[github/Chocobozzz/PeerTube.git] / server / middlewares / validators / videos / videos.ts

import * as express from 'express'
import 'express-validator'
import { body, param, query, ValidationChain } from 'express-validator/check'
import { UserRight, VideoChangeOwnershipStatus, VideoPrivacy } from '../../../../shared'
import {
  isBooleanValid,
  isDateValid,
  isIdOrUUIDValid,
  isIdValid,
  isUUIDValid,
  toArray,
  toIntOrNull,
  toValueOrNull
} from '../../../helpers/custom-validators/misc'
import {
  checkUserCanManageVideo,
  isScheduleVideoUpdatePrivacyValid,
  isVideoCategoryValid,
  isVideoChannelOfAccountExist,
  isVideoDescriptionValid,
  isVideoExist,
  isVideoFile,
  isVideoFilterValid,
  isVideoImage,
  isVideoLanguageValid,
  isVideoLicenceValid,
  isVideoNameValid,
  isVideoPrivacyValid,
  isVideoSupportValid,
  isVideoTagsValid
} from '../../../helpers/custom-validators/videos'
import { getDurationFromVideoFile } from '../../../helpers/ffmpeg-utils'
import { logger } from '../../../helpers/logger'
import { CONFIG, CONSTRAINTS_FIELDS } from '../../../initializers'
import { authenticatePromiseIfNeeded } from '../../oauth'
import { areValidationErrors } from '../utils'
import { cleanUpReqFiles } from '../../../helpers/express-utils'
import { VideoModel } from '../../../models/video/video'
import { UserModel } from '../../../models/account/user'
import { checkUserCanTerminateOwnershipChange, doesChangeVideoOwnershipExist } from '../../../helpers/custom-validators/video-ownership'
import { VideoChangeOwnershipAccept } from '../../../../shared/models/videos/video-change-ownership-accept.model'
import { VideoChangeOwnershipModel } from '../../../models/video/video-change-ownership'
import { AccountModel } from '../../../models/account/account'
import { VideoFetchType } from '../../../helpers/video'
import { isNSFWQueryValid, isNumberArray, isStringArray } from '../../../helpers/custom-validators/search'
import { getServerActor } from '../../../helpers/utils'

const videosAddValidator = getCommonVideoAttributes().concat([
  body('videofile')
    .custom((value, { req }) => isVideoFile(req.files)).withMessage(
      'This file is not supported or too large. Please, make sure it is of the following type: '
      + CONSTRAINTS_FIELDS.VIDEOS.EXTNAME.join(', ')
    ),
  body('name').custom(isVideoNameValid).withMessage('Should have a valid name'),
  body('channelId')
    .toInt()
    .custom(isIdValid).withMessage('Should have correct video channel id'),

  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking videosAdd parameters', { parameters: req.body, files: req.files })

    if (areValidationErrors(req, res)) return cleanUpReqFiles(req)
    if (areErrorsInScheduleUpdate(req, res)) return cleanUpReqFiles(req)

    const videoFile: Express.Multer.File = req.files['videofile'][0]
    const user = res.locals.oauth.token.User

    if (!await isVideoChannelOfAccountExist(req.body.channelId, user, res)) return cleanUpReqFiles(req)

    const isAble = await user.isAbleToUploadVideo(videoFile)
    if (isAble === false) {
      res.status(403)
         .json({ error: 'The user video quota is exceeded with this video.' })

      return cleanUpReqFiles(req)
    }

    let duration: number

    try {
      duration = await getDurationFromVideoFile(videoFile.path)
    } catch (err) {
      logger.error('Invalid input file in videosAddValidator.', { err })
      res.status(400)
         .json({ error: 'Invalid input file.' })

      return cleanUpReqFiles(req)
    }

    videoFile['duration'] = duration

    return next()
  }
])

const videosUpdateValidator = getCommonVideoAttributes().concat([
  param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
  body('name')
    .optional()
    .custom(isVideoNameValid).withMessage('Should have a valid name'),
  body('channelId')
    .optional()
    .toInt()
    .custom(isIdValid).withMessage('Should have correct video channel id'),

