[github/Chocobozzz/PeerTube.git] / server / middlewares / validators / video-channels.ts

import * as express from 'express'
import { body, param } from 'express-validator/check'
import { UserRight } from '../../../shared'
import { isAccountIdExist } from '../../helpers/custom-validators/accounts'
import { isIdOrUUIDValid } from '../../helpers/custom-validators/misc'
import {
  isVideoChannelDescriptionValid, isVideoChannelExist,
  isVideoChannelNameValid, isVideoChannelSupportValid
} from '../../helpers/custom-validators/video-channels'
import { logger } from '../../helpers/logger'
import { UserModel } from '../../models/account/user'
import { VideoChannelModel } from '../../models/video/video-channel'
import { areValidationErrors } from './utils'
import { AccountModel } from '../../models/account/account'

const listVideoAccountChannelsValidator = [
  param('accountId').custom(isIdOrUUIDValid).withMessage('Should have a valid account id'),

  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking listVideoAccountChannelsValidator parameters', { parameters: req.body })

    if (areValidationErrors(req, res)) return
    if (!await isAccountIdExist(req.params.accountId, res)) return

    return next()
  }
]

const videoChannelsAddValidator = [
  param('accountId').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid account id'),
  body('name').custom(isVideoChannelNameValid).withMessage('Should have a valid name'),
  body('description').optional().custom(isVideoChannelDescriptionValid).withMessage('Should have a valid description'),
  body('support').optional().custom(isVideoChannelSupportValid).withMessage('Should have a valid support text'),

  (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking videoChannelsAdd parameters', { parameters: req.body })

    if (areValidationErrors(req, res)) return

    return next()
  }
]

const videoChannelsUpdateValidator = [
  param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
  param('accountId').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid account id'),
  body('name').optional().custom(isVideoChannelNameValid).withMessage('Should have a valid name'),
  body('description').optional().custom(isVideoChannelDescriptionValid).withMessage('Should have a valid description'),
  body('support').optional().custom(isVideoChannelSupportValid).withMessage('Should have a valid support text'),

  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking videoChannelsUpdate parameters', { parameters: req.body })

    if (areValidationErrors(req, res)) return
    if (!await isAccountIdExist(req.params.accountId, res)) return
    if (!await isVideoChannelExist(req.params.id, res)) return
    if (!checkAccountOwnsVideoChannel(res.locals.account, res.locals.videoChannel, res)) return

    // We need to make additional checks
    if (res.locals.videoChannel.Actor.isOwned() === false) {
      return res.status(403)
        .json({ error: 'Cannot update video channel of another server' })
        .end()
    }

    if (res.locals.videoChannel.Account.userId !== res.locals.oauth.token.User.id) {
      return res.status(403)
        .json({ error: 'Cannot update video channel of another user' })
        .end()
    }

    return next()
  }
]

const videoChannelsRemoveValidator = [
  param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
  param('accountId').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid account id'),

  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking videoChannelsRemove parameters', { parameters: req.params })

    if (areValidationErrors(req, res)) return
    if (!await isAccountIdExist(req.params.accountId, res)) return
    if (!await isVideoChannelExist(req.params.id, res)) return

    if (!checkAccountOwnsVideoChannel(res.locals.account, res.locals.videoChannel, res)) return
    // Check if the user who did the request is able to delete the video
    if (!checkUserCanDeleteVideoChannel(res.locals.oauth.token.User, res.locals.videoChannel, res)) return
    if (!await checkVideoChannelIsNotTheLastOne(res)) return

    return next()
  }
]

const videoChannelsGetValidator = [
  param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
  param('accountId').optional().custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid account id'),

  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking videoChannelsGet parameters', { parameters: req.params })

    if (areValidationErrors(req, res)) return

    // On some routes, accountId is optional (for example in the ActivityPub route)
    if (req.params.accountId && !await isAccountIdExist(req.params.accountId, res)) return
    if (!await isVideoChannelExist(req.params.id, res)) return

    if (res.locals.account && !checkAccountOwnsVideoChannel(res.locals.account, res.locals.videoChannel, res)) return

    return next()
  }
]

// ---------------------------------------------------------------------------

export {
  listVideoAccountChannelsValidator,
  videoChannelsAddValidator,
  videoChannelsUpdateValidator,
  videoChannelsRemoveValidator,
  videoChannelsGetValidator
}

