[github/Chocobozzz/PeerTube.git] / server / middlewares / validators / abuse.ts

import express from 'express'
import { body, param, query } from 'express-validator'
import {
  areAbusePredefinedReasonsValid,
  isAbuseFilterValid,
  isAbuseMessageValid,
  isAbuseModerationCommentValid,
  isAbusePredefinedReasonValid,
  isAbuseReasonValid,
  isAbuseStateValid,
  isAbuseTimestampCoherent,
  isAbuseTimestampValid,
  isAbuseVideoIsValid
} from '@server/helpers/custom-validators/abuses'
import { exists, isIdOrUUIDValid, isIdValid, toCompleteUUID, toIntOrNull } from '@server/helpers/custom-validators/misc'
import { logger } from '@server/helpers/logger'
import { AbuseMessageModel } from '@server/models/abuse/abuse-message'
import { AbuseCreate, UserRight } from '@shared/models'
import { HttpStatusCode } from '../../../shared/models/http/http-error-codes'
import { areValidationErrors, doesAbuseExist, doesAccountIdExist, doesCommentIdExist, doesVideoExist } from './shared'

const abuseReportValidator = [
  body('account.id')
    .optional()
    .custom(isIdValid),

  body('video.id')
    .optional()
    .customSanitizer(toCompleteUUID)
    .custom(isIdOrUUIDValid),
  body('video.startAt')
    .optional()
    .customSanitizer(toIntOrNull)
    .custom(isAbuseTimestampValid),
  body('video.endAt')
    .optional()
    .customSanitizer(toIntOrNull)
    .custom(isAbuseTimestampValid)
    .bail()
    .custom(isAbuseTimestampCoherent)
    .withMessage('Should have a startAt timestamp beginning before endAt'),

  body('comment.id')
    .optional()
    .custom(isIdValid),

  body('reason')
    .custom(isAbuseReasonValid),

  body('predefinedReasons')
    .optional()
    .custom(areAbusePredefinedReasonsValid),

  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    if (areValidationErrors(req, res)) return

    const body: AbuseCreate = req.body

    if (body.video?.id && !await doesVideoExist(body.video.id, res)) return
    if (body.account?.id && !await doesAccountIdExist(body.account.id, res)) return
    if (body.comment?.id && !await doesCommentIdExist(body.comment.id, res)) return

    if (!body.video?.id && !body.account?.id && !body.comment?.id) {
      res.fail({ message: 'video id or account id or comment id is required.' })
      return
    }

    return next()
  }
]

const abuseGetValidator = [
  param('id')
    .custom(isIdValid),

  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    if (areValidationErrors(req, res)) return
    if (!await doesAbuseExist(req.params.id, res)) return

    return next()
  }
]

const abuseUpdateValidator = [
  param('id')
    .custom(isIdValid),

  body('state')
    .optional()
    .custom(isAbuseStateValid),
  body('moderationComment')
    .optional()
    .custom(isAbuseModerationCommentValid),

  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    if (areValidationErrors(req, res)) return
    if (!await doesAbuseExist(req.params.id, res)) return

    return next()
  }
]

const abuseListForAdminsValidator = [
  query('id')
    .optional()
    .custom(isIdValid),
  query('filter')
    .optional()
    .custom(isAbuseFilterValid),
  query('predefinedReason')
    .optional()
    .custom(isAbusePredefinedReasonValid),
  query('search')
    .optional()
    .custom(exists),
  query('state')
    .optional()
    .custom(isAbuseStateValid),
  query('videoIs')
    .optional()
    .custom(isAbuseVideoIsValid),
  query('searchReporter')
    .optional()
    .custom(exists),
  query('searchReportee')
    .optional()
    .custom(exists),
  query('searchVideo')
    .optional()
    .custom(exists),
  query('searchVideoChannel')
    .optional()
    .custom(exists),