  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking videosUpdate parameters', { parameters: req.body })

    if (areValidationErrors(req, res)) return cleanUpReqFiles(req)
    if (areErrorsInScheduleUpdate(req, res)) return cleanUpReqFiles(req)
    if (!await isVideoExist(req.params.id, res)) return cleanUpReqFiles(req)

    const video = res.locals.video

    // Check if the user who did the request is able to update the video
    const user = res.locals.oauth.token.User
    if (!checkUserCanManageVideo(user, res.locals.video, UserRight.UPDATE_ANY_VIDEO, res)) return cleanUpReqFiles(req)

    if (video.privacy !== VideoPrivacy.PRIVATE && req.body.privacy === VideoPrivacy.PRIVATE) {
      cleanUpReqFiles(req)
      return res.status(409)
        .json({ error: 'Cannot set "private" a video that was not private.' })
    }

    if (req.body.channelId && !await isVideoChannelOfAccountExist(req.body.channelId, user, res)) return cleanUpReqFiles(req)

    return next()
  }
])

async function checkVideoFollowConstraints (req: express.Request, res: express.Response, next: express.NextFunction) {
  const video: VideoModel = res.locals.video

  // Anybody can watch local videos
  if (video.isOwned() === true) return next()

  // Logged user
  if (res.locals.oauth) {
    // Users can search or watch remote videos
    if (CONFIG.SEARCH.REMOTE_URI.USERS === true) return next()
  }

  // Anybody can search or watch remote videos
  if (CONFIG.SEARCH.REMOTE_URI.ANONYMOUS === true) return next()

  // Check our instance follows an actor that shared this video
  const serverActor = await getServerActor()
  if (await VideoModel.checkVideoHasInstanceFollow(video.id, serverActor.id) === true) return next()

  return res.status(403)
            .json({
              error: 'Cannot get this video regarding follow constraints.'
            })
}

const videosCustomGetValidator = (fetchType: VideoFetchType) => {
  return [
    param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),

    async (req: express.Request, res: express.Response, next: express.NextFunction) => {
      logger.debug('Checking videosGet parameters', { parameters: req.params })

      if (areValidationErrors(req, res)) return
      if (!await isVideoExist(req.params.id, res, fetchType)) return

      const video: VideoModel = res.locals.video

      // Video private or blacklisted
      if (video.privacy === VideoPrivacy.PRIVATE || video.VideoBlacklist) {
        await authenticatePromiseIfNeeded(req, res)

        const user: UserModel = res.locals.oauth ? res.locals.oauth.token.User : null

        // Only the owner or a user that have blacklist rights can see the video
        if (
          !user ||
          (video.VideoChannel.Account.userId !== user.id && !user.hasRight(UserRight.MANAGE_VIDEO_BLACKLIST))
        ) {
          return res.status(403)
                    .json({ error: 'Cannot get this private or blacklisted video.' })
        }

        return next()
      }

      // Video is public, anyone can access it
      if (video.privacy === VideoPrivacy.PUBLIC) return next()

      // Video is unlisted, check we used the uuid to fetch it
      if (video.privacy === VideoPrivacy.UNLISTED) {
        if (isUUIDValid(req.params.id)) return next()

        // Don't leak this unlisted video
        return res.status(404).end()
      }
    }
  ]
}

const videosGetValidator = videosCustomGetValidator('all')

const videosRemoveValidator = [
  param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),

  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking videosRemove parameters', { parameters: req.params })

    if (areValidationErrors(req, res)) return
    if (!await isVideoExist(req.params.id, res)) return

    // Check if the user who did the request is able to delete the video
    if (!checkUserCanManageVideo(res.locals.oauth.token.User, res.locals.video, UserRight.REMOVE_ANY_VIDEO, res)) return

    return next()
  }
]

const videosChangeOwnershipValidator = [
  param('videoId').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),

  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking changeOwnership parameters', { parameters: req.params })

    if (areValidationErrors(req, res)) return
    if (!await isVideoExist(req.params.videoId, res)) return

    // Check if the user who did the request is able to change the ownership of the video
    if (!checkUserCanManageVideo(res.locals.oauth.token.User, res.locals.video, UserRight.CHANGE_VIDEO_OWNERSHIP, res)) return

    const nextOwner = await AccountModel.loadLocalByName(req.body.username)
    if (!nextOwner) {
      res.status(400)
        .json({ error: 'Changing video ownership to a remote account is not supported yet' })

      return
    }
    res.locals.nextOwner = nextOwner

    return next()
  }
]

const videosTerminateChangeOwnershipValidator = [
  param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),

  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking changeOwnership parameters', { parameters: req.params })

    if (areValidationErrors(req, res)) return
    if (!await doesChangeVideoOwnershipExist(req.params.id, res)) return