// ---------------------------------------------------------------------------

function checkUserCanDeleteVideoChannel (user: UserModel, videoChannel: VideoChannelModel, res: express.Response) {
  if (videoChannel.Actor.isOwned() === false) {
    res.status(403)
              .json({ error: 'Cannot remove video channel of another server.' })
              .end()

    return false
  }

  // Check if the user can delete the video channel
  // The user can delete it if s/he is an admin
  // Or if s/he is the video channel's account
  if (user.hasRight(UserRight.REMOVE_ANY_VIDEO_CHANNEL) === false && videoChannel.Account.userId !== user.id) {
    res.status(403)
              .json({ error: 'Cannot remove video channel of another user' })
              .end()

    return false
  }

  return true
}

async function checkVideoChannelIsNotTheLastOne (res: express.Response) {
  const count = await VideoChannelModel.countByAccount(res.locals.oauth.token.User.Account.id)

  if (count <= 1) {
    res.status(409)
      .json({ error: 'Cannot remove the last channel of this user' })
      .end()

    return false
  }

  return true
}

function checkAccountOwnsVideoChannel (account: AccountModel, videoChannel: VideoChannelModel, res: express.Response) {
  if (videoChannel.Account.id !== account.id) {
    res.status(400)
              .json({ error: 'This account does not own this video channel' })
              .end()

