[github/Chocobozzz/PeerTube.git] / server / middlewares / validators / abuse.ts

import * as express from 'express'
import { body, param, query } from 'express-validator'
import {
  areAbusePredefinedReasonsValid,
  isAbuseFilterValid,
  isAbuseMessageValid,
  isAbuseModerationCommentValid,
  isAbusePredefinedReasonValid,
  isAbuseReasonValid,
  isAbuseStateValid,
  isAbuseTimestampCoherent,
  isAbuseTimestampValid,
  isAbuseVideoIsValid
} from '@server/helpers/custom-validators/abuses'
import { exists, isIdOrUUIDValid, isIdValid, toIntOrNull } from '@server/helpers/custom-validators/misc'
import { logger } from '@server/helpers/logger'
import { AbuseMessageModel } from '@server/models/abuse/abuse-message'
import { AbuseCreate, UserRight } from '@shared/models'
import { HttpStatusCode } from '../../../shared/core-utils/miscs/http-error-codes'
import { areValidationErrors, doesAbuseExist, doesAccountIdExist, doesCommentIdExist, doesVideoExist } from './shared'

const abuseReportValidator = [
  body('account.id')
    .optional()
    .custom(isIdValid)
    .withMessage('Should have a valid accountId'),

  body('video.id')
    .optional()
    .custom(isIdOrUUIDValid)
    .withMessage('Should have a valid videoId'),
  body('video.startAt')
    .optional()
    .customSanitizer(toIntOrNull)
    .custom(isAbuseTimestampValid)
    .withMessage('Should have valid starting time value'),
  body('video.endAt')
    .optional()
    .customSanitizer(toIntOrNull)
    .custom(isAbuseTimestampValid)
    .withMessage('Should have valid ending time value')
    .bail()
    .custom(isAbuseTimestampCoherent)
    .withMessage('Should have a startAt timestamp beginning before endAt'),

  body('comment.id')
    .optional()
    .custom(isIdValid)
    .withMessage('Should have a valid commentId'),

  body('reason')
    .custom(isAbuseReasonValid)
    .withMessage('Should have a valid reason'),

  body('predefinedReasons')
    .optional()
    .custom(areAbusePredefinedReasonsValid)
    .withMessage('Should have a valid list of predefined reasons'),

  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking abuseReport parameters', { parameters: req.body })

    if (areValidationErrors(req, res)) return

    const body: AbuseCreate = req.body

    if (body.video?.id && !await doesVideoExist(body.video.id, res)) return
    if (body.account?.id && !await doesAccountIdExist(body.account.id, res)) return
    if (body.comment?.id && !await doesCommentIdExist(body.comment.id, res)) return

    if (!body.video?.id && !body.account?.id && !body.comment?.id) {
      res.fail({ message: 'video id or account id or comment id is required.' })
      return
    }

    return next()
  }
]

const abuseGetValidator = [
  param('id').custom(isIdValid).not().isEmpty().withMessage('Should have a valid id'),

  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking abuseGetValidator parameters', { parameters: req.body })

    if (areValidationErrors(req, res)) return
    if (!await doesAbuseExist(req.params.id, res)) return

    return next()
  }
]

const abuseUpdateValidator = [
  param('id').custom(isIdValid).not().isEmpty().withMessage('Should have a valid id'),

  body('state')
    .optional()
    .custom(isAbuseStateValid).withMessage('Should have a valid abuse state'),
  body('moderationComment')
    .optional()
    .custom(isAbuseModerationCommentValid).withMessage('Should have a valid moderation comment'),