    // Check if the user who did the request is able to change the ownership of the video
    if (!checkUserCanTerminateOwnershipChange(res.locals.oauth.token.User, res.locals.videoChangeOwnership, res)) return

    return next()
  },
  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    const videoChangeOwnership = res.locals.videoChangeOwnership as VideoChangeOwnershipModel

    if (videoChangeOwnership.status === VideoChangeOwnershipStatus.WAITING) {
      return next()
    } else {
      res.status(403)
        .json({ error: 'Ownership already accepted or refused' })

      return
    }
  }
]

const videosAcceptChangeOwnershipValidator = [
  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    const body = req.body as VideoChangeOwnershipAccept
    if (!await isVideoChannelOfAccountExist(body.channelId, res.locals.oauth.token.User, res)) return

    const user = res.locals.oauth.token.User
    const videoChangeOwnership = res.locals.videoChangeOwnership as VideoChangeOwnershipModel
    const isAble = await user.isAbleToUploadVideo(videoChangeOwnership.Video.getOriginalFile())
    if (isAble === false) {
      res.status(403)
        .json({ error: 'The user video quota is exceeded with this video.' })

      return
    }

    return next()
  }
]

function getCommonVideoAttributes () {
  return [
    body('thumbnailfile')
      .custom((value, { req }) => isVideoImage(req.files, 'thumbnailfile')).withMessage(
      'This thumbnail file is not supported or too large. Please, make sure it is of the following type: '
      + CONSTRAINTS_FIELDS.VIDEOS.IMAGE.EXTNAME.join(', ')
    ),
    body('previewfile')
      .custom((value, { req }) => isVideoImage(req.files, 'previewfile')).withMessage(
      'This preview file is not supported or too large. Please, make sure it is of the following type: '
      + CONSTRAINTS_FIELDS.VIDEOS.IMAGE.EXTNAME.join(', ')
    ),

    body('category')
      .optional()
      .customSanitizer(toIntOrNull)
      .custom(isVideoCategoryValid).withMessage('Should have a valid category'),
    body('licence')
      .optional()
      .customSanitizer(toIntOrNull)
      .custom(isVideoLicenceValid).withMessage('Should have a valid licence'),
    body('language')
      .optional()
      .customSanitizer(toValueOrNull)
      .custom(isVideoLanguageValid).withMessage('Should have a valid language'),
    body('nsfw')
      .optional()
      .toBoolean()
      .custom(isBooleanValid).withMessage('Should have a valid NSFW attribute'),
    body('waitTranscoding')
      .optional()
      .toBoolean()
      .custom(isBooleanValid).withMessage('Should have a valid wait transcoding attribute'),
    body('privacy')
      .optional()
      .toInt()
      .custom(isVideoPrivacyValid).withMessage('Should have correct video privacy'),
    body('description')
      .optional()
      .customSanitizer(toValueOrNull)
      .custom(isVideoDescriptionValid).withMessage('Should have a valid description'),
    body('support')
      .optional()
      .customSanitizer(toValueOrNull)
      .custom(isVideoSupportValid).withMessage('Should have a valid support text'),
    body('tags')
      .optional()
      .customSanitizer(toValueOrNull)
      .custom(isVideoTagsValid).withMessage('Should have correct tags'),
    body('commentsEnabled')
      .optional()
      .toBoolean()
      .custom(isBooleanValid).withMessage('Should have comments enabled boolean'),

    body('scheduleUpdate')
      .optional()
      .customSanitizer(toValueOrNull),
    body('scheduleUpdate.updateAt')
      .optional()
      .custom(isDateValid).withMessage('Should have a valid schedule update date'),
    body('scheduleUpdate.privacy')
      .optional()
      .toInt()
      .custom(isScheduleVideoUpdatePrivacyValid).withMessage('Should have correct schedule update privacy')
  ] as (ValidationChain | express.Handler)[]
}

const commonVideosFiltersValidator = [
  query('categoryOneOf')
    .optional()
    .customSanitizer(toArray)
    .custom(isNumberArray).withMessage('Should have a valid one of category array'),
  query('licenceOneOf')
    .optional()
    .customSanitizer(toArray)
    .custom(isNumberArray).withMessage('Should have a valid one of licence array'),
  query('languageOneOf')
    .optional()
    .customSanitizer(toArray)
    .custom(isStringArray).withMessage('Should have a valid one of language array'),
  query('tagsOneOf')
    .optional()
    .customSanitizer(toArray)
    .custom(isStringArray).withMessage('Should have a valid one of tags array'),
  query('tagsAllOf')
    .optional()
    .customSanitizer(toArray)
    .custom(isStringArray).withMessage('Should have a valid all of tags array'),
  query('nsfw')
    .optional()
    .custom(isNSFWQueryValid).withMessage('Should have a valid NSFW attribute'),
  query('filter')
    .optional()
    .custom(isVideoFilterValid).withMessage('Should have a valid filter attribute'),

