Server: do not allow a user to remove a video of another user

diff --git a/client/tsconfig.json b/client/tsconfig.json
index e2d61851e6b8cf24f70314cad4897520677015b4..b10231b7b16bf30ff7b68877aa1f3e9fcd24afc1 100644 (file)
--- a/client/tsconfig.json
+++ b/client/tsconfig.json
@@ -49,8 +49,6 @@
     "src/app/shared/search/search.component.ts",
     "src/app/shared/search/search.model.ts",
     "src/app/shared/search/search.service.ts",
-    "src/app/shared/user/index.ts",
-    "src/app/shared/user/user.service.ts",
     "src/app/videos/index.ts",
     "src/app/videos/shared/index.ts",
     "src/app/videos/shared/loader/index.ts",

diff --git a/server/middlewares/validators/videos.js b/server/middlewares/validators/videos.js
index 9d21ee16fc997d536a3d0abfb44000bc5a1b819f..e51087d5af9edabcc9825a955721210a5f5c59f6 100644 (file)
--- a/server/middlewares/validators/videos.js
+++ b/server/middlewares/validators/videos.js
@@ -77,6 +77,7 @@ function videosRemove (req, res, next) {
 
       if (!video) return res.status(404).send('Video not found')
       else if (video.isOwned() === false) return res.status(403).send('Cannot remove video of another pod')
+      else if (video.author !== res.locals.oauth.token.user.username) return res.status(403).send('Cannot remove video of another user')
 
       next()
     })

diff --git a/server/tests/api/checkParams.js b/server/tests/api/checkParams.js
index 8b49f5f36b87dac3fcd5dec4a70ee0668614e5b2..e489df27765f2c37160d62a9378bce610f19d59d 100644 (file)
--- a/server/tests/api/checkParams.js
+++ b/server/tests/api/checkParams.js
@@ -496,6 +496,8 @@ describe('Test parameters validator', function () {
           .expect(404, done)
       })
 
+      it('Should fail with a video of another user')
+
       it('Should fail with a video of another pod')
 
       it('Should succeed with the correct parameters')