[github/Chocobozzz/PeerTube.git] / server / middlewares / validators / abuse.ts

import express from 'express'
import { body, param, query } from 'express-validator'
import {
  areAbusePredefinedReasonsValid,
  isAbuseFilterValid,
  isAbuseMessageValid,
  isAbuseModerationCommentValid,
  isAbusePredefinedReasonValid,
  isAbuseReasonValid,
  isAbuseStateValid,
  isAbuseTimestampCoherent,
  isAbuseTimestampValid,
  isAbuseVideoIsValid
} from '@server/helpers/custom-validators/abuses'
import { exists, isIdOrUUIDValid, isIdValid, toCompleteUUID, toIntOrNull } from '@server/helpers/custom-validators/misc'
import { logger } from '@server/helpers/logger'
import { AbuseMessageModel } from '@server/models/abuse/abuse-message'
import { AbuseCreate, UserRight } from '@shared/models'
import { HttpStatusCode } from '../../../shared/models/http/http-error-codes'
import { areValidationErrors, doesAbuseExist, doesAccountIdExist, doesCommentIdExist, doesVideoExist } from './shared'

const abuseReportValidator = [
  body('account.id')
    .optional()
    .custom(isIdValid),

  body('video.id')
    .optional()
    .customSanitizer(toCompleteUUID)
    .custom(isIdOrUUIDValid),
  body('video.startAt')
    .optional()
    .customSanitizer(toIntOrNull)
    .custom(isAbuseTimestampValid),
  body('video.endAt')
    .optional()
    .customSanitizer(toIntOrNull)
    .custom(isAbuseTimestampValid)
    .bail()
    .custom(isAbuseTimestampCoherent)
    .withMessage('Should have a startAt timestamp beginning before endAt'),

  body('comment.id')
    .optional()
    .custom(isIdValid),

  body('reason')
    .custom(isAbuseReasonValid),

  body('predefinedReasons')
    .optional()
    .custom(areAbusePredefinedReasonsValid),

  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking abuseReport parameters', { parameters: req.body })

    if (areValidationErrors(req, res)) return

    const body: AbuseCreate = req.body

    if (body.video?.id && !await doesVideoExist(body.video.id, res)) return
    if (body.account?.id && !await doesAccountIdExist(body.account.id, res)) return
    if (body.comment?.id && !await doesCommentIdExist(body.comment.id, res)) return

    if (!body.video?.id && !body.account?.id && !body.comment?.id) {
      res.fail({ message: 'video id or account id or comment id is required.' })
      return
    }

    return next()
  }
]

const abuseGetValidator = [
  param('id')
    .custom(isIdValid),

  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking abuseGetValidator parameters', { parameters: req.body })

    if (areValidationErrors(req, res)) return
    if (!await doesAbuseExist(req.params.id, res)) return

    return next()
  }
]

const abuseUpdateValidator = [
  param('id')
    .custom(isIdValid),

  body('state')
    .optional()
    .custom(isAbuseStateValid),
  body('moderationComment')
    .optional()
    .custom(isAbuseModerationCommentValid),

  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking abuseUpdateValidator parameters', { parameters: req.body })

    if (areValidationErrors(req, res)) return
    if (!await doesAbuseExist(req.params.id, res)) return

    return next()
  }
]

const abuseListForAdminsValidator = [
  query('id')
    .optional()
    .custom(isIdValid),
  query('filter')
    .optional()
    .custom(isAbuseFilterValid),
  query('predefinedReason')
    .optional()
    .custom(isAbusePredefinedReasonValid),
  query('search')
    .optional()
    .custom(exists),
  query('state')
    .optional()
    .custom(isAbuseStateValid),
  query('videoIs')
    .optional()
    .custom(isAbuseVideoIsValid),
  query('searchReporter')
    .optional()
    .custom(exists),
  query('searchReportee')
    .optional()
    .custom(exists),
  query('searchVideo')
    .optional()
    .custom(exists),
  query('searchVideoChannel')
    .optional()
    .custom(exists),

