[github/Chocobozzz/PeerTube.git] / server / middlewares / validators / abuse.ts

import * as express from 'express'
import { body, param, query } from 'express-validator'
import {
  areAbusePredefinedReasonsValid,
  isAbuseFilterValid,
  isAbuseMessageValid,
  isAbuseModerationCommentValid,
  isAbusePredefinedReasonValid,
  isAbuseReasonValid,
  isAbuseStateValid,
  isAbuseTimestampCoherent,
  isAbuseTimestampValid,
  isAbuseVideoIsValid
} from '@server/helpers/custom-validators/abuses'
import { exists, isIdOrUUIDValid, isIdValid, toIntOrNull } from '@server/helpers/custom-validators/misc'
import { doesCommentIdExist } from '@server/helpers/custom-validators/video-comments'
import { logger } from '@server/helpers/logger'
import { doesAbuseExist, doesAccountIdExist, doesVideoExist } from '@server/helpers/middlewares'
import { AbuseMessageModel } from '@server/models/abuse/abuse-message'
import { AbuseCreate, UserRight } from '@shared/models'
import { areValidationErrors } from './utils'

const abuseReportValidator = [
  body('account.id')
    .optional()
    .custom(isIdValid)
    .withMessage('Should have a valid accountId'),

  body('video.id')
    .optional()
    .custom(isIdOrUUIDValid)
    .withMessage('Should have a valid videoId'),
  body('video.startAt')
    .optional()
    .customSanitizer(toIntOrNull)
    .custom(isAbuseTimestampValid)
    .withMessage('Should have valid starting time value'),
  body('video.endAt')
    .optional()
    .customSanitizer(toIntOrNull)
    .custom(isAbuseTimestampValid)
    .withMessage('Should have valid ending time value')
    .bail()
    .custom(isAbuseTimestampCoherent)
    .withMessage('Should have a startAt timestamp beginning before endAt'),

  body('comment.id')
    .optional()
    .custom(isIdValid)
    .withMessage('Should have a valid commentId'),

  body('reason')
    .custom(isAbuseReasonValid)
    .withMessage('Should have a valid reason'),

  body('predefinedReasons')
    .optional()
    .custom(areAbusePredefinedReasonsValid)
    .withMessage('Should have a valid list of predefined reasons'),

  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking abuseReport parameters', { parameters: req.body })

    if (areValidationErrors(req, res)) return

    const body: AbuseCreate = req.body

    if (body.video?.id && !await doesVideoExist(body.video.id, res)) return
    if (body.account?.id && !await doesAccountIdExist(body.account.id, res)) return
    if (body.comment?.id && !await doesCommentIdExist(body.comment.id, res)) return

    if (!body.video?.id && !body.account?.id && !body.comment?.id) {
      res.status(400)
        .json({ error: 'video id or account id or comment id is required.' })

      return
    }

    return next()
  }
]

const abuseGetValidator = [
  param('id').custom(isIdValid).not().isEmpty().withMessage('Should have a valid id'),

  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking abuseGetValidator parameters', { parameters: req.body })

    if (areValidationErrors(req, res)) return
    if (!await doesAbuseExist(req.params.id, res)) return

    return next()
  }
]

const abuseUpdateValidator = [
  param('id').custom(isIdValid).not().isEmpty().withMessage('Should have a valid id'),

  body('state')
    .optional()
    .custom(isAbuseStateValid).withMessage('Should have a valid abuse state'),
  body('moderationComment')
    .optional()
    .custom(isAbuseModerationCommentValid).withMessage('Should have a valid moderation comment'),

  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking abuseUpdateValidator parameters', { parameters: req.body })

    if (areValidationErrors(req, res)) return
    if (!await doesAbuseExist(req.params.id, res)) return

    return next()
  }
]

const abuseListForAdminsValidator = [
  query('id')
    .optional()
    .custom(isIdValid).withMessage('Should have a valid id'),
  query('filter')
    .optional()
    .custom(isAbuseFilterValid)
    .withMessage('Should have a valid filter'),
  query('predefinedReason')
    .optional()
    .custom(isAbusePredefinedReasonValid)
    .withMessage('Should have a valid predefinedReason'),
  query('search')
    .optional()
    .custom(exists).withMessage('Should have a valid search'),
  query('state')
    .optional()
    .custom(isAbuseStateValid).withMessage('Should have a valid abuse state'),
  query('videoIs')
    .optional()
    .custom(isAbuseVideoIsValid).withMessage('Should have a valid "video is" attribute'),
  query('searchReporter')
    .optional()
    .custom(exists).withMessage('Should have a valid reporter search'),
  query('searchReportee')
    .optional()
    .custom(exists).withMessage('Should have a valid reportee search'),
  query('searchVideo')
    .optional()
    .custom(exists).withMessage('Should have a valid video search'),
  query('searchVideoChannel')
    .optional()
    .custom(exists).withMessage('Should have a valid video channel search'),

