Don't display comments of private/internal videos

2022-01-10 16:07:21 +01:00 · 2022-01-10 16:07:21 +01:00 · 84c8d98668
parent 795212f7ac
commit 84c8d98668
2 changed files with 84 additions and 2 deletions
--- a/server/middlewares/validators/videos/video-comments.ts
+++ b/server/middlewares/validators/videos/video-comments.ts
@ -9,7 +9,14 @@ import { logger } from '../../../helpers/logger'
 import { AcceptResult, isLocalVideoCommentReplyAccepted, isLocalVideoThreadAccepted } from '../../../lib/moderation'
 import { Hooks } from '../../../lib/plugins/hooks'
 import { MCommentOwnerVideoReply, MVideo, MVideoFullLight } from '../../../types/models/video'
-import { areValidationErrors, doesVideoCommentExist, doesVideoCommentThreadExist, doesVideoExist, isValidVideoIdParam } from '../shared'
+import {
+  areValidationErrors,
+  checkCanSeeVideoIfPrivate,
+  doesVideoCommentExist,
+  doesVideoCommentThreadExist,
+  doesVideoExist,
+  isValidVideoIdParam
+} from '../shared'

 const listVideoCommentsValidator = [
  query('isLocal')
@ -48,6 +55,13 @@ const listVideoCommentThreadsValidator = [
    if (areValidationErrors(req, res)) return
    if (!await doesVideoExist(req.params.videoId, res, 'only-video')) return

+    if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.onlyVideo)) {
+      return res.fail({
+        status: HttpStatusCode.FORBIDDEN_403,
+        message: 'Cannot list comments of private/internal/blocklisted video'
+      })
+    }
+
    return next()
  }
 ]
@ -65,6 +79,13 @@ const listVideoThreadCommentsValidator = [
    if (!await doesVideoExist(req.params.videoId, res, 'only-video')) return
    if (!await doesVideoCommentThreadExist(req.params.threadId, res.locals.onlyVideo, res)) return

+    if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.onlyVideo)) {
+      return res.fail({
+        status: HttpStatusCode.FORBIDDEN_403,
+        message: 'Cannot list threads of private/internal/blocklisted video'
+      })
+    }
+
    return next()
  }
 ]
--- a/server/tests/api/check-params/video-comments.ts
+++ b/server/tests/api/check-params/video-comments.ts
@ -14,7 +14,7 @@ import {
  PeerTubeServer,
  setAccessTokensToServers
 } from '@shared/extra-utils'
-import { HttpStatusCode, VideoCreateResult } from '@shared/models'
+import { HttpStatusCode, VideoCreateResult, VideoPrivacy } from '@shared/models'

 const expect = chai.expect

@ -26,6 +26,8 @@ describe('Test video comments API validator', function () {
  let userAccessToken: string
  let userAccessToken2: string
  let commentId: number
+  let privateCommentId: number
+  let privateVideo: VideoCreateResult

  // ---------------------------------------------------------------

@ -41,12 +43,21 @@ describe('Test video comments API validator', function () {
      pathThread = '/api/v1/videos/' + video.uuid + '/comment-threads'
    }

+    {
+      privateVideo = await server.videos.upload({ attributes: { privacy: VideoPrivacy.PRIVATE } })
+    }
+
    {
      const created = await server.comments.createThread({ videoId: video.uuid, text: 'coucou' })
      commentId = created.id
      pathComment = '/api/v1/videos/' + video.uuid + '/comments/' + commentId
    }

+    {
+      const created = await server.comments.createThread({ videoId: privateVideo.uuid, text: 'coucou' })
+      privateCommentId = created.id
+    }
+
    {
      const user = { username: 'user1', password: 'my super password' }
      await server.users.create({ username: user.username, password: user.password })
@ -80,6 +91,32 @@ describe('Test video comments API validator', function () {
        expectedStatus: HttpStatusCode.NOT_FOUND_404
      })
    })
+
+    it('Should fail with a private video without token', async function () {
+      await makeGetRequest({
+        url: server.url,
+        path: '/api/v1/videos/' + privateVideo.shortUUID + '/comment-threads',
+        expectedStatus: HttpStatusCode.UNAUTHORIZED_401
+      })
+    })
+
+    it('Should fail with another user token', async function () {
+      await makeGetRequest({
+        url: server.url,
+        token: userAccessToken,
+        path: '/api/v1/videos/' + privateVideo.shortUUID + '/comment-threads',
+        expectedStatus: HttpStatusCode.FORBIDDEN_403
+      })
+    })
+
+    it('Should succeed with the correct params', async function () {
+      await makeGetRequest({
+        url: server.url,
+        token: server.accessToken,
+        path: '/api/v1/videos/' + privateVideo.shortUUID + '/comment-threads',
+        expectedStatus: HttpStatusCode.OK_200
+      })
+    })
  })

  describe('When listing comments of a thread', function () {
@ -99,7 +136,31 @@ describe('Test video comments API validator', function () {
      })
    })

+    it('Should fail with a private video without token', async function () {
+      await makeGetRequest({
+        url: server.url,
+        path: '/api/v1/videos/' + privateVideo.shortUUID + '/comment-threads/' + privateCommentId,
+        expectedStatus: HttpStatusCode.UNAUTHORIZED_401
+      })
+    })
+
+    it('Should fail with another user token', async function () {
+      await makeGetRequest({
+        url: server.url,
+        token: userAccessToken,
+        path: '/api/v1/videos/' + privateVideo.shortUUID + '/comment-threads/' + privateCommentId,
+        expectedStatus: HttpStatusCode.FORBIDDEN_403
+      })
+    })
+
    it('Should success with the correct params', async function () {
+      await makeGetRequest({
+        url: server.url,
+        token: server.accessToken,
+        path: '/api/v1/videos/' + privateVideo.shortUUID + '/comment-threads/' + privateCommentId,
+        expectedStatus: HttpStatusCode.OK_200
+      })
+
      await makeGetRequest({
        url: server.url,
        path: '/api/v1/videos/' + video.shortUUID + '/comment-threads/' + commentId,