Browse Source

Merge branch 'release/4.0.0' into develop

tags/v4.1.0-rc.1
Chocobozzz 5 months ago
parent
commit
3318147300
No known key found for this signature in database GPG Key ID: 583A612D890159BE
2 changed files with 84 additions and 2 deletions
  1. +22
    -1
      server/middlewares/validators/videos/video-comments.ts
  2. +62
    -1
      server/tests/api/check-params/video-comments.ts

+ 22
- 1
server/middlewares/validators/videos/video-comments.ts View File

@@ -8,7 +8,14 @@ import { logger } from '../../../helpers/logger'
import { AcceptResult, isLocalVideoCommentReplyAccepted, isLocalVideoThreadAccepted } from '../../../lib/moderation'
import { Hooks } from '../../../lib/plugins/hooks'
import { MCommentOwnerVideoReply, MVideo, MVideoFullLight } from '../../../types/models/video'
import { areValidationErrors, doesVideoCommentExist, doesVideoCommentThreadExist, doesVideoExist, isValidVideoIdParam } from '../shared'
import {
areValidationErrors,
checkCanSeeVideoIfPrivate,
doesVideoCommentExist,
doesVideoCommentThreadExist,
doesVideoExist,
isValidVideoIdParam
} from '../shared'

const listVideoCommentsValidator = [
query('isLocal')
@@ -47,6 +54,13 @@ const listVideoCommentThreadsValidator = [
if (areValidationErrors(req, res)) return
if (!await doesVideoExist(req.params.videoId, res, 'only-video')) return

if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.onlyVideo)) {
return res.fail({
status: HttpStatusCode.FORBIDDEN_403,
message: 'Cannot list comments of private/internal/blocklisted video'
})
}

return next()
}
]
@@ -64,6 +78,13 @@ const listVideoThreadCommentsValidator = [
if (!await doesVideoExist(req.params.videoId, res, 'only-video')) return
if (!await doesVideoCommentThreadExist(req.params.threadId, res.locals.onlyVideo, res)) return

if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.onlyVideo)) {
return res.fail({
status: HttpStatusCode.FORBIDDEN_403,
message: 'Cannot list threads of private/internal/blocklisted video'
})
}

return next()
}
]


+ 62
- 1
server/tests/api/check-params/video-comments.ts View File

@@ -3,7 +3,7 @@
import 'mocha'
import * as chai from 'chai'
import { checkBadCountPagination, checkBadSortPagination, checkBadStartPagination } from '@server/tests/shared'
import { HttpStatusCode, VideoCreateResult } from '@shared/models'
import { HttpStatusCode, VideoCreateResult, VideoPrivacy } from '@shared/models'
import {
cleanupTests,
createSingleServer,
@@ -24,6 +24,8 @@ describe('Test video comments API validator', function () {
let userAccessToken: string
let userAccessToken2: string
let commentId: number
let privateCommentId: number
let privateVideo: VideoCreateResult

// ---------------------------------------------------------------

@@ -39,12 +41,21 @@ describe('Test video comments API validator', function () {
pathThread = '/api/v1/videos/' + video.uuid + '/comment-threads'
}

{
privateVideo = await server.videos.upload({ attributes: { privacy: VideoPrivacy.PRIVATE } })
}

{
const created = await server.comments.createThread({ videoId: video.uuid, text: 'coucou' })
commentId = created.id
pathComment = '/api/v1/videos/' + video.uuid + '/comments/' + commentId
}

{
const created = await server.comments.createThread({ videoId: privateVideo.uuid, text: 'coucou' })
privateCommentId = created.id
}

{
const user = { username: 'user1', password: 'my super password' }
await server.users.create({ username: user.username, password: user.password })
@@ -78,6 +89,32 @@ describe('Test video comments API validator', function () {
expectedStatus: HttpStatusCode.NOT_FOUND_404
})
})

it('Should fail with a private video without token', async function () {
await makeGetRequest({
url: server.url,
path: '/api/v1/videos/' + privateVideo.shortUUID + '/comment-threads',
expectedStatus: HttpStatusCode.UNAUTHORIZED_401
})
})

it('Should fail with another user token', async function () {
await makeGetRequest({
url: server.url,
token: userAccessToken,
path: '/api/v1/videos/' + privateVideo.shortUUID + '/comment-threads',
expectedStatus: HttpStatusCode.FORBIDDEN_403
})
})

it('Should succeed with the correct params', async function () {
await makeGetRequest({
url: server.url,
token: server.accessToken,
path: '/api/v1/videos/' + privateVideo.shortUUID + '/comment-threads',
expectedStatus: HttpStatusCode.OK_200
})
})
})

describe('When listing comments of a thread', function () {
@@ -97,7 +134,31 @@ describe('Test video comments API validator', function () {
})
})

it('Should fail with a private video without token', async function () {
await makeGetRequest({
url: server.url,
path: '/api/v1/videos/' + privateVideo.shortUUID + '/comment-threads/' + privateCommentId,
expectedStatus: HttpStatusCode.UNAUTHORIZED_401
})
})

it('Should fail with another user token', async function () {
await makeGetRequest({
url: server.url,
token: userAccessToken,
path: '/api/v1/videos/' + privateVideo.shortUUID + '/comment-threads/' + privateCommentId,
expectedStatus: HttpStatusCode.FORBIDDEN_403
})
})

it('Should success with the correct params', async function () {
await makeGetRequest({
url: server.url,
token: server.accessToken,
path: '/api/v1/videos/' + privateVideo.shortUUID + '/comment-threads/' + privateCommentId,
expectedStatus: HttpStatusCode.OK_200
})

await makeGetRequest({
url: server.url,
path: '/api/v1/videos/' + video.shortUUID + '/comment-threads/' + commentId,


Loading…
Cancel
Save