[github/Chocobozzz/PeerTube.git] / server / middlewares / validators / videos / video-comments.ts

import express from 'express'
import { body, param, query } from 'express-validator'
import { MUserAccountUrl } from '@server/types/models'
import { HttpStatusCode, UserRight } from '@shared/models'
import { exists, isBooleanValid, isIdValid, toBooleanOrNull } from '../../../helpers/custom-validators/misc'
import { isValidVideoCommentText } from '../../../helpers/custom-validators/video-comments'
import { logger } from '../../../helpers/logger'
import { AcceptResult, isLocalVideoCommentReplyAccepted, isLocalVideoThreadAccepted } from '../../../lib/moderation'
import { Hooks } from '../../../lib/plugins/hooks'
import { MCommentOwnerVideoReply, MVideo, MVideoFullLight } from '../../../types/models/video'
import {
  areValidationErrors,
  checkCanSeeVideoIfPrivate,
  doesVideoCommentExist,
  doesVideoCommentThreadExist,
  doesVideoExist,
  isValidVideoIdParam
} from '../shared'

const listVideoCommentsValidator = [
  query('isLocal')
  .optional()
  .customSanitizer(toBooleanOrNull)
  .custom(isBooleanValid)
  .withMessage('Should have a valid is local boolean'),

  query('search')
    .optional()
    .custom(exists).withMessage('Should have a valid search'),

  query('searchAccount')
    .optional()
    .custom(exists).withMessage('Should have a valid account search'),

  query('searchVideo')
    .optional()
    .custom(exists).withMessage('Should have a valid video search'),

  (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking listVideoCommentsValidator parameters.', { parameters: req.query })

    if (areValidationErrors(req, res)) return

    return next()
  }
]

const listVideoCommentThreadsValidator = [
  isValidVideoIdParam('videoId'),

  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking listVideoCommentThreads parameters.', { parameters: req.params })

    if (areValidationErrors(req, res)) return
    if (!await doesVideoExist(req.params.videoId, res, 'only-video')) return

    if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.onlyVideo)) {
      return res.fail({
        status: HttpStatusCode.FORBIDDEN_403,
        message: 'Cannot list comments of private/internal/blocklisted video'
      })
    }

    return next()
  }
]

const listVideoThreadCommentsValidator = [
  isValidVideoIdParam('videoId'),

  param('threadId')
    .custom(isIdValid).not().isEmpty().withMessage('Should have a valid threadId'),

  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking listVideoThreadComments parameters.', { parameters: req.params })

    if (areValidationErrors(req, res)) return
    if (!await doesVideoExist(req.params.videoId, res, 'only-video')) return
    if (!await doesVideoCommentThreadExist(req.params.threadId, res.locals.onlyVideo, res)) return

    if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.onlyVideo)) {
      return res.fail({
        status: HttpStatusCode.FORBIDDEN_403,
        message: 'Cannot list threads of private/internal/blocklisted video'
      })
    }

    return next()
  }
]

const addVideoCommentThreadValidator = [
  isValidVideoIdParam('videoId'),

  body('text')
    .custom(isValidVideoCommentText).not().isEmpty().withMessage('Should have a valid comment text'),

  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking addVideoCommentThread parameters.', { parameters: req.params, body: req.body })

    if (areValidationErrors(req, res)) return
    if (!await doesVideoExist(req.params.videoId, res)) return

    if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.videoAll)) {
      return res.fail({
        status: HttpStatusCode.FORBIDDEN_403,
        message: 'Cannot access to this ressource'
      })
    }

    if (!isVideoCommentsEnabled(res.locals.videoAll, res)) return
    if (!await isVideoCommentAccepted(req, res, res.locals.videoAll, false)) return

    return next()
  }
]

const addVideoCommentReplyValidator = [
  isValidVideoIdParam('videoId'),

  param('commentId').custom(isIdValid).not().isEmpty().withMessage('Should have a valid commentId'),

  body('text').custom(isValidVideoCommentText).not().isEmpty().withMessage('Should have a valid comment text'),