  (req: express.Request, res: express.Response, next: express.NextFunction) => {
    if (areValidationErrors(req, res)) return

    return next()
  }
]

const abuseListForUserValidator = [
  query('id')
    .optional()
    .custom(isIdValid),

  query('search')
    .optional()
    .custom(exists),

  query('state')
    .optional()
    .custom(isAbuseStateValid),

  (req: express.Request, res: express.Response, next: express.NextFunction) => {
    if (areValidationErrors(req, res)) return

    return next()
  }
]

const getAbuseValidator = [
  param('id')
    .custom(isIdValid),

  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    if (areValidationErrors(req, res)) return
    if (!await doesAbuseExist(req.params.id, res)) return

    const user = res.locals.oauth.token.user
    const abuse = res.locals.abuse

    if (user.hasRight(UserRight.MANAGE_ABUSES) !== true && abuse.reporterAccountId !== user.Account.id) {
      const message = `User ${user.username} does not have right to get abuse ${abuse.id}`
      logger.warn(message)

      return res.fail({
        status: HttpStatusCode.FORBIDDEN_403,
        message
      })
    }

    return next()
  }
]

const checkAbuseValidForMessagesValidator = [
  (req: express.Request, res: express.Response, next: express.NextFunction) => {
    const abuse = res.locals.abuse
    if (abuse.ReporterAccount.isOwned() === false) {
      return res.fail({ message: 'This abuse was created by a user of your instance.' })
    }

    return next()
  }
]

const addAbuseMessageValidator = [
  body('message')
    .custom(isAbuseMessageValid),

  (req: express.Request, res: express.Response, next: express.NextFunction) => {
    if (areValidationErrors(req, res)) return

    return next()
  }
]

const deleteAbuseMessageValidator = [
  param('messageId')
    .custom(isIdValid),

  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    if (areValidationErrors(req, res)) return

    const user = res.locals.oauth.token.user
    const abuse = res.locals.abuse

    const messageId = parseInt(req.params.messageId + '', 10)
    const abuseMessage = await AbuseMessageModel.loadByIdAndAbuseId(messageId, abuse.id)

    if (!abuseMessage) {
      return res.fail({
        status: HttpStatusCode.NOT_FOUND_404,
        message: 'Abuse message not found'
      })
    }

    if (user.hasRight(UserRight.MANAGE_ABUSES) !== true && abuseMessage.accountId !== user.Account.id) {
      return res.fail({
        status: HttpStatusCode.FORBIDDEN_403,
        message: 'Cannot delete this abuse message'
      })
    }

    res.locals.abuseMessage = abuseMessage

    return next()
  }
]

