[github/Chocobozzz/PeerTube.git] / server / controllers / api / abuse.ts

import express from 'express'
import { logger } from '@server/helpers/logger'
import { createAccountAbuse, createVideoAbuse, createVideoCommentAbuse } from '@server/lib/moderation'
import { Notifier } from '@server/lib/notifier'
import { AbuseModel } from '@server/models/abuse/abuse'
import { AbuseMessageModel } from '@server/models/abuse/abuse-message'
import { getServerActor } from '@server/models/application/application'
import { abusePredefinedReasonsMap } from '@shared/core-utils/abuse'
import { HttpStatusCode } from '@shared/models'
import { AbuseCreate, AbuseState, UserRight } from '../../../shared'
import { getFormattedObjects } from '../../helpers/utils'
import { sequelizeTypescript } from '../../initializers/database'
import {
  abuseGetValidator,
  abuseListForAdminsValidator,
  abuseReportValidator,
  abusesSortValidator,
  abuseUpdateValidator,
  addAbuseMessageValidator,
  asyncMiddleware,
  asyncRetryTransactionMiddleware,
  authenticate,
  checkAbuseValidForMessagesValidator,
  deleteAbuseMessageValidator,
  ensureUserHasRight,
  getAbuseValidator,
  openapiOperationDoc,
  paginationValidator,
  setDefaultPagination,
  setDefaultSort
} from '../../middlewares'
import { AccountModel } from '../../models/account/account'

const abuseRouter = express.Router()

abuseRouter.get('/',
  openapiOperationDoc({ operationId: 'getAbuses' }),
  authenticate,
  ensureUserHasRight(UserRight.MANAGE_ABUSES),
  paginationValidator,
  abusesSortValidator,
  setDefaultSort,
  setDefaultPagination,
  abuseListForAdminsValidator,
  asyncMiddleware(listAbusesForAdmins)
)
abuseRouter.put('/:id',
  authenticate,
  ensureUserHasRight(UserRight.MANAGE_ABUSES),
  asyncMiddleware(abuseUpdateValidator),
  asyncRetryTransactionMiddleware(updateAbuse)
)
abuseRouter.post('/',
  authenticate,
  asyncMiddleware(abuseReportValidator),
  asyncRetryTransactionMiddleware(reportAbuse)
)
abuseRouter.delete('/:id',
  authenticate,
  ensureUserHasRight(UserRight.MANAGE_ABUSES),
  asyncMiddleware(abuseGetValidator),
  asyncRetryTransactionMiddleware(deleteAbuse)
)

abuseRouter.get('/:id/messages',
  authenticate,
  asyncMiddleware(getAbuseValidator),
  checkAbuseValidForMessagesValidator,
  asyncRetryTransactionMiddleware(listAbuseMessages)
)

abuseRouter.post('/:id/messages',
  authenticate,
  asyncMiddleware(getAbuseValidator),
  checkAbuseValidForMessagesValidator,
  addAbuseMessageValidator,
  asyncRetryTransactionMiddleware(addAbuseMessage)
)

abuseRouter.delete('/:id/messages/:messageId',
  authenticate,
  asyncMiddleware(getAbuseValidator),
  checkAbuseValidForMessagesValidator,
  asyncMiddleware(deleteAbuseMessageValidator),
  asyncRetryTransactionMiddleware(deleteAbuseMessage)
)

// ---------------------------------------------------------------------------

export {
  abuseRouter
}

// ---------------------------------------------------------------------------

async function listAbusesForAdmins (req: express.Request, res: express.Response) {
  const user = res.locals.oauth.token.user
  const serverActor = await getServerActor()

  const resultList = await AbuseModel.listForAdminApi({
    start: req.query.start,
    count: req.query.count,
    sort: req.query.sort,
    id: req.query.id,
    filter: req.query.filter,
    predefinedReason: req.query.predefinedReason,
    search: req.query.search,
    state: req.query.state,
    videoIs: req.query.videoIs,
    searchReporter: req.query.searchReporter,
    searchReportee: req.query.searchReportee,
    searchVideo: req.query.searchVideo,
    searchVideoChannel: req.query.searchVideoChannel,
    serverAccountId: serverActor.Account.id,
    user
  })

  return res.json({
    total: resultList.total,
    data: resultList.data.map(d => d.toFormattedAdminJSON())
  })
}

async function updateAbuse (req: express.Request, res: express.Response) {
  const abuse = res.locals.abuse
  let stateUpdated = false

  if (req.body.moderationComment !== undefined) abuse.moderationComment = req.body.moderationComment

  if (req.body.state !== undefined) {
    abuse.state = req.body.state
    stateUpdated = true
  }

  await sequelizeTypescript.transaction(t => {
    return abuse.save({ transaction: t })
  })

  if (stateUpdated === true) {
    AbuseModel.loadFull(abuse.id)
      .then(abuseFull => Notifier.Instance.notifyOnAbuseStateChange(abuseFull))
      .catch(err => logger.error('Cannot notify on abuse state change', { err }))
  }