  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking addVideoCommentReply parameters.', { parameters: req.params, body: req.body })

    if (areValidationErrors(req, res)) return
    if (!await doesVideoExist(req.params.videoId, res)) return

    if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.videoAll)) {
      return res.fail({
        status: HttpStatusCode.FORBIDDEN_403,
        message: 'Cannot access to this ressource'
      })
    }

    if (!isVideoCommentsEnabled(res.locals.videoAll, res)) return
    if (!await doesVideoCommentExist(req.params.commentId, res.locals.videoAll, res)) return
    if (!await isVideoCommentAccepted(req, res, res.locals.videoAll, true)) return

    return next()
  }
]

const videoCommentGetValidator = [
  isValidVideoIdParam('videoId'),

  param('commentId')
    .custom(isIdValid).not().isEmpty().withMessage('Should have a valid commentId'),

  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking videoCommentGetValidator parameters.', { parameters: req.params })

    if (areValidationErrors(req, res)) return
    if (!await doesVideoExist(req.params.videoId, res, 'id')) return
    if (!await doesVideoCommentExist(req.params.commentId, res.locals.videoId, res)) return

    return next()
  }
]

const removeVideoCommentValidator = [
  isValidVideoIdParam('videoId'),

  param('commentId').custom(isIdValid).not().isEmpty().withMessage('Should have a valid commentId'),

  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking removeVideoCommentValidator parameters.', { parameters: req.params })

    if (areValidationErrors(req, res)) return
    if (!await doesVideoExist(req.params.videoId, res)) return
    if (!await doesVideoCommentExist(req.params.commentId, res.locals.videoAll, res)) return

    // Check if the user who did the request is able to delete the video
    if (!checkUserCanDeleteVideoComment(res.locals.oauth.token.User, res.locals.videoCommentFull, res)) return

    return next()
  }
]

// ---------------------------------------------------------------------------

export {
  listVideoCommentThreadsValidator,
  listVideoThreadCommentsValidator,
  addVideoCommentThreadValidator,
  listVideoCommentsValidator,
  addVideoCommentReplyValidator,
  videoCommentGetValidator,
  removeVideoCommentValidator
}

// ---------------------------------------------------------------------------

function isVideoCommentsEnabled (video: MVideo, res: express.Response) {
  if (video.commentsEnabled !== true) {
    res.fail({
      status: HttpStatusCode.CONFLICT_409,
      message: 'Video comments are disabled for this video.'
    })
    return false
  }

  return true
}

function checkUserCanDeleteVideoComment (user: MUserAccountUrl, videoComment: MCommentOwnerVideoReply, res: express.Response) {
  if (videoComment.isDeleted()) {
    res.fail({
      status: HttpStatusCode.CONFLICT_409,
      message: 'This comment is already deleted'
    })
    return false
  }

  const userAccount = user.Account

  if (
    user.hasRight(UserRight.REMOVE_ANY_VIDEO_COMMENT) === false && // Not a moderator
    videoComment.accountId !== userAccount.id && // Not the comment owner
    videoComment.Video.VideoChannel.accountId !== userAccount.id // Not the video owner
  ) {
    res.fail({
      status: HttpStatusCode.FORBIDDEN_403,
      message: 'Cannot remove video comment of another user'
    })
    return false
  }

  return true
}

async function isVideoCommentAccepted (req: express.Request, res: express.Response, video: MVideoFullLight, isReply: boolean) {
  const acceptParameters = {
    video,
    commentBody: req.body,
    user: res.locals.oauth.token.User
  }

  let acceptedResult: AcceptResult

  if (isReply) {
    const acceptReplyParameters = Object.assign(acceptParameters, { parentComment: res.locals.videoCommentFull })

    acceptedResult = await Hooks.wrapFun(
      isLocalVideoCommentReplyAccepted,
      acceptReplyParameters,
      'filter:api.video-comment-reply.create.accept.result'
    )
  } else {
    acceptedResult = await Hooks.wrapFun(
      isLocalVideoThreadAccepted,
      acceptParameters,
      'filter:api.video-thread.create.accept.result'
    )
  }

  if (!acceptedResult || acceptedResult.accepted !== true) {
    logger.info('Refused local comment.', { acceptedResult, acceptParameters })