  (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking commons video filters query', { parameters: req.query })

    if (areValidationErrors(req, res)) return

    const user: UserModel = res.locals.oauth ? res.locals.oauth.token.User : undefined
    if (req.query.filter === 'all-local' && (!user || user.hasRight(UserRight.SEE_ALL_VIDEOS) === false)) {
      res.status(401)
         .json({ error: 'You are not allowed to see all local videos.' })

      return
    }

    return next()
  }
]

// ---------------------------------------------------------------------------

export {
  videosAddValidator,
  videosUpdateValidator,
  videosGetValidator,
  checkVideoFollowConstraints,
  videosCustomGetValidator,
  videosRemoveValidator,

  videosChangeOwnershipValidator,
  videosTerminateChangeOwnershipValidator,
  videosAcceptChangeOwnershipValidator,

  getCommonVideoAttributes,

  commonVideosFiltersValidator
}

// ---------------------------------------------------------------------------

function areErrorsInScheduleUpdate (req: express.Request, res: express.Response) {
  if (req.body.scheduleUpdate) {
    if (!req.body.scheduleUpdate.updateAt) {
      logger.warn('Invalid parameters: scheduleUpdate.updateAt is mandatory.')

      res.status(400)
         .json({ error: 'Schedule update at is mandatory.' })