  // Do not send the delete to other instances, we updated OUR copy of this abuse

  return res.status(HttpStatusCode.NO_CONTENT_204).end()
}

async function deleteAbuse (req: express.Request, res: express.Response) {
  const abuse = res.locals.abuse

  await sequelizeTypescript.transaction(t => {
    return abuse.destroy({ transaction: t })
  })

  // Do not send the delete to other instances, we delete OUR copy of this abuse

  return res.status(HttpStatusCode.NO_CONTENT_204).end()
}

async function reportAbuse (req: express.Request, res: express.Response) {
  const videoInstance = res.locals.videoAll
  const commentInstance = res.locals.videoCommentFull
  const accountInstance = res.locals.account

  const body: AbuseCreate = req.body

  const { id } = await sequelizeTypescript.transaction(async t => {
    const user = res.locals.oauth.token.User
    // Don't send abuse notification if reporter is an admin/moderator
    const skipNotification = user.hasRight(UserRight.MANAGE_ABUSES)

    const reporterAccount = await AccountModel.load(user.Account.id, t)
    const predefinedReasons = body.predefinedReasons?.map(r => abusePredefinedReasonsMap[r])

    const baseAbuse = {
      reporterAccountId: reporterAccount.id,
      reason: body.reason,
      state: AbuseState.PENDING,
      predefinedReasons
    }

    if (body.video) {
      return createVideoAbuse({
        baseAbuse,
        videoInstance,
        reporterAccount,
        transaction: t,
        startAt: body.video.startAt,
        endAt: body.video.endAt,
        skipNotification
      })
    }

    if (body.comment) {
      return createVideoCommentAbuse({
        baseAbuse,
        commentInstance,
        reporterAccount,
        transaction: t,
        skipNotification
      })
    }

    // Account report
    return createAccountAbuse({
      baseAbuse,
      accountInstance,
      reporterAccount,
      transaction: t,
      skipNotification
    })
  })

  return res.json({ abuse: { id } })
}

async function listAbuseMessages (req: express.Request, res: express.Response) {
  const abuse = res.locals.abuse

  const resultList = await AbuseMessageModel.listForApi(abuse.id)

  return res.json(getFormattedObjects(resultList.data, resultList.total))
}

async function addAbuseMessage (req: express.Request, res: express.Response) {
  const abuse = res.locals.abuse
  const user = res.locals.oauth.token.user

  const abuseMessage = await AbuseMessageModel.create({
    message: req.body.message,
    byModerator: abuse.reporterAccountId !== user.Account.id,
    accountId: user.Account.id,
    abuseId: abuse.id
  })

  AbuseModel.loadFull(abuse.id)
    .then(abuseFull => Notifier.Instance.notifyOnAbuseMessage(abuseFull, abuseMessage))
    .catch(err => logger.error('Cannot notify on new abuse message', { err }))

  return res.json({
    abuseMessage: {
      id: abuseMessage.id
    }
  })
}

async function deleteAbuseMessage (req: express.Request, res: express.Response) {
  const abuseMessage = res.locals.abuseMessage

  await sequelizeTypescript.transaction(t => {
    return abuseMessage.destroy({ transaction: t })
  })