    res.fail({
      status: HttpStatusCode.FORBIDDEN_403,
      message: acceptedResult?.errorMessage || 'Refused local comment'
    })
    return false
  }

  return true
}
Commit	Line	Data
41fb13c3	1	import express from 'express'
0f8d00e3	2	import { body, param, query } from 'express-validator'
26d6bf65	3	import { MUserAccountUrl } from '@server/types/models'
d17c7b4e	4	import { HttpStatusCode, UserRight } from '@shared/models'
d4a8e7a6	5	import { exists, isBooleanValid, isIdValid, toBooleanOrNull } from '../../../helpers/custom-validators/misc'
10363c74	6	import { isValidVideoCommentText } from '../../../helpers/custom-validators/video-comments'
6e46de09	7	import { logger } from '../../../helpers/logger'
ceba0e65 C	8	import { AcceptResult, isLocalVideoCommentReplyAccepted, isLocalVideoThreadAccepted } from '../../../lib/moderation'
ceba0e65 C	9	import { Hooks } from '../../../lib/plugins/hooks'
57f6896f	10	import { MCommentOwnerVideoReply, MVideo, MVideoFullLight } from '../../../types/models/video'
84c8d986 C	11	import {
	12	areValidationErrors,
	13	checkCanSeeVideoIfPrivate,
	14	doesVideoCommentExist,
	15	doesVideoCommentThreadExist,
	16	doesVideoExist,
	17	isValidVideoIdParam
	18	} from '../shared'
bf1f6508	19
0f8d00e3 C	20	const listVideoCommentsValidator = [
	21	query('isLocal')
	22	.optional()
f1273314	23	.customSanitizer(toBooleanOrNull)
0f8d00e3 C	24	.custom(isBooleanValid)
	25	.withMessage('Should have a valid is local boolean'),
	26
	27	query('search')
	28	.optional()
	29	.custom(exists).withMessage('Should have a valid search'),
	30
	31	query('searchAccount')
	32	.optional()
	33	.custom(exists).withMessage('Should have a valid account search'),
	34
	35	query('searchVideo')
	36	.optional()
	37	.custom(exists).withMessage('Should have a valid video search'),
	38
	39	(req: express.Request, res: express.Response, next: express.NextFunction) => {
	40	logger.debug('Checking listVideoCommentsValidator parameters.', { parameters: req.query })
	41
	42	if (areValidationErrors(req, res)) return
	43
	44	return next()
	45	}
	46	]
	47
bf1f6508	48	const listVideoCommentThreadsValidator = [
d4a8e7a6	49	isValidVideoIdParam('videoId'),
bf1f6508 C	50
bf1f6508 C	51	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
d3ea8975	52	logger.debug('Checking listVideoCommentThreads parameters.', { parameters: req.params })
bf1f6508 C	53
bf1f6508 C	54	if (areValidationErrors(req, res)) return
0f6acda1	55	if (!await doesVideoExist(req.params.videoId, res, 'only-video')) return
bf1f6508	56
84c8d986 C	57	if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.onlyVideo)) {
	58	return res.fail({
	59	status: HttpStatusCode.FORBIDDEN_403,
	60	message: 'Cannot list comments of private/internal/blocklisted video'
	61	})
	62	}
	63
bf1f6508 C	64	return next()
	65	}
	66	]
	67
	68	const listVideoThreadCommentsValidator = [
d4a8e7a6 C	69	isValidVideoIdParam('videoId'),
	70
	71	param('threadId')
	72	.custom(isIdValid).not().isEmpty().withMessage('Should have a valid threadId'),
bf1f6508 C	73
bf1f6508 C	74	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
d3ea8975	75	logger.debug('Checking listVideoThreadComments parameters.', { parameters: req.params })
bf1f6508 C	76
bf1f6508 C	77	if (areValidationErrors(req, res)) return
0f6acda1	78	if (!await doesVideoExist(req.params.videoId, res, 'only-video')) return
453e83ea	79	if (!await doesVideoCommentThreadExist(req.params.threadId, res.locals.onlyVideo, res)) return
bf1f6508	80