      return true
    }
  }

  return false
}
Commit	Line	Data
69818c93	1	import * as express from 'express'
3fd3ab2d	2	import 'express-validator'
1cd3facc	3	import { body, param, query, ValidationChain } from 'express-validator/check'
6e46de09	4	import { UserRight, VideoChangeOwnershipStatus, VideoPrivacy } from '../../../../shared'
b60e5f38	5	import {
2baea0c7 C	6	isBooleanValid,
	7	isDateValid,
	8	isIdOrUUIDValid,
	9	isIdValid,
	10	isUUIDValid,
1cd3facc	11	toArray,
2baea0c7 C	12	toIntOrNull,
2baea0c7 C	13	toValueOrNull
6e46de09	14	} from '../../../helpers/custom-validators/misc'
2baea0c7	15	import {
40e87e9e	16	checkUserCanManageVideo,
2baea0c7	17	isScheduleVideoUpdatePrivacyValid,
ac81d1a0	18	isVideoCategoryValid,
0f320037	19	isVideoChannelOfAccountExist,
ac81d1a0 C	20	isVideoDescriptionValid,
	21	isVideoExist,
	22	isVideoFile,
1cd3facc	23	isVideoFilterValid,
ac81d1a0 C	24	isVideoImage,
	25	isVideoLanguageValid,
	26	isVideoLicenceValid,
	27	isVideoNameValid,
	28	isVideoPrivacyValid,
360329cc	29	isVideoSupportValid,
4157cdb1	30	isVideoTagsValid
6e46de09 C	31	} from '../../../helpers/custom-validators/videos'
	32	import { getDurationFromVideoFile } from '../../../helpers/ffmpeg-utils'
	33	import { logger } from '../../../helpers/logger'
8d427346 C	34	import { CONFIG, CONSTRAINTS_FIELDS } from '../../../initializers'
8d427346 C	35	import { authenticatePromiseIfNeeded } from '../../oauth'
6e46de09 C	36	import { areValidationErrors } from '../utils'
	37	import { cleanUpReqFiles } from '../../../helpers/express-utils'
	38	import { VideoModel } from '../../../models/video/video'
	39	import { UserModel } from '../../../models/account/user'
	40	import { checkUserCanTerminateOwnershipChange, doesChangeVideoOwnershipExist } from '../../../helpers/custom-validators/video-ownership'
	41	import { VideoChangeOwnershipAccept } from '../../../../shared/models/videos/video-change-ownership-accept.model'
	42	import { VideoChangeOwnershipModel } from '../../../models/video/video-change-ownership'
	43	import { AccountModel } from '../../../models/account/account'
	44	import { VideoFetchType } from '../../../helpers/video'
1cd3facc	45	import { isNSFWQueryValid, isNumberArray, isStringArray } from '../../../helpers/custom-validators/search'
8d427346	46	import { getServerActor } from '../../../helpers/utils'
34ca3b52	47
a920fef1	48	const videosAddValidator = getCommonVideoAttributes().concat([
0c237b19 C	49	body('videofile')
0c237b19 C	50	.custom((value, { req }) => isVideoFile(req.files)).withMessage(
40e87e9e	51	'This file is not supported or too large. Please, make sure it is of the following type: '
0c237b19 C	52	+ CONSTRAINTS_FIELDS.VIDEOS.EXTNAME.join(', ')
0c237b19 C	53	),
b60e5f38	54	body('name').custom(isVideoNameValid).withMessage('Should have a valid name'),
0f320037 C	55	body('channelId')
0f320037 C	56	.toInt()
2baea0c7	57	.custom(isIdValid).withMessage('Should have correct video channel id'),
b60e5f38	58
a2431b7d	59	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
b60e5f38 C	60	logger.debug('Checking videosAdd parameters', { parameters: req.body, files: req.files })
b60e5f38 C	61
cf7a61b5 C	62	if (areValidationErrors(req, res)) return cleanUpReqFiles(req)
cf7a61b5 C	63	if (areErrorsInScheduleUpdate(req, res)) return cleanUpReqFiles(req)
a2431b7d C	64
	65	const videoFile: Express.Multer.File = req.files['videofile'][0]
	66	const user = res.locals.oauth.token.User
b60e5f38	67
cf7a61b5	68	if (!await isVideoChannelOfAccountExist(req.body.channelId, user, res)) return cleanUpReqFiles(req)
a2431b7d C	69
	70	const isAble = await user.isAbleToUploadVideo(videoFile)
	71	if (isAble === false) {
	72	res.status(403)
	73	.json({ error: 'The user video quota is exceeded with this video.' })
a2431b7d	74
cf7a61b5	75	return cleanUpReqFiles(req)
a2431b7d C	76	}
	77
	78	let duration: number
	79
	80	try {
	81	duration = await getDurationFromVideoFile(videoFile.path)
	82	} catch (err) {
d5b7d911	83	logger.error('Invalid input file in videosAddValidator.', { err })
a2431b7d C	84	res.status(400)
a2431b7d C	85	.json({ error: 'Invalid input file.' })
a2431b7d	86
cf7a61b5	87	return cleanUpReqFiles(req)
a2431b7d C	88	}
a2431b7d C	89
a2431b7d C	90	videoFile['duration'] = duration
	91
	92	return next()
b60e5f38	93	}
a920fef1	94	])
b60e5f38	95
a920fef1	96	const videosUpdateValidator = getCommonVideoAttributes().concat([