// ---------------------------------------------------------------------------

export {
  abuseListForAdminsValidator,
  abuseReportValidator,
  abuseGetValidator,
  addAbuseMessageValidator,
  checkAbuseValidForMessagesValidator,
  abuseUpdateValidator,
  deleteAbuseMessageValidator,
  abuseListForUserValidator,
  getAbuseValidator
}
Commit	Line	Data
41fb13c3	1	import express from 'express'
d95d1559 C	2	import { body, param, query } from 'express-validator'
d95d1559 C	3	import {
7a4ea932	4	areAbusePredefinedReasonsValid,
57f6896f	5	isAbuseFilterValid,
edbc9325	6	isAbuseMessageValid,
d95d1559	7	isAbuseModerationCommentValid,
d95d1559 C	8	isAbusePredefinedReasonValid,
	9	isAbuseReasonValid,
	10	isAbuseStateValid,
	11	isAbuseTimestampCoherent,
	12	isAbuseTimestampValid,
	13	isAbuseVideoIsValid
	14	} from '@server/helpers/custom-validators/abuses'
d4a8e7a6	15	import { exists, isIdOrUUIDValid, isIdValid, toCompleteUUID, toIntOrNull } from '@server/helpers/custom-validators/misc'
d95d1559	16	import { logger } from '@server/helpers/logger'
edbc9325 C	17	import { AbuseMessageModel } from '@server/models/abuse/abuse-message'
edbc9325 C	18	import { AbuseCreate, UserRight } from '@shared/models'
c0e8b12e	19	import { HttpStatusCode } from '../../../shared/models/http/http-error-codes'
10363c74	20	import { areValidationErrors, doesAbuseExist, doesAccountIdExist, doesCommentIdExist, doesVideoExist } from './shared'
d95d1559 C	21
d95d1559 C	22	const abuseReportValidator = [
57f6896f C	23	body('account.id')
57f6896f C	24	.optional()
396f6f01	25	.custom(isIdValid),
57f6896f C	26
	27	body('video.id')
	28	.optional()
d4a8e7a6	29	.customSanitizer(toCompleteUUID)
396f6f01	30	.custom(isIdOrUUIDValid),
57f6896f	31	body('video.startAt')
d95d1559 C	32	.optional()
d95d1559 C	33	.customSanitizer(toIntOrNull)
396f6f01	34	.custom(isAbuseTimestampValid),
57f6896f	35	body('video.endAt')
d95d1559 C	36	.optional()
	37	.customSanitizer(toIntOrNull)
	38	.custom(isAbuseTimestampValid)
d95d1559 C	39	.bail()
	40	.custom(isAbuseTimestampCoherent)
	41	.withMessage('Should have a startAt timestamp beginning before endAt'),
	42
57f6896f C	43	body('comment.id')
57f6896f C	44	.optional()
396f6f01	45	.custom(isIdValid),
57f6896f C	46
57f6896f C	47	body('reason')
396f6f01	48	.custom(isAbuseReasonValid),
57f6896f C	49
	50	body('predefinedReasons')
	51	.optional()
396f6f01	52	.custom(areAbusePredefinedReasonsValid),
57f6896f	53
d95d1559	54	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
d95d1559	55	if (areValidationErrors(req, res)) return
d95d1559	56
57f6896f C	57	const body: AbuseCreate = req.body
	58
	59	if (body.video?.id && !await doesVideoExist(body.video.id, res)) return
	60	if (body.account?.id && !await doesAccountIdExist(body.account.id, res)) return
	61	if (body.comment?.id && !await doesCommentIdExist(body.comment.id, res)) return
	62
	63	if (!body.video?.id && !body.account?.id && !body.comment?.id) {
76148b27	64	res.fail({ message: 'video id or account id or comment id is required.' })
57f6896f C	65	return
57f6896f C	66	}
d95d1559 C	67
	68	return next()
	69	}
	70	]
	71
	72	const abuseGetValidator = [
396f6f01 C	73	param('id')
396f6f01 C	74	.custom(isIdValid),
d95d1559 C	75
d95d1559 C	76	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
d95d1559	77	if (areValidationErrors(req, res)) return
57f6896f	78	if (!await doesAbuseExist(req.params.id, res)) return
d95d1559 C	79
	80	return next()
	81	}
	82	]
	83
	84	const abuseUpdateValidator = [
396f6f01 C	85	param('id')
396f6f01 C	86	.custom(isIdValid),
57f6896f	87
d95d1559 C	88	body('state')
d95d1559 C	89	.optional()
396f6f01	90	.custom(isAbuseStateValid),
d95d1559 C	91	body('moderationComment')
d95d1559 C	92	.optional()
396f6f01	93	.custom(isAbuseModerationCommentValid),
d95d1559 C	94
d95d1559 C	95	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
d95d1559	96	if (areValidationErrors(req, res)) return
57f6896f	97	if (!await doesAbuseExist(req.params.id, res)) return
d95d1559 C	98
	99	return next()
	100	}
	101	]
	102
edbc9325	103	const abuseListForAdminsValidator = [
d95d1559 C	104	query('id')
d95d1559 C	105	.optional()
396f6f01	106	.custom(isIdValid),
57f6896f C	107	query('filter')
57f6896f C	108	.optional()
396f6f01	109	.custom(isAbuseFilterValid),
d95d1559 C	110	query('predefinedReason')
d95d1559 C	111	.optional()
396f6f01	112	.custom(isAbusePredefinedReasonValid),
d95d1559 C	113	query('search')