84c8d986 C	81	if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.onlyVideo)) {
	82	return res.fail({
	83	status: HttpStatusCode.FORBIDDEN_403,
	84	message: 'Cannot list threads of private/internal/blocklisted video'
	85	})
	86	}
	87
bf1f6508 C	88	return next()
	89	}
	90	]
	91
	92	const addVideoCommentThreadValidator = [
d4a8e7a6 C	93	isValidVideoIdParam('videoId'),
	94
	95	body('text')
	96	.custom(isValidVideoCommentText).not().isEmpty().withMessage('Should have a valid comment text'),
bf1f6508 C	97
bf1f6508 C	98	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
5de8a55a	99	logger.debug('Checking addVideoCommentThread parameters.', { parameters: req.params, body: req.body })
bf1f6508 C	100
bf1f6508 C	101	if (areValidationErrors(req, res)) return
0f6acda1	102	if (!await doesVideoExist(req.params.videoId, res)) return
6ea9295b C	103
	104	if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.videoAll)) {
	105	return res.fail({
	106	status: HttpStatusCode.FORBIDDEN_403,
	107	message: 'Cannot access to this ressource'
	108	})
	109	}
	110
453e83ea	111	if (!isVideoCommentsEnabled(res.locals.videoAll, res)) return
a1587156	112	if (!await isVideoCommentAccepted(req, res, res.locals.videoAll, false)) return
bf1f6508 C	113
	114	return next()
	115	}
	116	]
	117
	118	const addVideoCommentReplyValidator = [
d4a8e7a6 C	119	isValidVideoIdParam('videoId'),
d4a8e7a6 C	120
bf1f6508	121	param('commentId').custom(isIdValid).not().isEmpty().withMessage('Should have a valid commentId'),
d4a8e7a6	122
bf1f6508 C	123	body('text').custom(isValidVideoCommentText).not().isEmpty().withMessage('Should have a valid comment text'),
	124
	125	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
5de8a55a	126	logger.debug('Checking addVideoCommentReply parameters.', { parameters: req.params, body: req.body })
bf1f6508 C	127
bf1f6508 C	128	if (areValidationErrors(req, res)) return
0f6acda1	129	if (!await doesVideoExist(req.params.videoId, res)) return
6ea9295b C	130
	131	if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.videoAll)) {
	132	return res.fail({
	133	status: HttpStatusCode.FORBIDDEN_403,
	134	message: 'Cannot access to this ressource'
	135	})
	136	}
	137
453e83ea C	138	if (!isVideoCommentsEnabled(res.locals.videoAll, res)) return
	139	if (!await doesVideoCommentExist(req.params.commentId, res.locals.videoAll, res)) return
	140	if (!await isVideoCommentAccepted(req, res, res.locals.videoAll, true)) return
bf1f6508 C	141
	142	return next()
	143	}
	144	]
	145
da854ddd	146	const videoCommentGetValidator = [
d4a8e7a6 C	147	isValidVideoIdParam('videoId'),
	148
	149	param('commentId')
	150	.custom(isIdValid).not().isEmpty().withMessage('Should have a valid commentId'),
da854ddd C	151
	152	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
	153	logger.debug('Checking videoCommentGetValidator parameters.', { parameters: req.params })
	154
	155	if (areValidationErrors(req, res)) return
0f6acda1	156	if (!await doesVideoExist(req.params.videoId, res, 'id')) return
453e83ea	157	if (!await doesVideoCommentExist(req.params.commentId, res.locals.videoId, res)) return
da854ddd C	158
	159	return next()
	160	}
	161	]
	162
4cb6d457	163	const removeVideoCommentValidator = [
d4a8e7a6 C	164	isValidVideoIdParam('videoId'),
d4a8e7a6 C	165
4cb6d457 C	166	param('commentId').custom(isIdValid).not().isEmpty().withMessage('Should have a valid commentId'),
	167
	168	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
	169	logger.debug('Checking removeVideoCommentValidator parameters.', { parameters: req.params })
	170