  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking abuseUpdateValidator parameters', { parameters: req.body })

    if (areValidationErrors(req, res)) return
    if (!await doesAbuseExist(req.params.id, res)) return

    return next()
  }
]

const abuseListForAdminsValidator = [
  query('id')
    .optional()
    .custom(isIdValid).withMessage('Should have a valid id'),
  query('filter')
    .optional()
    .custom(isAbuseFilterValid)
    .withMessage('Should have a valid filter'),
  query('predefinedReason')
    .optional()
    .custom(isAbusePredefinedReasonValid)
    .withMessage('Should have a valid predefinedReason'),
  query('search')
    .optional()
    .custom(exists).withMessage('Should have a valid search'),
  query('state')
    .optional()
    .custom(isAbuseStateValid).withMessage('Should have a valid abuse state'),
  query('videoIs')
    .optional()
    .custom(isAbuseVideoIsValid).withMessage('Should have a valid "video is" attribute'),
  query('searchReporter')
    .optional()
    .custom(exists).withMessage('Should have a valid reporter search'),
  query('searchReportee')
    .optional()
    .custom(exists).withMessage('Should have a valid reportee search'),
  query('searchVideo')
    .optional()
    .custom(exists).withMessage('Should have a valid video search'),
  query('searchVideoChannel')
    .optional()
    .custom(exists).withMessage('Should have a valid video channel search'),

  (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking abuseListForAdminsValidator parameters', { parameters: req.body })

    if (areValidationErrors(req, res)) return

    return next()
  }
]

const abuseListForUserValidator = [
  query('id')
    .optional()
    .custom(isIdValid).withMessage('Should have a valid id'),

  query('search')
    .optional()
    .custom(exists).withMessage('Should have a valid search'),

  query('state')
    .optional()
    .custom(isAbuseStateValid).withMessage('Should have a valid abuse state'),

  (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking abuseListForUserValidator parameters', { parameters: req.body })

    if (areValidationErrors(req, res)) return

    return next()
  }
]

const getAbuseValidator = [
  param('id').custom(isIdValid).not().isEmpty().withMessage('Should have a valid id'),

  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking getAbuseValidator parameters', { parameters: req.body })

    if (areValidationErrors(req, res)) return
    if (!await doesAbuseExist(req.params.id, res)) return

    const user = res.locals.oauth.token.user
    const abuse = res.locals.abuse

    if (user.hasRight(UserRight.MANAGE_ABUSES) !== true && abuse.reporterAccountId !== user.Account.id) {
      const message = `User ${user.username} does not have right to get abuse ${abuse.id}`
      logger.warn(message)

      return res.fail({
        status: HttpStatusCode.FORBIDDEN_403,
        message
      })
    }

    return next()
  }
]

const checkAbuseValidForMessagesValidator = [
  (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking checkAbuseValidForMessagesValidator parameters', { parameters: req.body })

    const abuse = res.locals.abuse
    if (abuse.ReporterAccount.isOwned() === false) {
      return res.fail({ message: 'This abuse was created by a user of your instance.' })
    }

    return next()
  }
]

const addAbuseMessageValidator = [
  body('message').custom(isAbuseMessageValid).not().isEmpty().withMessage('Should have a valid abuse message'),

  (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking addAbuseMessageValidator parameters', { parameters: req.body })

    if (areValidationErrors(req, res)) return

    return next()
  }
]

const deleteAbuseMessageValidator = [
  param('messageId').custom(isIdValid).not().isEmpty().withMessage('Should have a valid message id'),

  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking deleteAbuseMessageValidator parameters', { parameters: req.body })

    if (areValidationErrors(req, res)) return

    const user = res.locals.oauth.token.user
    const abuse = res.locals.abuse

    const messageId = parseInt(req.params.messageId + '', 10)
    const abuseMessage = await AbuseMessageModel.loadByIdAndAbuseId(messageId, abuse.id)

    if (!abuseMessage) {
      return res.fail({
        status: HttpStatusCode.NOT_FOUND_404,
        message: 'Abuse message not found'
      })
    }

    if (user.hasRight(UserRight.MANAGE_ABUSES) !== true && abuseMessage.accountId !== user.Account.id) {
      return res.fail({
        status: HttpStatusCode.FORBIDDEN_403,
        message: 'Cannot delete this abuse message'
      })
    }

    res.locals.abuseMessage = abuseMessage

    return next()
  }
]