  (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking abuseListForAdminsValidator parameters', { parameters: req.body })

    if (areValidationErrors(req, res)) return

    return next()
  }
]

const abuseListForUserValidator = [
  query('id')
    .optional()
    .custom(isIdValid),

  query('search')
    .optional()
    .custom(exists),

  query('state')
    .optional()
    .custom(isAbuseStateValid),

  (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking abuseListForUserValidator parameters', { parameters: req.body })

    if (areValidationErrors(req, res)) return

    return next()
  }
]

const getAbuseValidator = [
  param('id')
    .custom(isIdValid),

  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking getAbuseValidator parameters', { parameters: req.body })

    if (areValidationErrors(req, res)) return
    if (!await doesAbuseExist(req.params.id, res)) return

    const user = res.locals.oauth.token.user
    const abuse = res.locals.abuse

    if (user.hasRight(UserRight.MANAGE_ABUSES) !== true && abuse.reporterAccountId !== user.Account.id) {
      const message = `User ${user.username} does not have right to get abuse ${abuse.id}`
      logger.warn(message)

      return res.fail({
        status: HttpStatusCode.FORBIDDEN_403,
        message
      })
    }

    return next()
  }
]

const checkAbuseValidForMessagesValidator = [
  (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking checkAbuseValidForMessagesValidator parameters', { parameters: req.body })

    const abuse = res.locals.abuse
    if (abuse.ReporterAccount.isOwned() === false) {
      return res.fail({ message: 'This abuse was created by a user of your instance.' })
    }

    return next()
  }
]

const addAbuseMessageValidator = [
  body('message')
    .custom(isAbuseMessageValid),

  (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking addAbuseMessageValidator parameters', { parameters: req.body })

    if (areValidationErrors(req, res)) return

    return next()
  }
]

const deleteAbuseMessageValidator = [
  param('messageId')
    .custom(isIdValid),

  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking deleteAbuseMessageValidator parameters', { parameters: req.body })

    if (areValidationErrors(req, res)) return

    const user = res.locals.oauth.token.user
    const abuse = res.locals.abuse

    const messageId = parseInt(req.params.messageId + '', 10)
    const abuseMessage = await AbuseMessageModel.loadByIdAndAbuseId(messageId, abuse.id)

    if (!abuseMessage) {
      return res.fail({
        status: HttpStatusCode.NOT_FOUND_404,
        message: 'Abuse message not found'
      })
    }

    if (user.hasRight(UserRight.MANAGE_ABUSES) !== true && abuseMessage.accountId !== user.Account.id) {
      return res.fail({
        status: HttpStatusCode.FORBIDDEN_403,
        message: 'Cannot delete this abuse message'
      })
    }

    res.locals.abuseMessage = abuseMessage

    return next()
  }
]

