From 84c8d9866890f479faf0168c29be5eb7816ccc8e Mon Sep 17 00:00:00 2001 From: Chocobozzz Date: Mon, 10 Jan 2022 16:07:21 +0100 Subject: [PATCH] Don't display comments of private/internal videos --- .../validators/videos/video-comments.ts | 23 ++++++- .../tests/api/check-params/video-comments.ts | 63 ++++++++++++++++++- 2 files changed, 84 insertions(+), 2 deletions(-) diff --git a/server/middlewares/validators/videos/video-comments.ts b/server/middlewares/validators/videos/video-comments.ts index 3ea8bdcbb..04e7b6973 100644 --- a/server/middlewares/validators/videos/video-comments.ts +++ b/server/middlewares/validators/videos/video-comments.ts @@ -9,7 +9,14 @@ import { logger } from '../../../helpers/logger' import { AcceptResult, isLocalVideoCommentReplyAccepted, isLocalVideoThreadAccepted } from '../../../lib/moderation' import { Hooks } from '../../../lib/plugins/hooks' import { MCommentOwnerVideoReply, MVideo, MVideoFullLight } from '../../../types/models/video' -import { areValidationErrors, doesVideoCommentExist, doesVideoCommentThreadExist, doesVideoExist, isValidVideoIdParam } from '../shared' +import { + areValidationErrors, + checkCanSeeVideoIfPrivate, + doesVideoCommentExist, + doesVideoCommentThreadExist, + doesVideoExist, + isValidVideoIdParam +} from '../shared' const listVideoCommentsValidator = [ query('isLocal') @@ -48,6 +55,13 @@ const listVideoCommentThreadsValidator = [ if (areValidationErrors(req, res)) return if (!await doesVideoExist(req.params.videoId, res, 'only-video')) return + if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.onlyVideo)) { + return res.fail({ + status: HttpStatusCode.FORBIDDEN_403, + message: 'Cannot list comments of private/internal/blocklisted video' + }) + } + return next() } ] @@ -65,6 +79,13 @@ const listVideoThreadCommentsValidator = [ if (!await doesVideoExist(req.params.videoId, res, 'only-video')) return if (!await doesVideoCommentThreadExist(req.params.threadId, res.locals.onlyVideo, res)) return + if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.onlyVideo)) { + return res.fail({ + status: HttpStatusCode.FORBIDDEN_403, + message: 'Cannot list threads of private/internal/blocklisted video' + }) + } + return next() } ] diff --git a/server/tests/api/check-params/video-comments.ts b/server/tests/api/check-params/video-comments.ts index 2d9ee1e0d..8d63fe70c 100644 --- a/server/tests/api/check-params/video-comments.ts +++ b/server/tests/api/check-params/video-comments.ts @@ -14,7 +14,7 @@ import { PeerTubeServer, setAccessTokensToServers } from '@shared/extra-utils' -import { HttpStatusCode, VideoCreateResult } from '@shared/models' +import { HttpStatusCode, VideoCreateResult, VideoPrivacy } from '@shared/models' const expect = chai.expect @@ -26,6 +26,8 @@ describe('Test video comments API validator', function () { let userAccessToken: string let userAccessToken2: string let commentId: number + let privateCommentId: number + let privateVideo: VideoCreateResult // --------------------------------------------------------------- @@ -41,12 +43,21 @@ describe('Test video comments API validator', function () { pathThread = '/api/v1/videos/' + video.uuid + '/comment-threads' } + { + privateVideo = await server.videos.upload({ attributes: { privacy: VideoPrivacy.PRIVATE } }) + } + { const created = await server.comments.createThread({ videoId: video.uuid, text: 'coucou' }) commentId = created.id pathComment = '/api/v1/videos/' + video.uuid + '/comments/' + commentId } + { + const created = await server.comments.createThread({ videoId: privateVideo.uuid, text: 'coucou' }) + privateCommentId = created.id + } + { const user = { username: 'user1', password: 'my super password' } await server.users.create({ username: user.username, password: user.password }) @@ -80,6 +91,32 @@ describe('Test video comments API validator', function () { expectedStatus: HttpStatusCode.NOT_FOUND_404 }) }) + + it('Should fail with a private video without token', async function () { + await makeGetRequest({ + url: server.url, + path: '/api/v1/videos/' + privateVideo.shortUUID + '/comment-threads', + expectedStatus: HttpStatusCode.UNAUTHORIZED_401 + }) + }) + + it('Should fail with another user token', async function () { + await makeGetRequest({ + url: server.url, + token: userAccessToken, + path: '/api/v1/videos/' + privateVideo.shortUUID + '/comment-threads', + expectedStatus: HttpStatusCode.FORBIDDEN_403 + }) + }) + + it('Should succeed with the correct params', async function () { + await makeGetRequest({ + url: server.url, + token: server.accessToken, + path: '/api/v1/videos/' + privateVideo.shortUUID + '/comment-threads', + expectedStatus: HttpStatusCode.OK_200 + }) + }) }) describe('When listing comments of a thread', function () { @@ -99,7 +136,31 @@ describe('Test video comments API validator', function () { }) }) + it('Should fail with a private video without token', async function () { + await makeGetRequest({ + url: server.url, + path: '/api/v1/videos/' + privateVideo.shortUUID + '/comment-threads/' + privateCommentId, + expectedStatus: HttpStatusCode.UNAUTHORIZED_401 + }) + }) + + it('Should fail with another user token', async function () { + await makeGetRequest({ + url: server.url, + token: userAccessToken, + path: '/api/v1/videos/' + privateVideo.shortUUID + '/comment-threads/' + privateCommentId, + expectedStatus: HttpStatusCode.FORBIDDEN_403 + }) + }) + it('Should success with the correct params', async function () { + await makeGetRequest({ + url: server.url, + token: server.accessToken, + path: '/api/v1/videos/' + privateVideo.shortUUID + '/comment-threads/' + privateCommentId, + expectedStatus: HttpStatusCode.OK_200 + }) + await makeGetRequest({ url: server.url, path: '/api/v1/videos/' + video.shortUUID + '/comment-threads/' + commentId,