72c7248b	97	param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
360329cc C	98	body('name')
	99	.optional()
	100	.custom(isVideoNameValid).withMessage('Should have a valid name'),
0f320037 C	101	body('channelId')
	102	.optional()
	103	.toInt()
	104	.custom(isIdValid).withMessage('Should have correct video channel id'),
b60e5f38	105
a2431b7d	106	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
b60e5f38 C	107	logger.debug('Checking videosUpdate parameters', { parameters: req.body })
b60e5f38 C	108
cf7a61b5 C	109	if (areValidationErrors(req, res)) return cleanUpReqFiles(req)
	110	if (areErrorsInScheduleUpdate(req, res)) return cleanUpReqFiles(req)
	111	if (!await isVideoExist(req.params.id, res)) return cleanUpReqFiles(req)
a2431b7d C	112
	113	const video = res.locals.video
	114
6221f311	115	// Check if the user who did the request is able to update the video
0f320037	116	const user = res.locals.oauth.token.User
cf7a61b5	117	if (!checkUserCanManageVideo(user, res.locals.video, UserRight.UPDATE_ANY_VIDEO, res)) return cleanUpReqFiles(req)
a2431b7d C	118
a2431b7d C	119	if (video.privacy !== VideoPrivacy.PRIVATE && req.body.privacy === VideoPrivacy.PRIVATE) {
cf7a61b5	120	cleanUpReqFiles(req)
a2431b7d	121	return res.status(409)
bbe0f064	122	.json({ error: 'Cannot set "private" a video that was not private.' })
a2431b7d C	123	}
a2431b7d C	124
cf7a61b5	125	if (req.body.channelId && !await isVideoChannelOfAccountExist(req.body.channelId, user, res)) return cleanUpReqFiles(req)
0f320037	126
a2431b7d	127	return next()
b60e5f38	128	}
a920fef1	129	])
c173e565	130
8d427346 C	131	async function checkVideoFollowConstraints (req: express.Request, res: express.Response, next: express.NextFunction) {
	132	const video: VideoModel = res.locals.video
	133
	134	// Anybody can watch local videos
	135	if (video.isOwned() === true) return next()
	136
	137	// Logged user
	138	if (res.locals.oauth) {
	139	// Users can search or watch remote videos
	140	if (CONFIG.SEARCH.REMOTE_URI.USERS === true) return next()
	141	}
	142
	143	// Anybody can search or watch remote videos
	144	if (CONFIG.SEARCH.REMOTE_URI.ANONYMOUS === true) return next()
	145
	146	// Check our instance follows an actor that shared this video
	147	const serverActor = await getServerActor()
	148	if (await VideoModel.checkVideoHasInstanceFollow(video.id, serverActor.id) === true) return next()
	149
	150	return res.status(403)
	151	.json({
	152	error: 'Cannot get this video regarding follow constraints.'
	153	})
	154	}
	155
96f29c0f C	156	const videosCustomGetValidator = (fetchType: VideoFetchType) => {
	157	return [
	158	param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
7b1f49de	159
96f29c0f C	160	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
96f29c0f C	161	logger.debug('Checking videosGet parameters', { parameters: req.params })
11474c3c	162
96f29c0f C	163	if (areValidationErrors(req, res)) return
96f29c0f C	164	if (!await isVideoExist(req.params.id, res, fetchType)) return
191764f3	165
96f29c0f	166	const video: VideoModel = res.locals.video
191764f3	167
96f29c0f C	168	// Video private or blacklisted
96f29c0f C	169	if (video.privacy === VideoPrivacy.PRIVATE \|\| video.VideoBlacklist) {
8d427346 C	170	await authenticatePromiseIfNeeded(req, res)
	171
	172	const user: UserModel = res.locals.oauth ? res.locals.oauth.token.User : null
191764f3	173
8d427346 C	174	// Only the owner or a user that have blacklist rights can see the video
	175	if (
	176	!user \|\|
	177	(video.VideoChannel.Account.userId !== user.id && !user.hasRight(UserRight.MANAGE_VIDEO_BLACKLIST))
	178	) {
	179	return res.status(403)
	180	.json({ error: 'Cannot get this private or blacklisted video.' })
	181	}
191764f3	182
8d427346	183	return next()
96f29c0f	184	}
11474c3c	185
96f29c0f C	186	// Video is public, anyone can access it
96f29c0f C	187	if (video.privacy === VideoPrivacy.PUBLIC) return next()
11474c3c	188
96f29c0f C	189	// Video is unlisted, check we used the uuid to fetch it
	190	if (video.privacy === VideoPrivacy.UNLISTED) {
	191	if (isUUIDValid(req.params.id)) return next()
81ebea48	192
96f29c0f C	193	// Don't leak this unlisted video
	194	return res.status(404).end()
	195	}
81ebea48	196	}
96f29c0f C	197	]
	198	}
	199
	200	const videosGetValidator = videosCustomGetValidator('all')
34ca3b52	201
b60e5f38	202	const videosRemoveValidator = [
72c7248b	203	param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