// ---------------------------------------------------------------------------

export {
  abuseListForAdminsValidator,
  abuseReportValidator,
  abuseGetValidator,
  addAbuseMessageValidator,
  checkAbuseValidForMessagesValidator,
  abuseUpdateValidator,
  deleteAbuseMessageValidator,
  abuseListForUserValidator,
  getAbuseValidator
}
Commit	Line	Data
d95d1559 C	1	import * as express from 'express'
	2	import { body, param, query } from 'express-validator'
	3	import {
7a4ea932	4	areAbusePredefinedReasonsValid,
57f6896f	5	isAbuseFilterValid,
edbc9325	6	isAbuseMessageValid,
d95d1559	7	isAbuseModerationCommentValid,
d95d1559 C	8	isAbusePredefinedReasonValid,
	9	isAbuseReasonValid,
	10	isAbuseStateValid,
	11	isAbuseTimestampCoherent,
	12	isAbuseTimestampValid,
	13	isAbuseVideoIsValid
	14	} from '@server/helpers/custom-validators/abuses'
	15	import { exists, isIdOrUUIDValid, isIdValid, toIntOrNull } from '@server/helpers/custom-validators/misc'
	16	import { logger } from '@server/helpers/logger'
edbc9325 C	17	import { AbuseMessageModel } from '@server/models/abuse/abuse-message'
edbc9325 C	18	import { AbuseCreate, UserRight } from '@shared/models'
2d53be02	19	import { HttpStatusCode } from '../../../shared/core-utils/miscs/http-error-codes'
10363c74	20	import { areValidationErrors, doesAbuseExist, doesAccountIdExist, doesCommentIdExist, doesVideoExist } from './shared'
d95d1559 C	21
d95d1559 C	22	const abuseReportValidator = [
57f6896f C	23	body('account.id')
	24	.optional()
	25	.custom(isIdValid)
	26	.withMessage('Should have a valid accountId'),
	27
	28	body('video.id')
	29	.optional()
d95d1559	30	.custom(isIdOrUUIDValid)
d95d1559	31	.withMessage('Should have a valid videoId'),
57f6896f	32	body('video.startAt')
d95d1559 C	33	.optional()
	34	.customSanitizer(toIntOrNull)
	35	.custom(isAbuseTimestampValid)
	36	.withMessage('Should have valid starting time value'),
57f6896f	37	body('video.endAt')
d95d1559 C	38	.optional()
	39	.customSanitizer(toIntOrNull)
	40	.custom(isAbuseTimestampValid)
	41	.withMessage('Should have valid ending time value')
	42	.bail()
	43	.custom(isAbuseTimestampCoherent)
	44	.withMessage('Should have a startAt timestamp beginning before endAt'),
	45
57f6896f C	46	body('comment.id')
	47	.optional()
	48	.custom(isIdValid)
	49	.withMessage('Should have a valid commentId'),
	50
	51	body('reason')
	52	.custom(isAbuseReasonValid)
	53	.withMessage('Should have a valid reason'),
	54
	55	body('predefinedReasons')
	56	.optional()
edbc9325	57	.custom(areAbusePredefinedReasonsValid)
57f6896f C	58	.withMessage('Should have a valid list of predefined reasons'),
57f6896f C	59
d95d1559 C	60	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
	61	logger.debug('Checking abuseReport parameters', { parameters: req.body })
	62
	63	if (areValidationErrors(req, res)) return
d95d1559	64
57f6896f C	65	const body: AbuseCreate = req.body
	66
	67	if (body.video?.id && !await doesVideoExist(body.video.id, res)) return
	68	if (body.account?.id && !await doesAccountIdExist(body.account.id, res)) return
	69	if (body.comment?.id && !await doesCommentIdExist(body.comment.id, res)) return
	70
	71	if (!body.video?.id && !body.account?.id && !body.comment?.id) {
76148b27	72	res.fail({ message: 'video id or account id or comment id is required.' })
57f6896f C	73	return
57f6896f C	74	}
d95d1559 C	75
	76	return next()
	77	}
	78	]
	79
	80	const abuseGetValidator = [