  (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking abuseListForAdminsValidator parameters', { parameters: req.body })

    if (areValidationErrors(req, res)) return

    return next()
  }
]

const abuseListForUserValidator = [
  query('id')
    .optional()
    .custom(isIdValid).withMessage('Should have a valid id'),

  query('search')
    .optional()
    .custom(exists).withMessage('Should have a valid search'),

  query('state')
    .optional()
    .custom(isAbuseStateValid).withMessage('Should have a valid abuse state'),

  (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking abuseListForUserValidator parameters', { parameters: req.body })

    if (areValidationErrors(req, res)) return

    return next()
  }
]

const getAbuseValidator = [
  param('id').custom(isIdValid).not().isEmpty().withMessage('Should have a valid id'),

  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking getAbuseValidator parameters', { parameters: req.body })

    if (areValidationErrors(req, res)) return
    if (!await doesAbuseExist(req.params.id, res)) return

    const user = res.locals.oauth.token.user
    const abuse = res.locals.abuse

    if (user.hasRight(UserRight.MANAGE_ABUSES) !== true && abuse.reporterAccountId !== user.Account.id) {
      const message = `User ${user.username} does not have right to get abuse ${abuse.id}`
      logger.warn(message)

      return res.status(403).json({ error: message })
    }

    return next()
  }
]

const checkAbuseValidForMessagesValidator = [
  (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking checkAbuseValidForMessagesValidator parameters', { parameters: req.body })

    const abuse = res.locals.abuse
    if (abuse.ReporterAccount.isOwned() === false) {
      return res.status(400).json({
        error: 'This abuse was created by a user of your instance.'
      })
    }

    return next()
  }
]

const addAbuseMessageValidator = [
  body('message').custom(isAbuseMessageValid).not().isEmpty().withMessage('Should have a valid abuse message'),

  (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking addAbuseMessageValidator parameters', { parameters: req.body })

    if (areValidationErrors(req, res)) return

    return next()
  }
]

const deleteAbuseMessageValidator = [
  param('messageId').custom(isIdValid).not().isEmpty().withMessage('Should have a valid message id'),

  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking deleteAbuseMessageValidator parameters', { parameters: req.body })

    if (areValidationErrors(req, res)) return

    const user = res.locals.oauth.token.user
    const abuse = res.locals.abuse

    const messageId = parseInt(req.params.messageId + '', 10)
    const abuseMessage = await AbuseMessageModel.loadByIdAndAbuseId(messageId, abuse.id)

    if (!abuseMessage) {
      return res.status(404).json({ error: 'Abuse message not found' })
    }

    if (user.hasRight(UserRight.MANAGE_ABUSES) !== true && abuseMessage.accountId !== user.Account.id) {
      return res.status(403).json({ error: 'Cannot delete this abuse message' })
    }

    res.locals.abuseMessage = abuseMessage

    return next()
  }
]