34ca3b52	204
a2431b7d	205	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
b60e5f38	206	logger.debug('Checking videosRemove parameters', { parameters: req.params })
34ca3b52	207
a2431b7d C	208	if (areValidationErrors(req, res)) return
	209	if (!await isVideoExist(req.params.id, res)) return
	210
	211	// Check if the user who did the request is able to delete the video
6221f311	212	if (!checkUserCanManageVideo(res.locals.oauth.token.User, res.locals.video, UserRight.REMOVE_ANY_VIDEO, res)) return
a2431b7d C	213
a2431b7d C	214	return next()
b60e5f38 C	215	}
b60e5f38 C	216	]
34ca3b52	217
74d63469 GR	218	const videosChangeOwnershipValidator = [
	219	param('videoId').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
	220
	221	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
	222	logger.debug('Checking changeOwnership parameters', { parameters: req.params })
	223
	224	if (areValidationErrors(req, res)) return
	225	if (!await isVideoExist(req.params.videoId, res)) return
	226
	227	// Check if the user who did the request is able to change the ownership of the video
	228	if (!checkUserCanManageVideo(res.locals.oauth.token.User, res.locals.video, UserRight.CHANGE_VIDEO_OWNERSHIP, res)) return
	229
	230	const nextOwner = await AccountModel.loadLocalByName(req.body.username)
	231	if (!nextOwner) {
	232	res.status(400)
9ccff238 LD	233	.json({ error: 'Changing video ownership to a remote account is not supported yet' })
9ccff238 LD	234
74d63469 GR	235	return
	236	}
	237	res.locals.nextOwner = nextOwner
	238
	239	return next()
	240	}
	241	]
	242
	243	const videosTerminateChangeOwnershipValidator = [
	244	param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
	245
	246	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
	247	logger.debug('Checking changeOwnership parameters', { parameters: req.params })
	248
	249	if (areValidationErrors(req, res)) return
	250	if (!await doesChangeVideoOwnershipExist(req.params.id, res)) return
	251
	252	// Check if the user who did the request is able to change the ownership of the video
	253	if (!checkUserCanTerminateOwnershipChange(res.locals.oauth.token.User, res.locals.videoChangeOwnership, res)) return
	254
	255	return next()
	256	},
	257	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
	258	const videoChangeOwnership = res.locals.videoChangeOwnership as VideoChangeOwnershipModel
	259
	260	if (videoChangeOwnership.status === VideoChangeOwnershipStatus.WAITING) {
	261	return next()
	262	} else {
	263	res.status(403)
	264	.json({ error: 'Ownership already accepted or refused' })
9ccff238	265
74d63469 GR	266	return
	267	}
	268	}
	269	]
	270
	271	const videosAcceptChangeOwnershipValidator = [
	272	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
	273	const body = req.body as VideoChangeOwnershipAccept
	274	if (!await isVideoChannelOfAccountExist(body.channelId, res.locals.oauth.token.User, res)) return
	275
	276	const user = res.locals.oauth.token.User
	277	const videoChangeOwnership = res.locals.videoChangeOwnership as VideoChangeOwnershipModel
	278	const isAble = await user.isAbleToUploadVideo(videoChangeOwnership.Video.getOriginalFile())
	279	if (isAble === false) {
	280	res.status(403)
	281	.json({ error: 'The user video quota is exceeded with this video.' })
9ccff238	282
74d63469 GR	283	return
	284	}
	285
	286	return next()
	287	}
	288	]
	289
a920fef1 C	290	function getCommonVideoAttributes () {
	291	return [
	292	body('thumbnailfile')
	293	.custom((value, { req }) => isVideoImage(req.files, 'thumbnailfile')).withMessage(
	294	'This thumbnail file is not supported or too large. Please, make sure it is of the following type: '
	295	+ CONSTRAINTS_FIELDS.VIDEOS.IMAGE.EXTNAME.join(', ')
	296	),
	297	body('previewfile')
	298	.custom((value, { req }) => isVideoImage(req.files, 'previewfile')).withMessage(
	299	'This preview file is not supported or too large. Please, make sure it is of the following type: '
	300	+ CONSTRAINTS_FIELDS.VIDEOS.IMAGE.EXTNAME.join(', ')
	301	),
	302
	303	body('category')
	304	.optional()
	305	.customSanitizer(toIntOrNull)
	306	.custom(isVideoCategoryValid).withMessage('Should have a valid category'),
	307	body('licence')
	308	.optional()
	309	.customSanitizer(toIntOrNull)
	310	.custom(isVideoLicenceValid).withMessage('Should have a valid licence'),
	311	body('language')
	312	.optional()