    return false
  }

  return true
}
Commit	Line	Data
72c7248b	1	import * as express from 'express'
d4f1e94c C	2	import { body, param } from 'express-validator/check'
d4f1e94c C	3	import { UserRight } from '../../../shared'
3fd3ab2d	4	import { isAccountIdExist } from '../../helpers/custom-validators/accounts'
50d6de9c	5	import { isIdOrUUIDValid } from '../../helpers/custom-validators/misc'
4e50b6a1	6	import {
da854ddd	7	isVideoChannelDescriptionValid, isVideoChannelExist,
2422c46b	8	isVideoChannelNameValid, isVideoChannelSupportValid
4e50b6a1	9	} from '../../helpers/custom-validators/video-channels'
da854ddd	10	import { logger } from '../../helpers/logger'
3fd3ab2d C	11	import { UserModel } from '../../models/account/user'
3fd3ab2d C	12	import { VideoChannelModel } from '../../models/video/video-channel'
a2431b7d	13	import { areValidationErrors } from './utils'
6b738c7a	14	import { AccountModel } from '../../models/account/account'
72c7248b	15
38fa2065 C	16	const listVideoAccountChannelsValidator = [
38fa2065 C	17	param('accountId').custom(isIdOrUUIDValid).withMessage('Should have a valid account id'),
72c7248b	18
a2431b7d	19	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
38fa2065	20	logger.debug('Checking listVideoAccountChannelsValidator parameters', { parameters: req.body })
72c7248b	21
a2431b7d C	22	if (areValidationErrors(req, res)) return
	23	if (!await isAccountIdExist(req.params.accountId, res)) return
	24
	25	return next()
72c7248b C	26	}
	27	]
	28
	29	const videoChannelsAddValidator = [
48dce1c9	30	param('accountId').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid account id'),
72c7248b	31	body('name').custom(isVideoChannelNameValid).withMessage('Should have a valid name'),
2422c46b C	32	body('description').optional().custom(isVideoChannelDescriptionValid).withMessage('Should have a valid description'),
2422c46b C	33	body('support').optional().custom(isVideoChannelSupportValid).withMessage('Should have a valid support text'),
72c7248b C	34
	35	(req: express.Request, res: express.Response, next: express.NextFunction) => {
	36	logger.debug('Checking videoChannelsAdd parameters', { parameters: req.body })
	37
a2431b7d C	38	if (areValidationErrors(req, res)) return
	39
	40	return next()
72c7248b C	41	}
	42	]
	43
	44	const videoChannelsUpdateValidator = [
	45	param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
48dce1c9	46	param('accountId').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid account id'),
72c7248b C	47	body('name').optional().custom(isVideoChannelNameValid).withMessage('Should have a valid name'),
72c7248b C	48	body('description').optional().custom(isVideoChannelDescriptionValid).withMessage('Should have a valid description'),
2422c46b	49	body('support').optional().custom(isVideoChannelSupportValid).withMessage('Should have a valid support text'),
72c7248b	50
a2431b7d	51	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
72c7248b C	52	logger.debug('Checking videoChannelsUpdate parameters', { parameters: req.body })
72c7248b C	53
a2431b7d	54	if (areValidationErrors(req, res)) return
48dce1c9	55	if (!await isAccountIdExist(req.params.accountId, res)) return
a2431b7d	56	if (!await isVideoChannelExist(req.params.id, res)) return
6b738c7a	57	if (!checkAccountOwnsVideoChannel(res.locals.account, res.locals.videoChannel, res)) return
a2431b7d C	58
a2431b7d C	59	// We need to make additional checks
d50acfab	60	if (res.locals.videoChannel.Actor.isOwned() === false) {
a2431b7d C	61	return res.status(403)
	62	.json({ error: 'Cannot update video channel of another server' })
	63	.end()
	64	}
	65
	66	if (res.locals.videoChannel.Account.userId !== res.locals.oauth.token.User.id) {
	67	return res.status(403)
	68	.json({ error: 'Cannot update video channel of another user' })
	69	.end()
	70	}
	71
	72	return next()
72c7248b C	73	}
	74	]
	75
	76	const videoChannelsRemoveValidator = [
	77	param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
48dce1c9	78	param('accountId').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid account id'),
72c7248b	79
a2431b7d	80	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
72c7248b C	81	logger.debug('Checking videoChannelsRemove parameters', { parameters: req.params })
72c7248b C	82
a2431b7d	83	if (areValidationErrors(req, res)) return
48dce1c9	84	if (!await isAccountIdExist(req.params.accountId, res)) return
a2431b7d C	85	if (!await isVideoChannelExist(req.params.id, res)) return
a2431b7d C	86
6b738c7a	87	if (!checkAccountOwnsVideoChannel(res.locals.account, res.locals.videoChannel, res)) return
a2431b7d	88	// Check if the user who did the request is able to delete the video
d48ff09d	89	if (!checkUserCanDeleteVideoChannel(res.locals.oauth.token.User, res.locals.videoChannel, res)) return
a2431b7d C	90	if (!await checkVideoChannelIsNotTheLastOne(res)) return
	91
	92	return next()
72c7248b C	93	}
	94	]
	95
20494f12	96	const videoChannelsGetValidator = [
72c7248b	97	param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
48dce1c9	98	param('accountId').optional().custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid account id'),
72c7248b	99
a2431b7d	100	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
72c7248b C	101	logger.debug('Checking videoChannelsGet parameters', { parameters: req.params })
72c7248b C	102
a2431b7d	103	if (areValidationErrors(req, res)) return
6b738c7a	104
48dce1c9 C	105	// On some routes, accountId is optional (for example in the ActivityPub route)
48dce1c9 C	106	if (req.params.accountId && !await isAccountIdExist(req.params.accountId, res)) return
a2431b7d C	107	if (!await isVideoChannelExist(req.params.id, res)) return
a2431b7d C	108
6b738c7a C	109	if (res.locals.account && !checkAccountOwnsVideoChannel(res.locals.account, res.locals.videoChannel, res)) return
6b738c7a C	110
a2431b7d	111	return next()
72c7248b C	112	}
	113	]
	114
	115	// ---------------------------------------------------------------------------
	116
	117	export {
38fa2065	118	listVideoAccountChannelsValidator,
72c7248b C	119	videoChannelsAddValidator,
	120	videoChannelsUpdateValidator,
	121	videoChannelsRemoveValidator,
50d6de9c	122	videoChannelsGetValidator
72c7248b C	123	}
	124
	125	// ---------------------------------------------------------------------------
	126
3fd3ab2d	127	function checkUserCanDeleteVideoChannel (user: UserModel, videoChannel: VideoChannelModel, res: express.Response) {
50d6de9c	128	if (videoChannel.Actor.isOwned() === false) {
a2431b7d	129	res.status(403)
60862425	130	.json({ error: 'Cannot remove video channel of another server.' })
72c7248b	131	.end()
a2431b7d C	132
a2431b7d C	133	return false
72c7248b C	134	}
	135
	136	// Check if the user can delete the video channel
	137	// The user can delete it if s/he is an admin
38fa2065	138	// Or if s/he is the video channel's account
a2431b7d C	139	if (user.hasRight(UserRight.REMOVE_ANY_VIDEO_CHANNEL) === false && videoChannel.Account.userId !== user.id) {
a2431b7d C	140	res.status(403)
72c7248b C	141	.json({ error: 'Cannot remove video channel of another user' })
72c7248b C	142	.end()
a2431b7d C	143
a2431b7d C	144	return false
72c7248b C	145	}
72c7248b C	146
a2431b7d	147	return true
72c7248b C	148	}
72c7248b C	149
a2431b7d	150	async function checkVideoChannelIsNotTheLastOne (res: express.Response) {
3fd3ab2d	151	const count = await VideoChannelModel.countByAccount(res.locals.oauth.token.User.Account.id)
a2431b7d C	152
	153	if (count <= 1) {
	154	res.status(409)
	155	.json({ error: 'Cannot remove the last channel of this user' })
	156	.end()
	157
	158	return false
	159	}
	160
	161	return true
72c7248b	162	}
6b738c7a C	163
	164	function checkAccountOwnsVideoChannel (account: AccountModel, videoChannel: VideoChannelModel, res: express.Response) {
	165	if (videoChannel.Account.id !== account.id) {
	166	res.status(400)
	167	.json({ error: 'This account does not own this video channel' })
	168	.end()
	169
	170	return false
	171	}
	172
	173	return true
	174	}