From: Chocobozzz
Date: Tue, 21 Apr 2020 07:01:39 +0000 (+0200)
Subject: Don't leak unlisted videos in comments feed
X-Git-Tag: v2.2.0-rc.1~169
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=68b6fd21b19ef17274e84dbb21ad7cfb7bc6c36a;p=oweals%2Fpeertube.git
Don't leak unlisted videos in comments feed
---
diff --git a/server/controllers/feeds.ts b/server/controllers/feeds.ts
index 72628dffb..cb82bfc6d 100644
--- a/server/controllers/feeds.ts
+++ b/server/controllers/feeds.ts
@@ -67,7 +67,7 @@ async function generateVideoCommentsFeed (req: express.Request, res: express.Res
 const feed = initFeed(name, description)
 // Adding video items to the feed, one at a time
- comments.forEach(comment => {
+ for (const comment of comments) {
 const link = WEBSERVER.URL + comment.getCommentStaticPath()
 let title = comment.Video.name
@@ -89,7 +89,7 @@ async function generateVideoCommentsFeed (req: express.Request, res: express.Res
 author,
 date: comment.createdAt
 })
- })
+ }
 // Now the feed generation is done, let's send it!
 return sendFeed(feed, req, res)
diff --git a/server/models/video/video-comment.ts b/server/models/video/video-comment.ts
index b33c33d5e..aedd7a3a9 100644
--- a/server/models/video/video-comment.ts
+++ b/server/models/video/video-comment.ts
@@ -27,6 +27,7 @@ import {
 MCommentOwnerVideoReply
 } from '../../typings/models/video'
 import { MUserAccountId } from '@server/typings/models'
+import { VideoPrivacy } from '@shared/models'
 enum ScopeNames {
 WITH_ACCOUNT = 'WITH_ACCOUNT',
@@ -390,7 +391,10 @@ export class VideoCommentModel extends Model {
 {
 attributes: [ 'name', 'uuid' ],
 model: VideoModel.unscoped(),
- required: true
+ required: true,
+ where: {
+ privacy: VideoPrivacy.PUBLIC
+ }
 }
 ]
 }
diff --git a/server/tests/feeds/feeds.ts b/server/tests/feeds/feeds.ts
index 4510177cc..d978123cf 100644
--- a/server/tests/feeds/feeds.ts
+++ b/server/tests/feeds/feeds.ts
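Review bot: Nothing in this loop tells a reader that comments on non-public videos have already been excluded; the only guard is the `privacy: VideoPrivacy.PUBLIC` condition on the VideoModel include in video-comment.ts, so the controller silently depends on that scope being used by the query that produced `comments`. A one-line comment above the loop would make the dependency explicit, e.g. `// comments come from a VideoCommentModel scope that joins only PUBLIC videos; the feed itself applies no privacy check`. The `forEach` to `for…of` rewrite here and the matching closing brace in the second hunk do not change behaviour on their own. generateVideoCommentsFeed starts before and ends after this hunk.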
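Review bot: The `where: { privacy: VideoPrivacy.PUBLIC }` added to the VideoModel include is an allowlist, which is the right shape (UNLISTED, PRIVATE and any privacy value added later are all dropped by the inner join, since `required: true` is kept), but nothing at the site says why it is there or which callers rely on it, and the enclosing scope definition starts above the hunk so its name is not visible. If that scope is also used by a non-feed query (for example a listing the video owner is entitled to see), those callers now silently lose comments on their unlisted videos, which is worth confirming. Suggest a comment on the clause such as `// public feed only: join PUBLIC videos so comments on unlisted/private videos never reach the feed`, and, if the scope turns out to be shared, moving the privacy filter into a dedicated scope used only by the feed query. Because the include uses `VideoModel.unscoped()`, no default-scope filter of VideoModel applies here, so this explicit condition is the only privacy check on the join.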
@@ -19,6 +19,7 @@ import * as libxmljs from 'libxmljs'
 import { addVideoCommentThread } from '../../../shared/extra-utils/videos/video-comments'
 import { waitJobs } from '../../../shared/extra-utils/server/jobs'
 import { User } from '../../../shared/models/users'
+import { VideoPrivacy } from '@shared/models'
 chai.use(require('chai-xml'))
 chai.use(require('chai-json-schema'))
@@ -77,6 +78,14 @@ describe('Test syndication feeds', () => {
 await addVideoCommentThread(servers[0].url, servers[0].accessToken, videoId, 'super comment 2')
 }
+ {
+ const videoAttributes = { name: 'unlisted video', privacy: VideoPrivacy.UNLISTED }
+ const res = await uploadVideo(servers[0].url, servers[0].accessToken, videoAttributes)
+ const videoId = res.body.video.id
+
+ await addVideoCommentThread(servers[0].url, servers[0].accessToken, videoId, 'comment on unlisted video')
+ }
+
 await waitJobs(servers)
 })
@@ -196,7 +205,8 @@ describe('Test syndication feeds', () => {
 })
 describe('Video comments feed', function () {
- it('Should contain valid comments (covers JSON feed 1.0 endpoint)', async function () {
+
+ it('Should contain valid comments (covers JSON feed 1.0 endpoint) and not from unlisted videos', async function () {
 for (const server of servers) {
 const json = await getJSONfeed(server.url, 'video-comments')
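Review bot: The new fixture only covers `VideoPrivacy.UNLISTED`; the model filter allowlists PUBLIC, so a PRIVATE video with a comment would pin the other half of that behaviour and catch a later regression that re-admits private videos while still excluding unlisted ones. Duplicate the block with `privacy: VideoPrivacy.PRIVATE`, a distinct video name and a distinct comment text such as `'comment on private video'`, and assert that both comment texts are absent from the comments feed. The assertion side lives in the renamed `it(...)` of the next hunk, whose body continues past what I can see, so I cannot confirm it checks that the comment text is absent rather than only the item count; asserting on the text is the more robust check.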