[github/Chocobozzz/PeerTube.git] / server / middlewares / validators / shared / videos.ts

import { Request, Response } from 'express'
import { loadVideo, VideoLoadType } from '@server/lib/model-loaders'
import { authenticatePromiseIfNeeded } from '@server/middlewares/auth'
import { VideoModel } from '@server/models/video/video'
import { VideoChannelModel } from '@server/models/video/video-channel'
import { VideoFileModel } from '@server/models/video/video-file'
import {
  MUser,
  MUserAccountId,
  MVideo,
  MVideoAccountLight,
  MVideoFormattableDetails,
  MVideoFullLight,
  MVideoId,
  MVideoImmutable,
  MVideoThumbnail,
  MVideoWithRights
} from '@server/types/models'
import { HttpStatusCode, UserRight } from '@shared/models'

async function doesVideoExist (id: number | string, res: Response, fetchType: VideoLoadType = 'all') {
  const userId = res.locals.oauth ? res.locals.oauth.token.User.id : undefined

  const video = await loadVideo(id, fetchType, userId)

  if (video === null) {
    res.fail({
      status: HttpStatusCode.NOT_FOUND_404,
      message: 'Video not found'
    })
    return false
  }

  switch (fetchType) {
    case 'for-api':
      res.locals.videoAPI = video as MVideoFormattableDetails
      break

    case 'all':
      res.locals.videoAll = video as MVideoFullLight
      break

    case 'only-immutable-attributes':
      res.locals.onlyImmutableVideo = video as MVideoImmutable
      break

    case 'id':
      res.locals.videoId = video as MVideoId
      break

    case 'only-video':
      res.locals.onlyVideo = video as MVideoThumbnail
      break
  }

  return true
}

async function doesVideoFileOfVideoExist (id: number, videoIdOrUUID: number | string, res: Response) {
  if (!await VideoFileModel.doesVideoExistForVideoFile(id, videoIdOrUUID)) {
    res.fail({
      status: HttpStatusCode.NOT_FOUND_404,
      message: 'VideoFile matching Video not found'
    })
    return false
  }

  return true
}

async function doesVideoChannelOfAccountExist (channelId: number, user: MUserAccountId, res: Response) {
  const videoChannel = await VideoChannelModel.loadAndPopulateAccount(channelId)

  if (videoChannel === null) {
    res.fail({ message: 'Unknown video "video channel" for this instance.' })
    return false
  }

  // Don't check account id if the user can update any video
  if (user.hasRight(UserRight.UPDATE_ANY_VIDEO) === true) {
    res.locals.videoChannel = videoChannel
    return true
  }

  if (videoChannel.Account.id !== user.Account.id) {
    res.fail({
      message: 'Unknown video "video channel" for this account.'
    })
    return false
  }

  res.locals.videoChannel = videoChannel
  return true
}

async function checkCanSeeVideoIfPrivate (req: Request, res: Response, video: MVideo, authenticateInQuery = false) {
  if (!video.requiresAuth()) return true

  const videoWithRights = await VideoModel.loadAndPopulateAccountAndServerAndTags(video.id)

  return checkCanSeePrivateVideo(req, res, videoWithRights, authenticateInQuery)
}

async function checkCanSeePrivateVideo (req: Request, res: Response, video: MVideoWithRights, authenticateInQuery = false) {
  await authenticatePromiseIfNeeded(req, res, authenticateInQuery)

  const user = res.locals.oauth ? res.locals.oauth.token.User : null

  // Only the owner or a user that have blocklist rights can see the video
  if (!user || !user.canGetVideo(video)) {
    return false
  }

  return true
}

function checkUserCanManageVideo (user: MUser, video: MVideoAccountLight, right: UserRight, res: Response, onlyOwned = true) {
  // Retrieve the user who did the request
  if (onlyOwned && video.isOwned() === false) {
    res.fail({
      status: HttpStatusCode.FORBIDDEN_403,
      message: 'Cannot manage a video of another server.'
    })
    return false
  }

  // Check if the user can delete the video
  // The user can delete it if he has the right
  // Or if s/he is the video's account
  const account = video.VideoChannel.Account
  if (user.hasRight(right) === false && account.userId !== user.id) {
    res.fail({
      status: HttpStatusCode.FORBIDDEN_403,
      message: 'Cannot manage a video of another user.'
    })
    return false
  }

