
Check video privacy when creating comments/rates
Chocobozzz committed Feb 22, 2022
1 parent fdd5da0 commit 6ea9295
Showing 4 changed files with 75 additions and 7 deletions.
16 changes: 16 additions & 0 deletions server/middlewares/validators/videos/video-comments.ts
Expand Up @@ -100,6 +100,14 @@ const addVideoCommentThreadValidator = [

if (areValidationErrors(req, res)) return
if (!await doesVideoExist(req.params.videoId, res)) return

if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.videoAll)) {
return res.fail({
status: HttpStatusCode.FORBIDDEN_403,
message: 'Cannot access to this ressource'
})
}

if (!isVideoCommentsEnabled(res.locals.videoAll, res)) return
if (!await isVideoCommentAccepted(req, res, res.locals.videoAll, false)) return

Expand All @@ -119,6 +127,14 @@ const addVideoCommentReplyValidator = [

if (areValidationErrors(req, res)) return
if (!await doesVideoExist(req.params.videoId, res)) return

if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.videoAll)) {
return res.fail({
status: HttpStatusCode.FORBIDDEN_403,
message: 'Cannot access to this ressource'
})
}

if (!isVideoCommentsEnabled(res.locals.videoAll, res)) return
if (!await doesVideoCommentExist(req.params.commentId, res.locals.videoAll, res)) return
if (!await isVideoCommentAccepted(req, res, res.locals.videoAll, true)) return
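Review bot: The new guard answers 403 for a private video the caller is not allowed to see, while the preceding `doesVideoExist` check presumably answers 404 for an unknown id, so the two status codes let any authenticated user confirm that a given UUID exists as a private video. Whether that is acceptable depends on what the GET video route already returns for the same case; if it hides private videos behind a 404, these validators should do the same for consistency, e.g. `status: HttpStatusCode.NOT_FOUND_404`. The user-facing message also misspells "resource" (`message: 'Cannot access to this resource'`), though the same string may already be used elsewhere in the project and should then be fixed in one place. The validator callbacks that contain these checks begin above the hunk.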
9 changes: 8 additions & 1 deletion server/middlewares/validators/videos/video-rates.ts
Expand Up @@ -8,7 +8,7 @@ import { isRatingValid } from '../../../helpers/custom-validators/video-rates'
import { isVideoRatingTypeValid } from '../../../helpers/custom-validators/videos'
import { logger } from '../../../helpers/logger'
import { AccountVideoRateModel } from '../../../models/account/account-video-rate'
import { areValidationErrors, doesVideoExist, isValidVideoIdParam } from '../shared'
import { areValidationErrors, checkCanSeeVideoIfPrivate, doesVideoExist, isValidVideoIdParam } from '../shared'

const videoUpdateRateValidator = [
isValidVideoIdParam('id'),
Expand All @@ -21,6 +21,13 @@ const videoUpdateRateValidator = [
if (areValidationErrors(req, res)) return
if (!await doesVideoExist(req.params.id, res)) return

if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.videoAll)) {
return res.fail({
status: HttpStatusCode.FORBIDDEN_403,
message: 'Cannot access to this ressource'
})
}

return next()
}
]
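Review bot: Each new call site hand-builds the same `res.fail({ status: HttpStatusCode.FORBIDDEN_403, message: 'Cannot access to this ressource' })` block, which departs from the convention the surrounding checks follow: `doesVideoExist` and the other shared validators reply themselves and the caller only writes `if (!await check(...)) return`. A small wrapper in `../shared` that performs the reply (for example `checkCanSeeVideoIfPrivateOrFail`) would keep these validators to one line and keep the status code and message in a single place. If `checkCanSeeVideoIfPrivate` can itself have written a response before returning false (say from an authentication step), the caller's `res.fail` would write to the response twice; that depends on the helper's body, which is not shown here. The enclosing `videoUpdateRateValidator` handler begins above the hunk.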
39 changes: 33 additions & 6 deletions server/tests/api/check-params/video-comments.ts
Expand Up @@ -19,10 +19,14 @@ const expect = chai.expect
describe('Test video comments API validator', function () {
let pathThread: string
let pathComment: string

let server: PeerTubeServer

let video: VideoCreateResult

let userAccessToken: string
let userAccessToken2: string

let commentId: number
let privateCommentId: number
let privateVideo: VideoCreateResult
Expand Down Expand Up @@ -203,9 +207,8 @@ describe('Test video comments API validator', function () {

it('Should fail with an incorrect video', async function () {
const path = '/api/v1/videos/ba708d62-e3d7-45d9-9d73-41b9097cc02d/comment-threads'
const fields = {
text: 'super comment'
}
const fields = { text: 'super comment' }

await makePostBodyRequest({
url: server.url,
path,
Expand All @@ -215,10 +218,21 @@ describe('Test video comments API validator', function () {
})
})

it('Should fail with a private video of another user', async function () {
const fields = { text: 'super comment' }

await makePostBodyRequest({
url: server.url,
path: '/api/v1/videos/' + privateVideo.shortUUID + '/comment-threads',
token: userAccessToken,
fields,
expectedStatus: HttpStatusCode.FORBIDDEN_403
})
})

it('Should succeed with the correct parameters', async function () {
const fields = {
text: 'super comment'
}
const fields = { text: 'super comment' }

await makePostBodyRequest({
url: server.url,
path: pathThread,
Expand All @@ -230,6 +244,7 @@ describe('Test video comments API validator', function () {
})

describe('When adding a comment to a thread', function () {

it('Should fail with a non authenticated user', async function () {
const fields = {
text: 'text'
Expand Down Expand Up @@ -276,6 +291,18 @@ describe('Test video comments API validator', function () {
})
})

it('Should fail with a private video of another user', async function () {
const fields = { text: 'super comment' }

await makePostBodyRequest({
url: server.url,
path: '/api/v1/videos/' + privateVideo.uuid + '/comments/' + privateCommentId,
token: userAccessToken,
fields,
expectedStatus: HttpStatusCode.FORBIDDEN_403
})
})

it('Should fail with an incorrect comment', async function () {
const path = '/api/v1/videos/' + video.uuid + '/comments/124'
const fields = {
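Review bot: Both new tests cover only the negative case; nothing asserts that the uploader of `privateVideo` (or any user allowed to see it) can still open a thread or reply on it, so a guard that rejected every private video would pass this suite unchanged. Add a positive counterpart next to each, using the owning token against the same `privateVideo` paths and expecting the success status the public-video test uses, e.g. `token: server.accessToken` in place of `token: userAccessToken`. The upload of `privateVideo` and the creation of `privateCommentId` happen outside the hunk, presumably in the `before` hook, so confirm which token owns them before choosing it. The newly declared `userAccessToken2` is not used in the visible lines; if it is unused elsewhere in the file, drop it.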
18 changes: 18 additions & 0 deletions server/tests/api/check-params/videos.ts
Expand Up @@ -28,6 +28,7 @@ describe('Test videos API validator', function () {
let channelId: number
let channelName: string
let video: VideoCreateResult
let privateVideo: VideoCreateResult

// ---------------------------------------------------------------

Expand All @@ -49,6 +50,10 @@ describe('Test videos API validator', function () {
channelName = body.videoChannels[0].name
accountName = body.account.name + '@' + body.account.host
}

{
privateVideo = await server.videos.quickUpload({ name: 'private video', privacy: VideoPrivacy.PRIVATE })
}
})

describe('When listing videos', function () {
Expand Down Expand Up @@ -783,6 +788,19 @@ describe('Test videos API validator', function () {
await makePutBodyRequest({ url: server.url, path: path + videoId + '/rate', token: server.accessToken, fields })
})

it('Should fail with a private video of another user', async function () {
const fields = {
rating: 'like'
}
await makePutBodyRequest({
url: server.url,
path: path + privateVideo.uuid + '/rate',
token: userAccessToken,
fields,
expectedStatus: HttpStatusCode.FORBIDDEN_403
})
})

it('Should succeed with the correct parameters', async function () {
const fields = {
rating: 'like'
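Review bot: The new rate test checks only that a non-owner is rejected; there is no assertion that the uploader of `privateVideo` can still rate it, so an over-strict guard would go unnoticed by this suite. A sibling test sending `token: server.accessToken` to `path + privateVideo.uuid + '/rate'` and expecting success would pin the intended behaviour, since `privateVideo` is uploaded with `server.videos.quickUpload` in the setup shown here. The `before` hook that creates `userAccessToken` is outside the hunk, so the 403 expectation relies on that user not owning the video; a one-line comment above the test, `// userAccessToken belongs to a user who does not own privateVideo`, would make that dependency explicit.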