d95d1559 C	81	param('id').custom(isIdValid).not().isEmpty().withMessage('Should have a valid id'),
	82
	83	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
	84	logger.debug('Checking abuseGetValidator parameters', { parameters: req.body })
	85
	86	if (areValidationErrors(req, res)) return
57f6896f	87	if (!await doesAbuseExist(req.params.id, res)) return
d95d1559 C	88
	89	return next()
	90	}
	91	]
	92
	93	const abuseUpdateValidator = [
d95d1559	94	param('id').custom(isIdValid).not().isEmpty().withMessage('Should have a valid id'),
57f6896f	95
d95d1559 C	96	body('state')
d95d1559 C	97	.optional()
57f6896f	98	.custom(isAbuseStateValid).withMessage('Should have a valid abuse state'),
d95d1559 C	99	body('moderationComment')
d95d1559 C	100	.optional()
57f6896f	101	.custom(isAbuseModerationCommentValid).withMessage('Should have a valid moderation comment'),
d95d1559 C	102
	103	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
	104	logger.debug('Checking abuseUpdateValidator parameters', { parameters: req.body })
	105
	106	if (areValidationErrors(req, res)) return
57f6896f	107	if (!await doesAbuseExist(req.params.id, res)) return
d95d1559 C	108
	109	return next()
	110	}
	111	]
	112
edbc9325	113	const abuseListForAdminsValidator = [
d95d1559 C	114	query('id')
	115	.optional()
	116	.custom(isIdValid).withMessage('Should have a valid id'),
57f6896f C	117	query('filter')
	118	.optional()
	119	.custom(isAbuseFilterValid)
	120	.withMessage('Should have a valid filter'),
d95d1559 C	121	query('predefinedReason')
	122	.optional()
	123	.custom(isAbusePredefinedReasonValid)
	124	.withMessage('Should have a valid predefinedReason'),
	125	query('search')
	126	.optional()
	127	.custom(exists).withMessage('Should have a valid search'),
	128	query('state')
	129	.optional()
310b5219	130	.custom(isAbuseStateValid).withMessage('Should have a valid abuse state'),
d95d1559 C	131	query('videoIs')
	132	.optional()
	133	.custom(isAbuseVideoIsValid).withMessage('Should have a valid "video is" attribute'),
	134	query('searchReporter')
	135	.optional()
	136	.custom(exists).withMessage('Should have a valid reporter search'),
	137	query('searchReportee')
	138	.optional()
	139	.custom(exists).withMessage('Should have a valid reportee search'),
	140	query('searchVideo')
	141	.optional()
	142	.custom(exists).withMessage('Should have a valid video search'),
	143	query('searchVideoChannel')
	144	.optional()
	145	.custom(exists).withMessage('Should have a valid video channel search'),
	146
	147	(req: express.Request, res: express.Response, next: express.NextFunction) => {
edbc9325	148	logger.debug('Checking abuseListForAdminsValidator parameters', { parameters: req.body })
d95d1559 C	149
	150	if (areValidationErrors(req, res)) return
	151
	152	return next()
	153	}
	154	]
	155
edbc9325 C	156	const abuseListForUserValidator = [
	157	query('id')
	158	.optional()
	159	.custom(isIdValid).withMessage('Should have a valid id'),
	160
	161	query('search')
	162	.optional()
	163	.custom(exists).withMessage('Should have a valid search'),
	164
	165	query('state')
	166	.optional()
	167	.custom(isAbuseStateValid).withMessage('Should have a valid abuse state'),
	168
	169	(req: express.Request, res: express.Response, next: express.NextFunction) => {
	170	logger.debug('Checking abuseListForUserValidator parameters', { parameters: req.body })
	171
	172	if (areValidationErrors(req, res)) return
	173
	174	return next()
	175	}