  return res.status(HttpStatusCode.NO_CONTENT_204).end()
}
Commit	Line	Data
41fb13c3	1	import express from 'express'
bd45d503	2	import { logger } from '@server/helpers/logger'
d95d1559	3	import { createAccountAbuse, createVideoAbuse, createVideoCommentAbuse } from '@server/lib/moderation'
bd45d503	4	import { Notifier } from '@server/lib/notifier'
d95d1559	5	import { AbuseModel } from '@server/models/abuse/abuse'
edbc9325	6	import { AbuseMessageModel } from '@server/models/abuse/abuse-message'
d95d1559	7	import { getServerActor } from '@server/models/application/application'
bd45d503	8	import { abusePredefinedReasonsMap } from '@shared/core-utils/abuse'
c0e8b12e	9	import { HttpStatusCode } from '@shared/models'
bd45d503	10	import { AbuseCreate, AbuseState, UserRight } from '../../../shared'
d95d1559 C	11	import { getFormattedObjects } from '../../helpers/utils'
	12	import { sequelizeTypescript } from '../../initializers/database'
	13	import {
	14	abuseGetValidator,
edbc9325	15	abuseListForAdminsValidator,
d95d1559 C	16	abuseReportValidator,
	17	abusesSortValidator,
	18	abuseUpdateValidator,
edbc9325	19	addAbuseMessageValidator,
d95d1559 C	20	asyncMiddleware,
	21	asyncRetryTransactionMiddleware,
	22	authenticate,
94148c90	23	checkAbuseValidForMessagesValidator,
edbc9325	24	deleteAbuseMessageValidator,
d95d1559	25	ensureUserHasRight,
edbc9325	26	getAbuseValidator,
1333ab1f	27	openapiOperationDoc,
d95d1559 C	28	paginationValidator,
	29	setDefaultPagination,
	30	setDefaultSort
	31	} from '../../middlewares'
	32	import { AccountModel } from '../../models/account/account'
	33
	34	const abuseRouter = express.Router()
	35
57f6896f	36	abuseRouter.get('/',
1333ab1f	37	openapiOperationDoc({ operationId: 'getAbuses' }),
d95d1559 C	38	authenticate,
	39	ensureUserHasRight(UserRight.MANAGE_ABUSES),
	40	paginationValidator,
	41	abusesSortValidator,
	42	setDefaultSort,
	43	setDefaultPagination,
edbc9325 C	44	abuseListForAdminsValidator,
edbc9325 C	45	asyncMiddleware(listAbusesForAdmins)
d95d1559	46	)
57f6896f	47	abuseRouter.put('/:id',
d95d1559 C	48	authenticate,
	49	ensureUserHasRight(UserRight.MANAGE_ABUSES),
	50	asyncMiddleware(abuseUpdateValidator),
	51	asyncRetryTransactionMiddleware(updateAbuse)
	52	)
57f6896f	53	abuseRouter.post('/',
d95d1559 C	54	authenticate,
	55	asyncMiddleware(abuseReportValidator),
	56	asyncRetryTransactionMiddleware(reportAbuse)
	57	)
57f6896f	58	abuseRouter.delete('/:id',
d95d1559 C	59	authenticate,
	60	ensureUserHasRight(UserRight.MANAGE_ABUSES),
	61	asyncMiddleware(abuseGetValidator),
	62	asyncRetryTransactionMiddleware(deleteAbuse)
	63	)
	64
edbc9325 C	65	abuseRouter.get('/:id/messages',
	66	authenticate,
	67	asyncMiddleware(getAbuseValidator),
94148c90	68	checkAbuseValidForMessagesValidator,
edbc9325 C	69	asyncRetryTransactionMiddleware(listAbuseMessages)
	70	)
	71
	72	abuseRouter.post('/:id/messages',
	73	authenticate,
	74	asyncMiddleware(getAbuseValidator),
94148c90	75	checkAbuseValidForMessagesValidator,
edbc9325 C	76	addAbuseMessageValidator,
	77	asyncRetryTransactionMiddleware(addAbuseMessage)
	78	)
	79
	80	abuseRouter.delete('/:id/messages/:messageId',
	81	authenticate,
	82	asyncMiddleware(getAbuseValidator),
94148c90	83	checkAbuseValidForMessagesValidator,
edbc9325 C	84	asyncMiddleware(deleteAbuseMessageValidator),
	85	asyncRetryTransactionMiddleware(deleteAbuseMessage)
	86	)
	87
d95d1559 C	88	// ---------------------------------------------------------------------------
	89
	90	export {
7a4ea932	91	abuseRouter
d95d1559 C	92	}
	93
	94	// ---------------------------------------------------------------------------
	95
edbc9325	96	async function listAbusesForAdmins (req: express.Request, res: express.Response) {
d95d1559 C	97	const user = res.locals.oauth.token.user
	98	const serverActor = await getServerActor()
	99
edbc9325	100	const resultList = await AbuseModel.listForAdminApi({
d95d1559 C	101	start: req.query.start,
	102	count: req.query.count,
	103	sort: req.query.sort,
	104	id: req.query.id,
57f6896f	105	filter: req.query.filter,
d95d1559 C	106	predefinedReason: req.query.predefinedReason,
	107	search: req.query.search,
	108	state: req.query.state,
	109	videoIs: req.query.videoIs,
	110	searchReporter: req.query.searchReporter,
	111	searchReportee: req.query.searchReportee,
	112	searchVideo: req.query.searchVideo,
	113	searchVideoChannel: req.query.searchVideoChannel,
	114	serverAccountId: serverActor.Account.id,
	115	user
	116	})
	117
edbc9325 C	118	return res.json({
	119	total: resultList.total,