  return true
}

// ---------------------------------------------------------------------------

export {
  doesVideoChannelOfAccountExist,
  doesVideoExist,
  doesVideoFileOfVideoExist,
  checkUserCanManageVideo,
  checkCanSeeVideoIfPrivate,
  checkCanSeePrivateVideo
}
Commit	Line	Data
795212f7	1	import { Request, Response } from 'express'
868fce62	2	import { loadVideo, VideoLoadType } from '@server/lib/model-loaders'
795212f7 C	3	import { authenticatePromiseIfNeeded } from '@server/middlewares/auth'
795212f7 C	4	import { VideoModel } from '@server/models/video/video'
10363c74 C	5	import { VideoChannelModel } from '@server/models/video/video-channel'
10363c74 C	6	import { VideoFileModel } from '@server/models/video/video-file'
7eba5e1f C	7	import {
	8	MUser,
	9	MUserAccountId,
795212f7	10	MVideo,
7eba5e1f	11	MVideoAccountLight,
ca4b4b2e	12	MVideoFormattableDetails,
7eba5e1f	13	MVideoFullLight,
71d4af1e	14	MVideoId,
7eba5e1f	15	MVideoImmutable,
795212f7 C	16	MVideoThumbnail,
795212f7 C	17	MVideoWithRights
26d6bf65	18	} from '@server/types/models'
4c7e60bc	19	import { HttpStatusCode, UserRight } from '@shared/models'
3e753302	20
868fce62	21	async function doesVideoExist (id: number \| string, res: Response, fetchType: VideoLoadType = 'all') {
3e753302 C	22	const userId = res.locals.oauth ? res.locals.oauth.token.User.id : undefined
3e753302 C	23
868fce62	24	const video = await loadVideo(id, fetchType, userId)
3e753302 C	25
3e753302 C	26	if (video === null) {
76148b27 RK	27	res.fail({
	28	status: HttpStatusCode.NOT_FOUND_404,
	29	message: 'Video not found'
	30	})
3e753302 C	31	return false
	32	}
	33
453e83ea	34	switch (fetchType) {
ca4b4b2e C	35	case 'for-api':
	36	res.locals.videoAPI = video as MVideoFormattableDetails
	37	break
	38
453e83ea C	39	case 'all':
	40	res.locals.videoAll = video as MVideoFullLight
	41	break
	42
7eba5e1f C	43	case 'only-immutable-attributes':
	44	res.locals.onlyImmutableVideo = video as MVideoImmutable
	45	break
	46
453e83ea	47	case 'id':
71d4af1e	48	res.locals.videoId = video as MVideoId
453e83ea C	49	break
	50
	51	case 'only-video':
0283eaac	52	res.locals.onlyVideo = video as MVideoThumbnail
453e83ea	53	break
453e83ea C	54	}
453e83ea C	55
3e753302 C	56	return true
	57	}
	58
8319d6ae RK	59	async function doesVideoFileOfVideoExist (id: number, videoIdOrUUID: number \| string, res: Response) {
8319d6ae RK	60	if (!await VideoFileModel.doesVideoExistForVideoFile(id, videoIdOrUUID)) {
76148b27 RK	61	res.fail({
	62	status: HttpStatusCode.NOT_FOUND_404,
	63	message: 'VideoFile matching Video not found'
	64	})
8319d6ae RK	65	return false
	66	}
	67
	68	return true
	69	}
	70
453e83ea	71	async function doesVideoChannelOfAccountExist (channelId: number, user: MUserAccountId, res: Response) {
2cb03dc1	72	const videoChannel = await VideoChannelModel.loadAndPopulateAccount(channelId)
3e753302	73
2cb03dc1	74	if (videoChannel === null) {
76148b27	75	res.fail({ message: 'Unknown video "video channel" for this instance.' })
2cb03dc1 C	76	return false
	77	}
	78
	79	// Don't check account id if the user can update any video
	80	if (user.hasRight(UserRight.UPDATE_ANY_VIDEO) === true) {
3e753302 C	81	res.locals.videoChannel = videoChannel
	82	return true
	83	}
	84
2cb03dc1	85	if (videoChannel.Account.id !== user.Account.id) {
76148b27 RK	86	res.fail({
	87	message: 'Unknown video "video channel" for this account.'
	88	})
3e753302 C	89	return false
	90	}
	91
	92	res.locals.videoChannel = videoChannel
	93	return true
	94	}
	95
795212f7 C	96	async function checkCanSeeVideoIfPrivate (req: Request, res: Response, video: MVideo, authenticateInQuery = false) {
	97	if (!video.requiresAuth()) return true
	98
	99	const videoWithRights = await VideoModel.loadAndPopulateAccountAndServerAndTags(video.id)
	100
	101	return checkCanSeePrivateVideo(req, res, videoWithRights, authenticateInQuery)
	102	}
	103
	104	async function checkCanSeePrivateVideo (req: Request, res: Response, video: MVideoWithRights, authenticateInQuery = false) {
	105	await authenticatePromiseIfNeeded(req, res, authenticateInQuery)
	106
	107	const user = res.locals.oauth ? res.locals.oauth.token.User : null
	108
	109	// Only the owner or a user that have blocklist rights can see the video
	110	if (!user \|\| !user.canGetVideo(video)) {
	111	return false
	112	}
	113
	114	return true
	115	}
	116
af4ae64f	117	function checkUserCanManageVideo (user: MUser, video: MVideoAccountLight, right: UserRight, res: Response, onlyOwned = true) {
3e753302	118	// Retrieve the user who did the request
af4ae64f	119	if (onlyOwned && video.isOwned() === false) {
76148b27 RK	120	res.fail({
	121	status: HttpStatusCode.FORBIDDEN_403,
	122	message: 'Cannot manage a video of another server.'
	123	})
3e753302 C	124	return false
	125	}
	126
	127	// Check if the user can delete the video
	128	// The user can delete it if he has the right
	129	// Or if s/he is the video's account
	130	const account = video.VideoChannel.Account
	131	if (user.hasRight(right) === false && account.userId !== user.id) {
76148b27 RK	132	res.fail({
	133	status: HttpStatusCode.FORBIDDEN_403,
	134	message: 'Cannot manage a video of another user.'
	135	})
3e753302 C	136	return false
	137	}
	138
	139	return true
	140	}
	141
	142	// ---------------------------------------------------------------------------
	143
	144	export {
	145	doesVideoChannelOfAccountExist,
	146	doesVideoExist,
8319d6ae	147	doesVideoFileOfVideoExist,
795212f7 C	148	checkUserCanManageVideo,
	149	checkCanSeeVideoIfPrivate,
	150	checkCanSeePrivateVideo
3e753302	151	}