// ---------------------------------------------------------------------------

export {
  abuseListForAdminsValidator,
  abuseReportValidator,
  abuseGetValidator,
  addAbuseMessageValidator,
  checkAbuseValidForMessagesValidator,
  abuseUpdateValidator,
  deleteAbuseMessageValidator,
  abuseListForUserValidator,
  getAbuseValidator
}
Commit	Line	Data
d95d1559 C	1	import * as express from 'express'
	2	import { body, param, query } from 'express-validator'
	3	import {
7a4ea932	4	areAbusePredefinedReasonsValid,
57f6896f	5	isAbuseFilterValid,
edbc9325	6	isAbuseMessageValid,
d95d1559	7	isAbuseModerationCommentValid,
d95d1559 C	8	isAbusePredefinedReasonValid,
	9	isAbuseReasonValid,
	10	isAbuseStateValid,
	11	isAbuseTimestampCoherent,
	12	isAbuseTimestampValid,
	13	isAbuseVideoIsValid
	14	} from '@server/helpers/custom-validators/abuses'
	15	import { exists, isIdOrUUIDValid, isIdValid, toIntOrNull } from '@server/helpers/custom-validators/misc'
57f6896f	16	import { doesCommentIdExist } from '@server/helpers/custom-validators/video-comments'
d95d1559	17	import { logger } from '@server/helpers/logger'
7a4ea932	18	import { doesAbuseExist, doesAccountIdExist, doesVideoExist } from '@server/helpers/middlewares'
edbc9325 C	19	import { AbuseMessageModel } from '@server/models/abuse/abuse-message'
edbc9325 C	20	import { AbuseCreate, UserRight } from '@shared/models'
d95d1559 C	21	import { areValidationErrors } from './utils'
	22
	23	const abuseReportValidator = [
57f6896f C	24	body('account.id')
	25	.optional()
	26	.custom(isIdValid)
	27	.withMessage('Should have a valid accountId'),
	28
	29	body('video.id')
	30	.optional()
d95d1559	31	.custom(isIdOrUUIDValid)
d95d1559	32	.withMessage('Should have a valid videoId'),
57f6896f	33	body('video.startAt')
d95d1559 C	34	.optional()
	35	.customSanitizer(toIntOrNull)
	36	.custom(isAbuseTimestampValid)
	37	.withMessage('Should have valid starting time value'),
57f6896f	38	body('video.endAt')
d95d1559 C	39	.optional()
	40	.customSanitizer(toIntOrNull)
	41	.custom(isAbuseTimestampValid)
	42	.withMessage('Should have valid ending time value')
	43	.bail()
	44	.custom(isAbuseTimestampCoherent)
	45	.withMessage('Should have a startAt timestamp beginning before endAt'),
	46
57f6896f C	47	body('comment.id')
	48	.optional()
	49	.custom(isIdValid)
	50	.withMessage('Should have a valid commentId'),
	51
	52	body('reason')
	53	.custom(isAbuseReasonValid)
	54	.withMessage('Should have a valid reason'),
	55
	56	body('predefinedReasons')
	57	.optional()
edbc9325	58	.custom(areAbusePredefinedReasonsValid)
57f6896f C	59	.withMessage('Should have a valid list of predefined reasons'),
57f6896f C	60
d95d1559 C	61	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
	62	logger.debug('Checking abuseReport parameters', { parameters: req.body })
	63
	64	if (areValidationErrors(req, res)) return
d95d1559	65
57f6896f C	66	const body: AbuseCreate = req.body
	67
	68	if (body.video?.id && !await doesVideoExist(body.video.id, res)) return
	69	if (body.account?.id && !await doesAccountIdExist(body.account.id, res)) return
	70	if (body.comment?.id && !await doesCommentIdExist(body.comment.id, res)) return
	71
	72	if (!body.video?.id && !body.account?.id && !body.comment?.id) {
	73	res.status(400)
	74	.json({ error: 'video id or account id or comment id is required.' })
	75
	76	return
	77	}
d95d1559 C	78
	79	return next()
	80	}
	81	]
	82
	83	const abuseGetValidator = [
d95d1559 C	84	param('id').custom(isIdValid).not().isEmpty().withMessage('Should have a valid id'),
	85
	86	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
	87	logger.debug('Checking abuseGetValidator parameters', { parameters: req.body })
	88
	89	if (areValidationErrors(req, res)) return
57f6896f	90	if (!await doesAbuseExist(req.params.id, res)) return
d95d1559 C	91
	92	return next()
	93	}
	94	]
	95
	96	const abuseUpdateValidator = [
d95d1559	97	param('id').custom(isIdValid).not().isEmpty().withMessage('Should have a valid id'),
57f6896f	98
d95d1559 C	99	body('state')
d95d1559 C	100	.optional()
57f6896f	101	.custom(isAbuseStateValid).withMessage('Should have a valid abuse state'),
d95d1559 C	102	body('moderationComment')
d95d1559 C	103	.optional()
57f6896f	104	.custom(isAbuseModerationCommentValid).withMessage('Should have a valid moderation comment'),
d95d1559 C	105
	106	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
	107	logger.debug('Checking abuseUpdateValidator parameters', { parameters: req.body })
	108
	109	if (areValidationErrors(req, res)) return
57f6896f	110	if (!await doesAbuseExist(req.params.id, res)) return
d95d1559 C	111
	112	return next()
	113	}
	114	]
	115
edbc9325	116	const abuseListForAdminsValidator = [
d95d1559 C	117	query('id')
	118	.optional()
	119	.custom(isIdValid).withMessage('Should have a valid id'),
57f6896f C	120	query('filter')
	121	.optional()
	122	.custom(isAbuseFilterValid)
	123	.withMessage('Should have a valid filter'),
d95d1559 C	124	query('predefinedReason')
	125	.optional()
	126	.custom(isAbusePredefinedReasonValid)
	127	.withMessage('Should have a valid predefinedReason'),