	313	.customSanitizer(toValueOrNull)
	314	.custom(isVideoLanguageValid).withMessage('Should have a valid language'),
	315	body('nsfw')
	316	.optional()
	317	.toBoolean()
	318	.custom(isBooleanValid).withMessage('Should have a valid NSFW attribute'),
	319	body('waitTranscoding')
	320	.optional()
	321	.toBoolean()
	322	.custom(isBooleanValid).withMessage('Should have a valid wait transcoding attribute'),
	323	body('privacy')
	324	.optional()
	325	.toInt()
	326	.custom(isVideoPrivacyValid).withMessage('Should have correct video privacy'),
	327	body('description')
	328	.optional()
	329	.customSanitizer(toValueOrNull)
	330	.custom(isVideoDescriptionValid).withMessage('Should have a valid description'),
	331	body('support')
	332	.optional()
	333	.customSanitizer(toValueOrNull)
	334	.custom(isVideoSupportValid).withMessage('Should have a valid support text'),
	335	body('tags')
	336	.optional()
	337	.customSanitizer(toValueOrNull)
	338	.custom(isVideoTagsValid).withMessage('Should have correct tags'),
	339	body('commentsEnabled')
	340	.optional()
	341	.toBoolean()
	342	.custom(isBooleanValid).withMessage('Should have comments enabled boolean'),
	343
	344	body('scheduleUpdate')
	345	.optional()
	346	.customSanitizer(toValueOrNull),
	347	body('scheduleUpdate.updateAt')
	348	.optional()
	349	.custom(isDateValid).withMessage('Should have a valid schedule update date'),
	350	body('scheduleUpdate.privacy')
	351	.optional()
	352	.toInt()
	353	.custom(isScheduleVideoUpdatePrivacyValid).withMessage('Should have correct schedule update privacy')
354	] as (ValidationChain \| express.Handler)[]
355	}
fbad87b0	356
1cd3facc C	357	const commonVideosFiltersValidator = [
	358	query('categoryOneOf')
	359	.optional()
	360	.customSanitizer(toArray)
	361	.custom(isNumberArray).withMessage('Should have a valid one of category array'),
	362	query('licenceOneOf')
	363	.optional()
	364	.customSanitizer(toArray)
	365	.custom(isNumberArray).withMessage('Should have a valid one of licence array'),
	366	query('languageOneOf')
	367	.optional()
	368	.customSanitizer(toArray)
	369	.custom(isStringArray).withMessage('Should have a valid one of language array'),
	370	query('tagsOneOf')
	371	.optional()
	372	.customSanitizer(toArray)
	373	.custom(isStringArray).withMessage('Should have a valid one of tags array'),
	374	query('tagsAllOf')
	375	.optional()
	376	.customSanitizer(toArray)
	377	.custom(isStringArray).withMessage('Should have a valid all of tags array'),
	378	query('nsfw')
	379	.optional()
	380	.custom(isNSFWQueryValid).withMessage('Should have a valid NSFW attribute'),
	381	query('filter')
	382	.optional()
	383	.custom(isVideoFilterValid).withMessage('Should have a valid filter attribute'),
	384
	385	(req: express.Request, res: express.Response, next: express.NextFunction) => {
	386	logger.debug('Checking commons video filters query', { parameters: req.query })
	387
	388	if (areValidationErrors(req, res)) return
	389
	390	const user: UserModel = res.locals.oauth ? res.locals.oauth.token.User : undefined
	391	if (req.query.filter === 'all-local' && (!user \|\| user.hasRight(UserRight.SEE_ALL_VIDEOS) === false)) {
	392	res.status(401)
	393	.json({ error: 'You are not allowed to see all local videos.' })
	394
	395	return
	396	}
	397
	398	return next()
	399	}
	400	]
	401
fbad87b0 C	402	// ---------------------------------------------------------------------------
	403
	404	export {
	405	videosAddValidator,
	406	videosUpdateValidator,
	407	videosGetValidator,
8d427346	408	checkVideoFollowConstraints,
96f29c0f	409	videosCustomGetValidator,
fbad87b0	410	videosRemoveValidator,
fbad87b0	411
74d63469 GR	412	videosChangeOwnershipValidator,
	413	videosTerminateChangeOwnershipValidator,
	414	videosAcceptChangeOwnershipValidator,
	415
1cd3facc C	416	getCommonVideoAttributes,
	417
	418	commonVideosFiltersValidator
fbad87b0 C	419	}
	420
	421	// ---------------------------------------------------------------------------
	422
	423	function areErrorsInScheduleUpdate (req: express.Request, res: express.Response) {
	424	if (req.body.scheduleUpdate) {
	425	if (!req.body.scheduleUpdate.updateAt) {
7373507f C	426	logger.warn('Invalid parameters: scheduleUpdate.updateAt is mandatory.')
7373507f C	427
fbad87b0 C	428	res.status(400)
fbad87b0 C	429	.json({ error: 'Schedule update at is mandatory.' })
fbad87b0 C	430
	431	return true
	432	}
	433	}
	434
	435	return false
	436	}