	120	data: resultList.data.map(d => d.toFormattedAdminJSON())
	121	})
d95d1559 C	122	}
	123
	124	async function updateAbuse (req: express.Request, res: express.Response) {
	125	const abuse = res.locals.abuse
594d3e48	126	let stateUpdated = false
d95d1559 C	127
d95d1559 C	128	if (req.body.moderationComment !== undefined) abuse.moderationComment = req.body.moderationComment
594d3e48 C	129
	130	if (req.body.state !== undefined) {
	131	abuse.state = req.body.state
	132	stateUpdated = true
	133	}
d95d1559 C	134
	135	await sequelizeTypescript.transaction(t => {
	136	return abuse.save({ transaction: t })
	137	})
	138
594d3e48 C	139	if (stateUpdated === true) {
	140	AbuseModel.loadFull(abuse.id)
	141	.then(abuseFull => Notifier.Instance.notifyOnAbuseStateChange(abuseFull))
	142	.catch(err => logger.error('Cannot notify on abuse state change', { err }))
	143	}
edbc9325	144
310b5219	145	// Do not send the delete to other instances, we updated OUR copy of this abuse
d95d1559	146
76148b27	147	return res.status(HttpStatusCode.NO_CONTENT_204).end()
d95d1559 C	148	}
	149
	150	async function deleteAbuse (req: express.Request, res: express.Response) {
	151	const abuse = res.locals.abuse
	152
	153	await sequelizeTypescript.transaction(t => {
	154	return abuse.destroy({ transaction: t })
	155	})
	156
310b5219	157	// Do not send the delete to other instances, we delete OUR copy of this abuse
d95d1559	158
76148b27	159	return res.status(HttpStatusCode.NO_CONTENT_204).end()
d95d1559 C	160	}
	161
	162	async function reportAbuse (req: express.Request, res: express.Response) {
	163	const videoInstance = res.locals.videoAll
	164	const commentInstance = res.locals.videoCommentFull
	165	const accountInstance = res.locals.account
	166
	167	const body: AbuseCreate = req.body
	168
	169	const { id } = await sequelizeTypescript.transaction(async t => {
9e847c17 C	170	const user = res.locals.oauth.token.User
	171	// Don't send abuse notification if reporter is an admin/moderator
	172	const skipNotification = user.hasRight(UserRight.MANAGE_ABUSES)
	173
	174	const reporterAccount = await AccountModel.load(user.Account.id, t)
d95d1559 C	175	const predefinedReasons = body.predefinedReasons?.map(r => abusePredefinedReasonsMap[r])
	176
	177	const baseAbuse = {
	178	reporterAccountId: reporterAccount.id,
	179	reason: body.reason,
	180	state: AbuseState.PENDING,
	181	predefinedReasons
	182	}
	183
	184	if (body.video) {
	185	return createVideoAbuse({
	186	baseAbuse,
	187	videoInstance,
	188	reporterAccount,
	189	transaction: t,
	190	startAt: body.video.startAt,
9e847c17 C	191	endAt: body.video.endAt,
9e847c17 C	192	skipNotification
d95d1559 C	193	})
	194	}
	195
	196	if (body.comment) {
	197	return createVideoCommentAbuse({
	198	baseAbuse,
	199	commentInstance,
	200	reporterAccount,
9e847c17 C	201	transaction: t,
9e847c17 C	202	skipNotification
d95d1559 C	203	})
	204	}
	205
	206	// Account report
	207	return createAccountAbuse({
	208	baseAbuse,
	209	accountInstance,
	210	reporterAccount,
9e847c17 C	211	transaction: t,
9e847c17 C	212	skipNotification
d95d1559 C	213	})
	214	})
	215
	216	return res.json({ abuse: { id } })
	217	}
edbc9325 C	218
	219	async function listAbuseMessages (req: express.Request, res: express.Response) {
	220	const abuse = res.locals.abuse
	221
	222	const resultList = await AbuseMessageModel.listForApi(abuse.id)
	223
	224	return res.json(getFormattedObjects(resultList.data, resultList.total))
	225	}
	226
	227	async function addAbuseMessage (req: express.Request, res: express.Response) {
	228	const abuse = res.locals.abuse
	229	const user = res.locals.oauth.token.user
	230
	231	const abuseMessage = await AbuseMessageModel.create({
	232	message: req.body.message,
	233	byModerator: abuse.reporterAccountId !== user.Account.id,
	234	accountId: user.Account.id,
	235	abuseId: abuse.id
	236	})
	237
594d3e48 C	238	AbuseModel.loadFull(abuse.id)
	239	.then(abuseFull => Notifier.Instance.notifyOnAbuseMessage(abuseFull, abuseMessage))
	240	.catch(err => logger.error('Cannot notify on new abuse message', { err }))
edbc9325 C	241
	242	return res.json({
	243	abuseMessage: {
	244	id: abuseMessage.id
	245	}
	246	})
	247	}
	248
	249	async function deleteAbuseMessage (req: express.Request, res: express.Response) {
	250	const abuseMessage = res.locals.abuseMessage
	251
	252	await sequelizeTypescript.transaction(t => {
	253	return abuseMessage.destroy({ transaction: t })
	254	})
	255
76148b27	256	return res.status(HttpStatusCode.NO_CONTENT_204).end()
edbc9325	257	}