From 6ea9295b8f5dd7cc254202a79aad61c666cc4259 Mon Sep 17 00:00:00 2001
From: Chocobozzz <me@florianbigard.com>
Date: Tue, 22 Feb 2022 14:16:34 +0100
Subject: [PATCH] Check video privacy when creating comments/rates

---
 .../validators/videos/video-comments.ts       | 16 ++++++++
 .../validators/videos/video-rates.ts          |  9 ++++-
 .../tests/api/check-params/video-comments.ts  | 39 ++++++++++++++++---
 server/tests/api/check-params/videos.ts       | 18 +++++++++
 4 files changed, 75 insertions(+), 7 deletions(-)

diff --git a/server/middlewares/validators/videos/video-comments.ts b/server/middlewares/validators/videos/video-comments.ts
index 91ae31ec23a..91e85711d3b 100644
--- a/server/middlewares/validators/videos/video-comments.ts
+++ b/server/middlewares/validators/videos/video-comments.ts
@@ -100,6 +100,14 @@ const addVideoCommentThreadValidator = [
 
     if (areValidationErrors(req, res)) return
     if (!await doesVideoExist(req.params.videoId, res)) return
+
+    if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.videoAll)) {
+      return res.fail({
+        status: HttpStatusCode.FORBIDDEN_403,
+        message: 'Cannot access to this ressource'
+      })
+    }
+
     if (!isVideoCommentsEnabled(res.locals.videoAll, res)) return
     if (!await isVideoCommentAccepted(req, res, res.locals.videoAll, false)) return
 
@@ -119,6 +127,14 @@ const addVideoCommentReplyValidator = [
 
     if (areValidationErrors(req, res)) return
     if (!await doesVideoExist(req.params.videoId, res)) return
+
+    if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.videoAll)) {
+      return res.fail({
+        status: HttpStatusCode.FORBIDDEN_403,
+        message: 'Cannot access to this ressource'
+      })
+    }
+
     if (!isVideoCommentsEnabled(res.locals.videoAll, res)) return
     if (!await doesVideoCommentExist(req.params.commentId, res.locals.videoAll, res)) return
     if (!await isVideoCommentAccepted(req, res, res.locals.videoAll, true)) return
diff --git a/server/middlewares/validators/videos/video-rates.ts b/server/middlewares/validators/videos/video-rates.ts
index 6e0bb0ad1e4..923bf3eaf9f 100644
--- a/server/middlewares/validators/videos/video-rates.ts
+++ b/server/middlewares/validators/videos/video-rates.ts
@@ -8,7 +8,7 @@ import { isRatingValid } from '../../../helpers/custom-validators/video-rates'
 import { isVideoRatingTypeValid } from '../../../helpers/custom-validators/videos'
 import { logger } from '../../../helpers/logger'
 import { AccountVideoRateModel } from '../../../models/account/account-video-rate'
-import { areValidationErrors, doesVideoExist, isValidVideoIdParam } from '../shared'
+import { areValidationErrors, checkCanSeeVideoIfPrivate, doesVideoExist, isValidVideoIdParam } from '../shared'
 
 const videoUpdateRateValidator = [
   isValidVideoIdParam('id'),
@@ -21,6 +21,13 @@ const videoUpdateRateValidator = [
     if (areValidationErrors(req, res)) return
     if (!await doesVideoExist(req.params.id, res)) return
 