	128	query('search')
	129	.optional()
	130	.custom(exists).withMessage('Should have a valid search'),
	131	query('state')
	132	.optional()
310b5219	133	.custom(isAbuseStateValid).withMessage('Should have a valid abuse state'),
d95d1559 C	134	query('videoIs')
	135	.optional()
	136	.custom(isAbuseVideoIsValid).withMessage('Should have a valid "video is" attribute'),
	137	query('searchReporter')
	138	.optional()
	139	.custom(exists).withMessage('Should have a valid reporter search'),
	140	query('searchReportee')
	141	.optional()
	142	.custom(exists).withMessage('Should have a valid reportee search'),
	143	query('searchVideo')
	144	.optional()
	145	.custom(exists).withMessage('Should have a valid video search'),
	146	query('searchVideoChannel')
	147	.optional()
	148	.custom(exists).withMessage('Should have a valid video channel search'),
	149
	150	(req: express.Request, res: express.Response, next: express.NextFunction) => {
edbc9325	151	logger.debug('Checking abuseListForAdminsValidator parameters', { parameters: req.body })
d95d1559 C	152
	153	if (areValidationErrors(req, res)) return
	154
	155	return next()
	156	}
	157	]
	158
edbc9325 C	159	const abuseListForUserValidator = [
	160	query('id')
	161	.optional()
	162	.custom(isIdValid).withMessage('Should have a valid id'),
	163
	164	query('search')
	165	.optional()
	166	.custom(exists).withMessage('Should have a valid search'),
	167
	168	query('state')
	169	.optional()
	170	.custom(isAbuseStateValid).withMessage('Should have a valid abuse state'),
	171
	172	(req: express.Request, res: express.Response, next: express.NextFunction) => {
	173	logger.debug('Checking abuseListForUserValidator parameters', { parameters: req.body })
	174
	175	if (areValidationErrors(req, res)) return
	176
	177	return next()
	178	}
	179	]
	180
	181	const getAbuseValidator = [
	182	param('id').custom(isIdValid).not().isEmpty().withMessage('Should have a valid id'),
	183
	184	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
	185	logger.debug('Checking getAbuseValidator parameters', { parameters: req.body })
	186
	187	if (areValidationErrors(req, res)) return
	188	if (!await doesAbuseExist(req.params.id, res)) return
	189
	190	const user = res.locals.oauth.token.user
	191	const abuse = res.locals.abuse
	192
	193	if (user.hasRight(UserRight.MANAGE_ABUSES) !== true && abuse.reporterAccountId !== user.Account.id) {
	194	const message = `User ${user.username} does not have right to get abuse ${abuse.id}`
	195	logger.warn(message)
	196
	197	return res.status(403).json({ error: message })
	198	}
	199
	200	return next()
	201	}
	202	]
	203
94148c90 C	204	const checkAbuseValidForMessagesValidator = [
	205	(req: express.Request, res: express.Response, next: express.NextFunction) => {
	206	logger.debug('Checking checkAbuseValidForMessagesValidator parameters', { parameters: req.body })
	207
	208	const abuse = res.locals.abuse
	209	if (abuse.ReporterAccount.isOwned() === false) {
	210	return res.status(400).json({
668b7f09	211	error: 'This abuse was created by a user of your instance.'
94148c90 C	212	})
	213	}
	214
	215	return next()
	216	}
	217	]
	218
edbc9325 C	219	const addAbuseMessageValidator = [
	220	body('message').custom(isAbuseMessageValid).not().isEmpty().withMessage('Should have a valid abuse message'),
	221
	222	(req: express.Request, res: express.Response, next: express.NextFunction) => {
	223	logger.debug('Checking addAbuseMessageValidator parameters', { parameters: req.body })
	224
	225	if (areValidationErrors(req, res)) return
	226
	227	return next()
	228	}
	229	]
	230
	231	const deleteAbuseMessageValidator = [
	232	param('messageId').custom(isIdValid).not().isEmpty().withMessage('Should have a valid message id'),
	233
	234	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
	235	logger.debug('Checking deleteAbuseMessageValidator parameters', { parameters: req.body })
	236
	237	if (areValidationErrors(req, res)) return
	238
	239	const user = res.locals.oauth.token.user
	240	const abuse = res.locals.abuse
	241
	242	const messageId = parseInt(req.params.messageId + '', 10)
	243	const abuseMessage = await AbuseMessageModel.loadByIdAndAbuseId(messageId, abuse.id)
	244
	245	if (!abuseMessage) {
	246	return res.status(404).json({ error: 'Abuse message not found' })
	247	}
	248
	249	if (user.hasRight(UserRight.MANAGE_ABUSES) !== true && abuseMessage.accountId !== user.Account.id) {
	250	return res.status(403).json({ error: 'Cannot delete this abuse message' })
	251	}
	252
	253	res.locals.abuseMessage = abuseMessage
	254
	255	return next()
	256	}
	257	]
	258
d95d1559 C	259	// ---------------------------------------------------------------------------
	260
	261	export {
edbc9325	262	abuseListForAdminsValidator,
d95d1559 C	263	abuseReportValidator,
d95d1559 C	264	abuseGetValidator,
edbc9325	265	addAbuseMessageValidator,
94148c90	266	checkAbuseValidForMessagesValidator,
d95d1559	267	abuseUpdateValidator,
edbc9325 C	268	deleteAbuseMessageValidator,
edbc9325 C	269	abuseListForUserValidator,
7a4ea932	270	getAbuseValidator
d95d1559	271	}