	176	]
	177
	178	const getAbuseValidator = [
	179	param('id').custom(isIdValid).not().isEmpty().withMessage('Should have a valid id'),
	180
	181	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
	182	logger.debug('Checking getAbuseValidator parameters', { parameters: req.body })
	183
	184	if (areValidationErrors(req, res)) return
	185	if (!await doesAbuseExist(req.params.id, res)) return
	186
	187	const user = res.locals.oauth.token.user
	188	const abuse = res.locals.abuse
	189
	190	if (user.hasRight(UserRight.MANAGE_ABUSES) !== true && abuse.reporterAccountId !== user.Account.id) {
	191	const message = `User ${user.username} does not have right to get abuse ${abuse.id}`
	192	logger.warn(message)
	193
76148b27 RK	194	return res.fail({
	195	status: HttpStatusCode.FORBIDDEN_403,
	196	message
	197	})
edbc9325 C	198	}
	199
	200	return next()
	201	}
	202	]
	203
94148c90 C	204	const checkAbuseValidForMessagesValidator = [
	205	(req: express.Request, res: express.Response, next: express.NextFunction) => {
	206	logger.debug('Checking checkAbuseValidForMessagesValidator parameters', { parameters: req.body })
	207
	208	const abuse = res.locals.abuse
	209	if (abuse.ReporterAccount.isOwned() === false) {
76148b27	210	return res.fail({ message: 'This abuse was created by a user of your instance.' })
94148c90 C	211	}
	212
	213	return next()
	214	}
	215	]
	216
edbc9325 C	217	const addAbuseMessageValidator = [
	218	body('message').custom(isAbuseMessageValid).not().isEmpty().withMessage('Should have a valid abuse message'),
	219
	220	(req: express.Request, res: express.Response, next: express.NextFunction) => {
	221	logger.debug('Checking addAbuseMessageValidator parameters', { parameters: req.body })
	222
	223	if (areValidationErrors(req, res)) return
	224
	225	return next()
	226	}
	227	]
	228
	229	const deleteAbuseMessageValidator = [
	230	param('messageId').custom(isIdValid).not().isEmpty().withMessage('Should have a valid message id'),
	231
	232	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
	233	logger.debug('Checking deleteAbuseMessageValidator parameters', { parameters: req.body })
	234
	235	if (areValidationErrors(req, res)) return
	236
	237	const user = res.locals.oauth.token.user
	238	const abuse = res.locals.abuse
	239
	240	const messageId = parseInt(req.params.messageId + '', 10)
	241	const abuseMessage = await AbuseMessageModel.loadByIdAndAbuseId(messageId, abuse.id)
	242
	243	if (!abuseMessage) {
76148b27 RK	244	return res.fail({
	245	status: HttpStatusCode.NOT_FOUND_404,
	246	message: 'Abuse message not found'
	247	})
edbc9325 C	248	}
	249
	250	if (user.hasRight(UserRight.MANAGE_ABUSES) !== true && abuseMessage.accountId !== user.Account.id) {
76148b27 RK	251	return res.fail({
	252	status: HttpStatusCode.FORBIDDEN_403,
	253	message: 'Cannot delete this abuse message'
	254	})
edbc9325 C	255	}
	256
	257	res.locals.abuseMessage = abuseMessage
	258
	259	return next()
	260	}
	261	]
	262
d95d1559 C	263	// ---------------------------------------------------------------------------
	264
	265	export {
edbc9325	266	abuseListForAdminsValidator,
d95d1559 C	267	abuseReportValidator,
d95d1559 C	268	abuseGetValidator,
edbc9325	269	addAbuseMessageValidator,
94148c90	270	checkAbuseValidForMessagesValidator,
d95d1559	271	abuseUpdateValidator,
edbc9325 C	272	deleteAbuseMessageValidator,
edbc9325 C	273	abuseListForUserValidator,
7a4ea932	274	getAbuseValidator
d95d1559	275	}