+    if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.videoAll)) {
+      return res.fail({
+        status: HttpStatusCode.FORBIDDEN_403,
+        message: 'Cannot access to this ressource'
+      })
+    }
+
     return next()
   }
 ]
diff --git a/server/tests/api/check-params/video-comments.ts b/server/tests/api/check-params/video-comments.ts
index 829f3c8b12f..624d657d3d7 100644
--- a/server/tests/api/check-params/video-comments.ts
+++ b/server/tests/api/check-params/video-comments.ts
@@ -19,10 +19,14 @@ const expect = chai.expect
 describe('Test video comments API validator', function () {
   let pathThread: string
   let pathComment: string
+
   let server: PeerTubeServer
+
   let video: VideoCreateResult
+
   let userAccessToken: string
   let userAccessToken2: string
+
   let commentId: number
   let privateCommentId: number
   let privateVideo: VideoCreateResult
@@ -203,9 +207,8 @@ describe('Test video comments API validator', function () {
 
     it('Should fail with an incorrect video', async function () {
       const path = '/api/v1/videos/ba708d62-e3d7-45d9-9d73-41b9097cc02d/comment-threads'
-      const fields = {
-        text: 'super comment'
-      }
+      const fields = { text: 'super comment' }
+
       await makePostBodyRequest({
         url: server.url,
         path,
@@ -215,10 +218,21 @@ describe('Test video comments API validator', function () {
       })
     })
 
+    it('Should fail with a private video of another user', async function () {
+      const fields = { text: 'super comment' }
+
+      await makePostBodyRequest({
+        url: server.url,
+        path: '/api/v1/videos/' + privateVideo.shortUUID + '/comment-threads',
+        token: userAccessToken,
+        fields,
+        expectedStatus: HttpStatusCode.FORBIDDEN_403
+      })
+    })
+
     it('Should succeed with the correct parameters', async function () {
-      const fields = {
-        text: 'super comment'
-      }
+      const fields = { text: 'super comment' }
+
       await makePostBodyRequest({
         url: server.url,
         path: pathThread,
@@ -230,6 +244,7 @@ describe('Test video comments API validator', function () {
   })
 
   describe('When adding a comment to a thread', function () {
+
     it('Should fail with a non authenticated user', async function () {
       const fields = {
         text: 'text'
@@ -276,6 +291,18 @@ describe('Test video comments API validator', function () {
       })
     })
 
+    it('Should fail with a private video of another user', async function () {
+      const fields = { text: 'super comment' }
+
+      await makePostBodyRequest({
+        url: server.url,
+        path: '/api/v1/videos/' + privateVideo.uuid + '/comments/' + privateCommentId,
+        token: userAccessToken,
+        fields,
+        expectedStatus: HttpStatusCode.FORBIDDEN_403
+      })
+    })
+
     it('Should fail with an incorrect comment', async function () {
       const path = '/api/v1/videos/' + video.uuid + '/comments/124'
       const fields = {
diff --git a/server/tests/api/check-params/videos.ts b/server/tests/api/check-params/videos.ts
index 4cc70f5cc46..41064d2ffdc 100644
--- a/server/tests/api/check-params/videos.ts
+++ b/server/tests/api/check-params/videos.ts
@@ -28,6 +28,7 @@ describe('Test videos API validator', function () {
   let channelId: number
   let channelName: string
   let video: VideoCreateResult
+  let privateVideo: VideoCreateResult
 
   // ---------------------------------------------------------------
 
@@ -49,6 +50,10 @@ describe('Test videos API validator', function () {
       channelName = body.videoChannels[0].name
       accountName = body.account.name + '@' + body.account.host
     }
+
+    {
+      privateVideo = await server.videos.quickUpload({ name: 'private video', privacy: VideoPrivacy.PRIVATE })
+    }
   })
 
   describe('When listing videos', function () {
@@ -783,6 +788,19 @@ describe('Test videos API validator', function () {
       await makePutBodyRequest({ url: server.url, path: path + videoId + '/rate', token: server.accessToken, fields })
     })
 
+    it('Should fail with a private video of another user', async function () {
+      const fields = {
+        rating: 'like'
+      }
+      await makePutBodyRequest({
+        url: server.url,
+        path: path + privateVideo.uuid + '/rate',
+        token: userAccessToken,
+        fields,
+        expectedStatus: HttpStatusCode.FORBIDDEN_403
+      })
+    })
+
     it('Should succeed with the correct parameters', async function () {
       const fields = {
         rating: 'like'