From 945ba268fbfe69047361113e15e8d90e9d0e6679 Mon Sep 17 00:00:00 2001
From: Isaac Abadi
Date: Wed, 12 Aug 2020 16:23:28 -0400
Subject: [PATCH] Fixed bug where non-shared videos could be viewed by others Fixed bug where non-users couldn't download a shared video
---
 backend/app.js | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/backend/app.js b/backend/app.js
index d75d7bf..c088ad6 100644
--- a/backend/app.js
+++ b/backend/app.js
@@ -1866,7 +1866,8 @@ const optionalJwt = function (req, res, next) {
 const uuid = using_body ? req.body.uuid : req.query.uuid;
 const uid = using_body ? req.body.uid : req.query.uid;
 const type = using_body ? req.body.type : req.query.type;
- const is_shared = !req.query.id ? auth_api.getUserVideo(uuid, uid, type, true) : auth_api.getUserPlaylist(uuid, req.query.id, null, true);
+ const file = !req.query.id ? auth_api.getUserVideo(uuid, uid, type, true, req.body) : auth_api.getUserPlaylist(uuid, req.query.id, null, true);
+ const is_shared = file ? file['sharingEnabled'] : false;
 if (is_shared) {
 req.can_watch = true;
 return next();
@@ -2579,9 +2580,10 @@ app.post('/api/downloadFile', optionalJwt, async (req, res) => {
 let base_path = fileFolderPath;
 let usersFileFolder = null;
- if (req.isAuthenticated()) {
+ const multiUserMode = config_api.getConfigItem('ytdl_multi_user_mode');
+ if (multiUserMode && req.body.uuid) {
 usersFileFolder = config_api.getConfigItem('ytdl_users_base_path');
- base_path = path.join(usersFileFolder, req.user.uid, type);
+ base_path = path.join(usersFileFolder, req.body.uuid, type);
 }
 if (!subscriptionName) {
 file = path.join(__dirname, base_path, fileNames + ext);
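Review bot: The new `getUserVideo` call always passes `req.body`, while the lines just above it take `uuid`, `uid` and `type` from `req.query` whenever `using_body` is false, so the sharing lookup may be reading two different request sources; the fifth parameter's meaning is not visible here and should be confirmed against `auth_api`. The playlist branch is now also read through `file['sharingEnabled']`, which assumes `getUserPlaylist` returns the playlist object rather than a boolean. Since this flag appears to be the only gate for viewers without a token, I would make it strict and documented: `const is_shared = !!file && file['sharingEnabled'] === true;` with a comment such as `// access without a JWT is allowed only when the owner enabled sharing on this exact file`. `optionalJwt` starts and ends outside the hunk.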
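Review bot: `req.body.uuid` now goes straight into `path.join(usersFileFolder, req.body.uuid, type)` in place of the server-derived `req.user.uid`, so the directory a download is served from is chosen by the request, and nothing in this hunk checks that it is a string or keeps the result inside `ytdl_users_base_path`. Before the join I would add a containment check, e.g. `const users_root = path.resolve(__dirname, usersFileFolder);` followed by `if (typeof req.body.uuid !== 'string' || !path.resolve(users_root, req.body.uuid, type).startsWith(users_root + path.sep)) return res.sendStatus(400);`. Authorization for this route now rests entirely on `optionalJwt`: what it verifies as shared is identified by `uuid`/`uid`/`type`, while this handler builds the path from `fileNames`, so it is worth confirming both refer to the same file and that a logged-in caller's `req.body.uuid` is compared with `req.user.uid`. The handler continues outside the hunk.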