// ---------------------------------------------------------------------------

export {
  abuseListForAdminsValidator,
  abuseReportValidator,
  abuseGetValidator,
  addAbuseMessageValidator,
  checkAbuseValidForMessagesValidator,
  abuseUpdateValidator,
  deleteAbuseMessageValidator,
  abuseListForUserValidator,
  getAbuseValidator
}
Commit	Line	Data
41fb13c3	1	import express from 'express'
d95d1559 C	2	import { body, param, query } from 'express-validator'
d95d1559 C	3	import {
7a4ea932	4	areAbusePredefinedReasonsValid,
57f6896f	5	isAbuseFilterValid,
edbc9325	6	isAbuseMessageValid,
d95d1559	7	isAbuseModerationCommentValid,
d95d1559 C	8	isAbusePredefinedReasonValid,
	9	isAbuseReasonValid,
	10	isAbuseStateValid,
	11	isAbuseTimestampCoherent,
	12	isAbuseTimestampValid,
	13	isAbuseVideoIsValid
	14	} from '@server/helpers/custom-validators/abuses'
d4a8e7a6	15	import { exists, isIdOrUUIDValid, isIdValid, toCompleteUUID, toIntOrNull } from '@server/helpers/custom-validators/misc'
d95d1559	16	import { logger } from '@server/helpers/logger'
edbc9325 C	17	import { AbuseMessageModel } from '@server/models/abuse/abuse-message'
edbc9325 C	18	import { AbuseCreate, UserRight } from '@shared/models'
c0e8b12e	19	import { HttpStatusCode } from '../../../shared/models/http/http-error-codes'
10363c74	20	import { areValidationErrors, doesAbuseExist, doesAccountIdExist, doesCommentIdExist, doesVideoExist } from './shared'
d95d1559 C	21
d95d1559 C	22	const abuseReportValidator = [
57f6896f C	23	body('account.id')
57f6896f C	24	.optional()
396f6f01	25	.custom(isIdValid),
57f6896f C	26
	27	body('video.id')
	28	.optional()
d4a8e7a6	29	.customSanitizer(toCompleteUUID)
396f6f01	30	.custom(isIdOrUUIDValid),
57f6896f	31	body('video.startAt')
d95d1559 C	32	.optional()
d95d1559 C	33	.customSanitizer(toIntOrNull)
396f6f01	34	.custom(isAbuseTimestampValid),
57f6896f	35	body('video.endAt')
d95d1559 C	36	.optional()
	37	.customSanitizer(toIntOrNull)
	38	.custom(isAbuseTimestampValid)
d95d1559 C	39	.bail()
	40	.custom(isAbuseTimestampCoherent)
	41	.withMessage('Should have a startAt timestamp beginning before endAt'),
	42
57f6896f C	43	body('comment.id')
57f6896f C	44	.optional()
396f6f01	45	.custom(isIdValid),
57f6896f C	46
57f6896f C	47	body('reason')
396f6f01	48	.custom(isAbuseReasonValid),
57f6896f C	49
	50	body('predefinedReasons')
	51	.optional()
396f6f01	52	.custom(areAbusePredefinedReasonsValid),
57f6896f	53
d95d1559 C	54	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
	55	logger.debug('Checking abuseReport parameters', { parameters: req.body })
	56
	57	if (areValidationErrors(req, res)) return
d95d1559	58
57f6896f C	59	const body: AbuseCreate = req.body
	60
	61	if (body.video?.id && !await doesVideoExist(body.video.id, res)) return
	62	if (body.account?.id && !await doesAccountIdExist(body.account.id, res)) return
	63	if (body.comment?.id && !await doesCommentIdExist(body.comment.id, res)) return
	64
	65	if (!body.video?.id && !body.account?.id && !body.comment?.id) {
76148b27	66	res.fail({ message: 'video id or account id or comment id is required.' })
57f6896f C	67	return
57f6896f C	68	}
d95d1559 C	69
	70	return next()
	71	}
	72	]
	73
	74	const abuseGetValidator = [
396f6f01 C	75	param('id')
396f6f01 C	76	.custom(isIdValid),
d95d1559 C	77
	78	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
	79	logger.debug('Checking abuseGetValidator parameters', { parameters: req.body })
	80
	81	if (areValidationErrors(req, res)) return
57f6896f	82	if (!await doesAbuseExist(req.params.id, res)) return
d95d1559 C	83
	84	return next()
	85	}
	86	]
	87
	88	const abuseUpdateValidator = [
396f6f01 C	89	param('id')
396f6f01 C	90	.custom(isIdValid),
57f6896f	91
d95d1559 C	92	body('state')
d95d1559 C	93	.optional()
396f6f01	94	.custom(isAbuseStateValid),
d95d1559 C	95	body('moderationComment')
d95d1559 C	96	.optional()
396f6f01	97	.custom(isAbuseModerationCommentValid),
d95d1559 C	98
	99	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
	100	logger.debug('Checking abuseUpdateValidator parameters', { parameters: req.body })
	101
	102	if (areValidationErrors(req, res)) return
57f6896f	103	if (!await doesAbuseExist(req.params.id, res)) return
d95d1559 C	104
	105	return next()
	106	}
	107	]
	108
edbc9325	109	const abuseListForAdminsValidator = [
d95d1559 C	110	query('id')
d95d1559 C	111	.optional()
396f6f01	112	.custom(isIdValid),
57f6896f C	113	query('filter')
57f6896f C	114	.optional()
396f6f01	115	.custom(isAbuseFilterValid),
d95d1559 C	116	query('predefinedReason')
d95d1559 C	117	.optional()
396f6f01	118	.custom(isAbusePredefinedReasonValid),
d95d1559 C	119	query('search')
d95d1559 C	120	.optional()
396f6f01	121	.custom(exists),
d95d1559 C	122	query('state')
d95d1559 C	123	.optional()
