments/' + privateCommentId,
token: userAccessToken,
fields,
expectedStatus: HttpStatusCode.FORBIDDEN_403
})
})
it('Should fail with an incorrect comment', async function () {
const path = '/api/v1/videos/' + video.uuid + '/comments/124'
const fields = {
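Review bot: Both new tests cover only the negative path (`userAccessToken` against `privateVideo`, expecting `HttpStatusCode.FORBIDDEN_403`); there is no companion case asserting that the uploader's own token can still open a thread and reply on its private video, so an over-strict `checkCanSeeVideoIfPrivate` would pass this suite unnoticed, and one success case per describe block posting with `server.accessToken` would pin both sides of the rule. `privateVideo` and `privateCommentId` are declared at L71-L72 but the before-hook that assigns them is not in any visible hunk; since the privacy check in the validator runs before `doesVideoCommentExist`, the reply test at L117 would report 403 even if `privateCommentId` did not belong to `privateVideo`, so confirm the fixture wires them together. The thread test uses `privateVideo.shortUUID` while the reply test uses `privateVideo.uuid`; if covering both id formats is intentional, a one-line comment saying so would save the next reader from treating it as an inconsistency.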


@ -28,6 +28,7 @@ describe('Test videos API validator', function () {
let channelId: number
let channelName: string
let video: VideoCreateResult
let privateVideo: VideoCreateResult
// ---------------------------------------------------------------
@ -49,6 +50,10 @@ describe('Test videos API validator', function () {
channelName = body.videoChannels[0].name
accountName = body.account.name + '@' + body.account.host
}
{
privateVideo = await server.videos.quickUpload({ name: 'private video', privacy: VideoPrivacy.PRIVATE })
}
})
describe('When listing videos', function () {
@ -783,6 +788,19 @@ describe('Test videos API validator', function () {
await makePutBodyRequest({ url: server.url, path: path + videoId + '/rate', token: server.accessToken, fields })
})
it('Should fail with a private video of another user', async function () {
const fields = {
rating: 'like'
}
await makePutBodyRequest({
url: server.url,
path: path + privateVideo.uuid + '/rate',
token: userAccessToken,
fields,
expectedStatus: HttpStatusCode.FORBIDDEN_403
})
})
it('Should succeed with the correct parameters', async function () {
const fields = {
rating: 'like'
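Review bot: The new `fields` literal at L148-L150 is spread over three lines while this same commit collapses identical literals to one-liners in the comments validator test (`const fields = { text: 'super comment' }`); `const fields = { rating: 'like' }` would match the style the commit otherwise introduces. `VideoPrivacy.PRIVATE` at L140 needs `VideoPrivacy` in scope and its import is not part of any visible hunk, so confirm the file already imports it. As with the comments tests, a positive case where the uploader rates its own private video would guard against the new check rejecting the owner. The `before` hook enclosing L139-L141 starts outside the hunk.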