	171	if (areValidationErrors(req, res)) return
0f6acda1	172	if (!await doesVideoExist(req.params.videoId, res)) return
453e83ea	173	if (!await doesVideoCommentExist(req.params.commentId, res.locals.videoAll, res)) return
4cb6d457 C	174
4cb6d457 C	175	// Check if the user who did the request is able to delete the video
453e83ea	176	if (!checkUserCanDeleteVideoComment(res.locals.oauth.token.User, res.locals.videoCommentFull, res)) return
4cb6d457 C	177
	178	return next()
	179	}
	180	]
	181
bf1f6508 C	182	// ---------------------------------------------------------------------------
	183
	184	export {
	185	listVideoCommentThreadsValidator,
	186	listVideoThreadCommentsValidator,
	187	addVideoCommentThreadValidator,
0f8d00e3	188	listVideoCommentsValidator,
da854ddd	189	addVideoCommentReplyValidator,
4cb6d457 C	190	videoCommentGetValidator,
4cb6d457 C	191	removeVideoCommentValidator
bf1f6508 C	192	}
	193
	194	// ---------------------------------------------------------------------------
	195
453e83ea	196	function isVideoCommentsEnabled (video: MVideo, res: express.Response) {
47564bbe	197	if (video.commentsEnabled !== true) {
76148b27 RK	198	res.fail({
	199	status: HttpStatusCode.CONFLICT_409,
	200	message: 'Video comments are disabled for this video.'
	201	})
47564bbe C	202	return false
	203	}
	204
	205	return true
	206	}
4cb6d457	207
fde37dc9	208	function checkUserCanDeleteVideoComment (user: MUserAccountUrl, videoComment: MCommentOwnerVideoReply, res: express.Response) {
c883db6d	209	if (videoComment.isDeleted()) {
76148b27 RK	210	res.fail({
	211	status: HttpStatusCode.CONFLICT_409,
	212	message: 'This comment is already deleted'
	213	})
c883db6d C	214	return false
	215	}
	216
fde37dc9 C	217	const userAccount = user.Account
	218
	219	if (
	220	user.hasRight(UserRight.REMOVE_ANY_VIDEO_COMMENT) === false && // Not a moderator
	221	videoComment.accountId !== userAccount.id && // Not the comment owner
	222	videoComment.Video.VideoChannel.accountId !== userAccount.id // Not the video owner
	223	) {
76148b27 RK	224	res.fail({
	225	status: HttpStatusCode.FORBIDDEN_403,
	226	message: 'Cannot remove video comment of another user'
	227	})
4cb6d457 C	228	return false
	229	}
	230
	231	return true
	232	}
b4055e1c	233
453e83ea	234	async function isVideoCommentAccepted (req: express.Request, res: express.Response, video: MVideoFullLight, isReply: boolean) {
b4055e1c	235	const acceptParameters = {
453e83ea	236	video,
b4055e1c C	237	commentBody: req.body,
	238	user: res.locals.oauth.token.User
	239	}
	240
	241	let acceptedResult: AcceptResult
	242
	243	if (isReply) {
453e83ea	244	const acceptReplyParameters = Object.assign(acceptParameters, { parentComment: res.locals.videoCommentFull })
b4055e1c	245
6691c522 C	246	acceptedResult = await Hooks.wrapFun(
	247	isLocalVideoCommentReplyAccepted,
	248	acceptReplyParameters,
b4055e1c C	249	'filter:api.video-comment-reply.create.accept.result'
	250	)
	251	} else {
6691c522 C	252	acceptedResult = await Hooks.wrapFun(
	253	isLocalVideoThreadAccepted,
	254	acceptParameters,
b4055e1c C	255	'filter:api.video-thread.create.accept.result'
	256	)
	257	}
	258
	259	if (!acceptedResult \|\| acceptedResult.accepted !== true) {
	260	logger.info('Refused local comment.', { acceptedResult, acceptParameters })
b4055e1c	261
76148b27 RK	262	res.fail({
	263	status: HttpStatusCode.FORBIDDEN_403,
	264	message: acceptedResult?.errorMessage \|\| 'Refused local comment'
	265	})
b4055e1c C	266	return false
	267	}
	268
	269	return true
	270	}