396f6f01	124	.custom(isAbuseStateValid),
d95d1559 C	125	query('videoIs')
d95d1559 C	126	.optional()
396f6f01	127	.custom(isAbuseVideoIsValid),
d95d1559 C	128	query('searchReporter')
d95d1559 C	129	.optional()
396f6f01	130	.custom(exists),
d95d1559 C	131	query('searchReportee')
d95d1559 C	132	.optional()
396f6f01	133	.custom(exists),
d95d1559 C	134	query('searchVideo')
d95d1559 C	135	.optional()
396f6f01	136	.custom(exists),
d95d1559 C	137	query('searchVideoChannel')
d95d1559 C	138	.optional()
396f6f01	139	.custom(exists),
d95d1559 C	140
d95d1559 C	141	(req: express.Request, res: express.Response, next: express.NextFunction) => {
edbc9325	142	logger.debug('Checking abuseListForAdminsValidator parameters', { parameters: req.body })
d95d1559 C	143
	144	if (areValidationErrors(req, res)) return
	145
	146	return next()
	147	}
	148	]
	149
edbc9325 C	150	const abuseListForUserValidator = [
	151	query('id')
	152	.optional()
396f6f01	153	.custom(isIdValid),
edbc9325 C	154
	155	query('search')
	156	.optional()
396f6f01	157	.custom(exists),
edbc9325 C	158
	159	query('state')
	160	.optional()
396f6f01	161	.custom(isAbuseStateValid),
edbc9325 C	162
	163	(req: express.Request, res: express.Response, next: express.NextFunction) => {
	164	logger.debug('Checking abuseListForUserValidator parameters', { parameters: req.body })
	165
	166	if (areValidationErrors(req, res)) return
	167
	168	return next()
	169	}
	170	]
	171
	172	const getAbuseValidator = [
396f6f01 C	173	param('id')
396f6f01 C	174	.custom(isIdValid),
edbc9325 C	175
	176	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
	177	logger.debug('Checking getAbuseValidator parameters', { parameters: req.body })
	178
	179	if (areValidationErrors(req, res)) return
	180	if (!await doesAbuseExist(req.params.id, res)) return
	181
	182	const user = res.locals.oauth.token.user
	183	const abuse = res.locals.abuse
	184
	185	if (user.hasRight(UserRight.MANAGE_ABUSES) !== true && abuse.reporterAccountId !== user.Account.id) {
	186	const message = `User ${user.username} does not have right to get abuse ${abuse.id}`
	187	logger.warn(message)
	188
76148b27 RK	189	return res.fail({
	190	status: HttpStatusCode.FORBIDDEN_403,
	191	message
	192	})
edbc9325 C	193	}
	194
	195	return next()
	196	}
	197	]
	198
94148c90 C	199	const checkAbuseValidForMessagesValidator = [
	200	(req: express.Request, res: express.Response, next: express.NextFunction) => {
	201	logger.debug('Checking checkAbuseValidForMessagesValidator parameters', { parameters: req.body })
	202
	203	const abuse = res.locals.abuse
	204	if (abuse.ReporterAccount.isOwned() === false) {
76148b27	205	return res.fail({ message: 'This abuse was created by a user of your instance.' })
94148c90 C	206	}
	207
	208	return next()
	209	}
	210	]
	211
edbc9325	212	const addAbuseMessageValidator = [
396f6f01 C	213	body('message')
396f6f01 C	214	.custom(isAbuseMessageValid),
edbc9325 C	215
	216	(req: express.Request, res: express.Response, next: express.NextFunction) => {
	217	logger.debug('Checking addAbuseMessageValidator parameters', { parameters: req.body })
	218
	219	if (areValidationErrors(req, res)) return
	220
	221	return next()
	222	}
	223	]
	224
	225	const deleteAbuseMessageValidator = [
396f6f01 C	226	param('messageId')
396f6f01 C	227	.custom(isIdValid),
edbc9325 C	228
	229	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
	230	logger.debug('Checking deleteAbuseMessageValidator parameters', { parameters: req.body })
	231
	232	if (areValidationErrors(req, res)) return
	233
	234	const user = res.locals.oauth.token.user
	235	const abuse = res.locals.abuse
	236
	237	const messageId = parseInt(req.params.messageId + '', 10)
	238	const abuseMessage = await AbuseMessageModel.loadByIdAndAbuseId(messageId, abuse.id)
	239
	240	if (!abuseMessage) {
76148b27 RK	241	return res.fail({
	242	status: HttpStatusCode.NOT_FOUND_404,
	243	message: 'Abuse message not found'
	244	})
edbc9325 C	245	}
	246
	247	if (user.hasRight(UserRight.MANAGE_ABUSES) !== true && abuseMessage.accountId !== user.Account.id) {
76148b27 RK	248	return res.fail({
	249	status: HttpStatusCode.FORBIDDEN_403,
	250	message: 'Cannot delete this abuse message'
	251	})
edbc9325 C	252	}
	253
	254	res.locals.abuseMessage = abuseMessage
	255
	256	return next()
	257	}
	258	]
	259
d95d1559 C	260	// ---------------------------------------------------------------------------
	261
	262	export {
edbc9325	263	abuseListForAdminsValidator,
d95d1559 C	264	abuseReportValidator,
d95d1559 C	265	abuseGetValidator,
edbc9325	266	addAbuseMessageValidator,
94148c90	267	checkAbuseValidForMessagesValidator,
d95d1559	268	abuseUpdateValidator,
edbc9325 C	269	deleteAbuseMessageValidator,
edbc9325 C	270	abuseListForUserValidator,
7a4ea932	271	getAbuseValidator
d95d1559	272	}