d95d1559 C	114	.optional()
396f6f01	115	.custom(exists),
d95d1559 C	116	query('state')
d95d1559 C	117	.optional()
396f6f01	118	.custom(isAbuseStateValid),
d95d1559 C	119	query('videoIs')
d95d1559 C	120	.optional()
396f6f01	121	.custom(isAbuseVideoIsValid),
d95d1559 C	122	query('searchReporter')
d95d1559 C	123	.optional()
396f6f01	124	.custom(exists),
d95d1559 C	125	query('searchReportee')
d95d1559 C	126	.optional()
396f6f01	127	.custom(exists),
d95d1559 C	128	query('searchVideo')
d95d1559 C	129	.optional()
396f6f01	130	.custom(exists),
d95d1559 C	131	query('searchVideoChannel')
d95d1559 C	132	.optional()
396f6f01	133	.custom(exists),
d95d1559 C	134
d95d1559 C	135	(req: express.Request, res: express.Response, next: express.NextFunction) => {
d95d1559 C	136	if (areValidationErrors(req, res)) return
	137
	138	return next()
	139	}
	140	]
	141
edbc9325 C	142	const abuseListForUserValidator = [
	143	query('id')
	144	.optional()
396f6f01	145	.custom(isIdValid),
edbc9325 C	146
	147	query('search')
	148	.optional()
396f6f01	149	.custom(exists),
edbc9325 C	150
	151	query('state')
	152	.optional()
396f6f01	153	.custom(isAbuseStateValid),
edbc9325 C	154
edbc9325 C	155	(req: express.Request, res: express.Response, next: express.NextFunction) => {
edbc9325 C	156	if (areValidationErrors(req, res)) return
	157
	158	return next()
	159	}
	160	]
	161
	162	const getAbuseValidator = [
396f6f01 C	163	param('id')
396f6f01 C	164	.custom(isIdValid),
edbc9325 C	165
edbc9325 C	166	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
edbc9325 C	167	if (areValidationErrors(req, res)) return
	168	if (!await doesAbuseExist(req.params.id, res)) return
	169
	170	const user = res.locals.oauth.token.user
	171	const abuse = res.locals.abuse
	172
	173	if (user.hasRight(UserRight.MANAGE_ABUSES) !== true && abuse.reporterAccountId !== user.Account.id) {
	174	const message = `User ${user.username} does not have right to get abuse ${abuse.id}`
	175	logger.warn(message)
	176
76148b27 RK	177	return res.fail({
	178	status: HttpStatusCode.FORBIDDEN_403,
	179	message
	180	})
edbc9325 C	181	}
	182
	183	return next()
	184	}
	185	]
	186
94148c90 C	187	const checkAbuseValidForMessagesValidator = [
94148c90 C	188	(req: express.Request, res: express.Response, next: express.NextFunction) => {
94148c90 C	189	const abuse = res.locals.abuse
94148c90 C	190	if (abuse.ReporterAccount.isOwned() === false) {
76148b27	191	return res.fail({ message: 'This abuse was created by a user of your instance.' })
94148c90 C	192	}
	193
	194	return next()
	195	}
	196	]
	197
edbc9325	198	const addAbuseMessageValidator = [
396f6f01 C	199	body('message')
396f6f01 C	200	.custom(isAbuseMessageValid),
edbc9325 C	201
edbc9325 C	202	(req: express.Request, res: express.Response, next: express.NextFunction) => {
edbc9325 C	203	if (areValidationErrors(req, res)) return
	204
	205	return next()
	206	}
	207	]
	208
	209	const deleteAbuseMessageValidator = [
396f6f01 C	210	param('messageId')
396f6f01 C	211	.custom(isIdValid),
edbc9325 C	212
edbc9325 C	213	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
edbc9325 C	214	if (areValidationErrors(req, res)) return
	215
	216	const user = res.locals.oauth.token.user
	217	const abuse = res.locals.abuse
	218
	219	const messageId = parseInt(req.params.messageId + '', 10)
	220	const abuseMessage = await AbuseMessageModel.loadByIdAndAbuseId(messageId, abuse.id)
	221
	222	if (!abuseMessage) {
76148b27 RK	223	return res.fail({
	224	status: HttpStatusCode.NOT_FOUND_404,
	225	message: 'Abuse message not found'
	226	})
edbc9325 C	227	}
	228
	229	if (user.hasRight(UserRight.MANAGE_ABUSES) !== true && abuseMessage.accountId !== user.Account.id) {
76148b27 RK	230	return res.fail({
	231	status: HttpStatusCode.FORBIDDEN_403,
	232	message: 'Cannot delete this abuse message'
	233	})
edbc9325 C	234	}
	235
	236	res.locals.abuseMessage = abuseMessage
	237
	238	return next()
	239	}
	240	]
	241
d95d1559 C	242	// ---------------------------------------------------------------------------
	243
	244	export {
edbc9325	245	abuseListForAdminsValidator,
d95d1559 C	246	abuseReportValidator,
d95d1559 C	247	abuseGetValidator,
edbc9325	248	addAbuseMessageValidator,
94148c90	249	checkAbuseValidForMessagesValidator,
d95d1559	250	abuseUpdateValidator,
edbc9325 C	251	deleteAbuseMessageValidator,
edbc9325 C	252	abuseListForUserValidator,
7a4ea932	253	getAbuseValidator
d95d1559	254	}