}
isUpdatableBy (user: AuthUser) {
- return user && this.isLocal === true && user.username === this.accountName
+ return user && this.isLocal === true && (this.accountName === user.username || user.hasRight(UserRight.UPDATE_ANY_VIDEO))
}
}
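Review bot: `isUpdatableBy` has no declared return type and its body starts with `return user && …`, so when `user` is null/undefined the method yields that falsy value rather than `false`; a template or guard comparing with `=== false` would not match. Suggest `isUpdatableBy (user: AuthUser): boolean { return !!user && this.isLocal === true && (this.accountName === user.username || user.hasRight(UserRight.UPDATE_ANY_VIDEO)) }`. Worth a one-line comment that this is a UI-only gate (`// Client-side hint only: the server re-checks ownership / UPDATE_ANY_VIDEO in its validator`), since the enforcement is in the middleware, not here. The enclosing class starts before this hunk.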
this.serverService.videoPrivaciesLoaded
.subscribe(() => this.videoPrivacies = this.serverService.getVideoPrivacies())
- populateAsyncUserVideoChannels(this.authService, this.userVideoChannels)
- .catch(err => console.error('Cannot populate async user video channels.', err))
-
const uuid: string = this.route.snapshot.params['uuid']
this.videoService.getVideo(uuid)
.switchMap(video => {
video => {
this.video = new VideoEdit(video)
+ this.userVideoChannels = [
+ {
+ id: video.channel.id,
+ label: video.channel.displayName
+ }
+ ]
+
// We cannot set private a video that was not private
if (video.privacy !== VideoPrivacy.PRIVATE) {
const newVideoPrivacies = []
const video = res.locals.video
- // We need to make additional checks
- if (video.isOwned() === false) {
- return res.status(403)
- .json({ error: 'Cannot update video of another server' })
- .end()
- }
-
- if (video.VideoChannel.Account.userId !== res.locals.oauth.token.User.id) {
- return res.status(403)
- .json({ error: 'Cannot update video of another user' })
- .end()
- }
+ // Check if the user who did the request is able to update the video
+ if (!checkUserCanManageVideo(res.locals.oauth.token.User, res.locals.video, UserRight.UPDATE_ANY_VIDEO, res)) return
if (video.privacy !== VideoPrivacy.PRIVATE && req.body.privacy === VideoPrivacy.PRIVATE) {
return res.status(409)
if (!await isVideoExist(req.params.id, res)) return
// Check if the user who did the request is able to delete the video
- if (!checkUserCanDeleteVideo(res.locals.oauth.token.User, res.locals.video, res)) return
+ if (!checkUserCanManageVideo(res.locals.oauth.token.User, res.locals.video, UserRight.REMOVE_ANY_VIDEO, res)) return
return next()
}
// ---------------------------------------------------------------------------
-function checkUserCanDeleteVideo (user: UserModel, video: VideoModel, res: express.Response) {
+function checkUserCanManageVideo (user: UserModel, video: VideoModel, right: UserRight, res: express.Response) {
// Retrieve the user who did the request
if (video.isOwned() === false) {
res.status(403)
// The user can delete it if he has the right
// Or if s/he is the video's account
const account = video.VideoChannel.Account
- if (user.hasRight(UserRight.REMOVE_ANY_VIDEO) === false && account.userId !== user.id) {
+ if (user.hasRight(right) === false && account.userId !== user.id) {
res.status(403)
.json({ error: 'Cannot remove video of another user' })
.end()
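Review bot: The 403 body at the `.json({ error: 'Cannot remove video of another user' })` line is now wrong for half of the callers, because the helper is also used by the update validator with `UserRight.UPDATE_ANY_VIDEO`, so a denied update reports a removal error. Either pass the verb in or make the message neutral, e.g. `.json({ error: 'Cannot manage video of another user' })`; the comment above it (`// The user can delete it if he has the right`) should likewise read `// The user can manage the video if s/he holds the given right, or owns the video's account`. The header comment `// Retrieve the user who did the request` describes nothing the function does (the user is a parameter) and could be replaced by a short doc block stating that the function answers the 403s itself and returns whether the caller may proceed. The function's return statements are outside the hunk, so I cannot confirm its exact return contract from here.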
describe('Test videos API validator', function () {
const path = '/api/v1/videos/'
let server: ServerInfo
+ let userAccessToken = ''
let channelId: number
+ let videoId
// ---------------------------------------------------------------
await setAccessTokensToServers([ server ])
+ const username = 'user1'
+ const password = 'my super password'
+ await createUser(server.url, server.accessToken, username, password)
+ userAccessToken = await userLogin(server, { username, password })
+
const res = await getMyUserInformation(server.url, server.accessToken)
channelId = res.body.videoChannels[0].id
})
privacy: VideoPrivacy.PUBLIC,
tags: [ 'tag1', 'tag2' ]
}
- let videoId
before(async function () {
const res = await getVideosList(server.url)
- videoId = res.body.data[0].id
+ videoId = res.body.data[0].uuid
})
it('Should fail with nothing', async function () {
})
})
- it('Should fail with a video of another user')
+ it('Should fail with a video of another user without the appropriate right', async function () {
+ const fields = baseCorrectParams
+
+ await makePutBodyRequest({ url: server.url, path: path + videoId, token: userAccessToken, fields, statusCodeExpected: 403 })
+ })
it('Should fail with a video of another server')
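Review bot: The new test at `makePutBodyRequest({ … token: userAccessToken, … statusCodeExpected: 403 })` only proves the deny path for a non-owner without the right; nothing in this hunk exercises the grant that the commit introduces (a user holding UPDATE_ANY_VIDEO updating a video they do not own), so a regression that drops the `hasRight(right)` branch in `checkUserCanManageVideo` would still pass. Suggest a companion case that logs in as a user with a role carrying UPDATE_ANY_VIDEO and expects success on the same `videoId`; the visible `createUser(server.url, server.accessToken, username, password)` helper does not take a role argument, so the role would presumably have to be set through whatever user-update helper the test utilities provide — verify. The `'Should fail with a video of another server'` case below is still a pending test with no body.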
await getVideo(server.url, '4da6fde3-88f7-4d16-b119-108df5630b06', 404)
})
- it('Should succeed with the correct parameters')
+ it('Should succeed with the correct parameters', async function () {
+ await getVideo(server.url, videoId)
+ })
})
describe('When rating a video', function () {
await removeVideo(server.url, server.accessToken, '4da6fde3-88f7-4d16-b119-108df5630b06', 404)
})
- it('Should fail with a video of another user')
+ it('Should fail with a video of another user without the appropriate right', async function () {
+ await removeVideo(server.url, userAccessToken, videoId, 403)
+ })
it('Should fail with a video of another server')
- it('Should succeed with the correct parameters')
+ it('Should succeed with the correct parameters', async function () {
+ await removeVideo(server.url, server.accessToken, videoId)
+ })
})
after(async function () {
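Review bot: The success case `removeVideo(server.url, server.accessToken, videoId)` uses the same token that uploaded the video in the setup (`getMyUserInformation(server.url, server.accessToken)` picks that account's channel), so that caller is both the owner and a holder of REMOVE_ANY_VIDEO and the two halves of `hasRight(right) === false && account.userId !== user.id` are never separated. Add a case where a non-owner with the right is allowed, and consider keeping the user1 403 check before it — once the admin removal succeeds, `videoId` is gone and a later 403 check on it would instead see a 404. The `'Should fail with a video of another server'` case remains a bodiless pending test.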
MANAGE_CONFIGURATION,
REMOVE_ANY_VIDEO,
REMOVE_ANY_VIDEO_CHANNEL,
- REMOVE_ANY_VIDEO_COMMENT
+ REMOVE_ANY_VIDEO_COMMENT,
+ UPDATE_ANY_VIDEO
}
UserRight.MANAGE_VIDEO_ABUSES,
UserRight.REMOVE_ANY_VIDEO,
UserRight.REMOVE_ANY_VIDEO_CHANNEL,
- UserRight.REMOVE_ANY_VIDEO_COMMENT
+ UserRight.REMOVE_ANY_VIDEO_COMMENT,
+ UserRight.UPDATE_ANY_VIDEO
],
[UserRole.USER]: []