[github/Chocobozzz/PeerTube.git] / server / middlewares / validators / videos.ts

import * as express from 'express'
import { body, param, query } from 'express-validator/check'
import { UserRight, VideoPrivacy } from '../../../shared'
import { isIdOrUUIDValid, isIdValid } from '../../helpers/custom-validators/misc'
import {
  checkVideoExists,
  isVideoAbuseReasonValid,
  isVideoCategoryValid,
  isVideoDescriptionValid,
  isVideoDurationValid,
  isVideoFile,
  isVideoLanguageValid,
  isVideoLicenceValid,
  isVideoNameValid,
  isVideoNSFWValid,
  isVideoPrivacyValid,
  isVideoRatingTypeValid,
  isVideoTagsValid
} from '../../helpers/custom-validators/videos'
import { getDurationFromVideoFile } from '../../helpers/ffmpeg-utils'
import { logger } from '../../helpers/logger'
import { CONSTRAINTS_FIELDS, SEARCHABLE_COLUMNS } from '../../initializers'

import { database as db } from '../../initializers/database'
import { UserInstance } from '../../models/account/user-interface'
import { authenticate } from '../oauth'
import { areValidationErrors, checkErrors } from './utils'
import { isVideoExistsPromise } from '../../helpers/index'

const videosAddValidator = [
  body('videofile').custom((value, { req }) => isVideoFile(req.files)).withMessage(
    'This file is not supported. Please, make sure it is of the following type : '
    + CONSTRAINTS_FIELDS.VIDEOS.EXTNAME.join(', ')
  ),
  body('name').custom(isVideoNameValid).withMessage('Should have a valid name'),
  body('category').custom(isVideoCategoryValid).withMessage('Should have a valid category'),
  body('licence').custom(isVideoLicenceValid).withMessage('Should have a valid licence'),
  body('language').optional().custom(isVideoLanguageValid).withMessage('Should have a valid language'),
  body('nsfw').custom(isVideoNSFWValid).withMessage('Should have a valid NSFW attribute'),
  body('description').custom(isVideoDescriptionValid).withMessage('Should have a valid description'),
  body('channelId').custom(isIdValid).withMessage('Should have correct video channel id'),
  body('privacy').custom(isVideoPrivacyValid).withMessage('Should have correct video privacy'),
  body('tags').optional().custom(isVideoTagsValid).withMessage('Should have correct tags'),

  (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking videosAdd parameters', { parameters: req.body, files: req.files })

    checkErrors(req, res, () => {
      const videoFile: Express.Multer.File = req.files['videofile'][0]
      const user = res.locals.oauth.token.User

      return db.VideoChannel.loadByIdAndAccount(req.body.channelId, user.Account.id)
        .then(videoChannel => {
          if (!videoChannel) {
            res.status(400)
              .json({ error: 'Unknown video video channel for this account.' })
              .end()

            return undefined
          }

          res.locals.videoChannel = videoChannel

          return user.isAbleToUploadVideo(videoFile)
        })
        .then(isAble => {
          if (isAble === false) {
            res.status(403)
               .json({ error: 'The user video quota is exceeded with this video.' })
               .end()

            return undefined
          }

          return getDurationFromVideoFile(videoFile.path)
            .catch(err => {
              logger.error('Invalid input file in videosAddValidator.', err)
              res.status(400)
                 .json({ error: 'Invalid input file.' })
                 .end()

              return undefined
            })
        })
        .then(duration => {
          // Previous test failed, abort
          if (duration === undefined) return undefined

          if (!isVideoDurationValid('' + duration)) {
            return res.status(400)
                      .json({
                        error: 'Duration of the video file is too big (max: ' + CONSTRAINTS_FIELDS.VIDEOS.DURATION.max + 's).'
                      })
                      .end()
          }

          videoFile['duration'] = duration
          next()
        })
        .catch(err => {
          logger.error('Error in video add validator', err)
          res.sendStatus(500)

          return undefined
        })
    })
  }
]

const videosUpdateValidator = [
  param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
  body('name').optional().custom(isVideoNameValid).withMessage('Should have a valid name'),
  body('category').optional().custom(isVideoCategoryValid).withMessage('Should have a valid category'),
  body('licence').optional().custom(isVideoLicenceValid).withMessage('Should have a valid licence'),
  body('language').optional().custom(isVideoLanguageValid).withMessage('Should have a valid language'),
  body('nsfw').optional().custom(isVideoNSFWValid).withMessage('Should have a valid NSFW attribute'),
  body('privacy').optional().custom(isVideoPrivacyValid).withMessage('Should have correct video privacy'),
  body('description').optional().custom(isVideoDescriptionValid).withMessage('Should have a valid description'),
  body('tags').optional().custom(isVideoTagsValid).withMessage('Should have correct tags'),

  (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking videosUpdate parameters', { parameters: req.body })

    checkErrors(req, res, () => {
      checkVideoExists(req.params.id, res, () => {
        const video = res.locals.video

        // We need to make additional checks
        if (video.isOwned() === false) {
          return res.status(403)
                    .json({ error: 'Cannot update video of another server' })
                    .end()
        }

        if (video.VideoChannel.Account.userId !== res.locals.oauth.token.User.id) {
          return res.status(403)
                    .json({ error: 'Cannot update video of another user' })
                    .end()
        }

        if (video.privacy !== VideoPrivacy.PRIVATE && req.body.privacy === VideoPrivacy.PRIVATE) {
          return res.status(409)
            .json({ error: 'Cannot set "private" a video that was not private anymore.' })
            .end()
        }

        next()
      })
    })
  }
]

const videosGetValidator = [
  param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),

  (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking videosGet parameters', { parameters: req.params })

    checkErrors(req, res, () => {
      checkVideoExists(req.params.id, res, () => {
        const video = res.locals.video

        // Video is not private, anyone can access it
        if (video.privacy !== VideoPrivacy.PRIVATE) return next()

        authenticate(req, res, () => {
          if (video.VideoChannel.Account.userId !== res.locals.oauth.token.User.id) {
            return res.status(403)
              .json({ error: 'Cannot get this private video of another user' })
              .end()
          }

          next()
        })
      })
    })
  }
]

const videosRemoveValidator = [
  param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),

  (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking videosRemove parameters', { parameters: req.params })

    checkErrors(req, res, () => {
      checkVideoExists(req.params.id, res, () => {
        // Check if the user who did the request is able to delete the video
        checkUserCanDeleteVideo(res.locals.oauth.token.User, res, () => {
          next()
        })
      })
    })
  }
]

const videosSearchValidator = [
  param('value').not().isEmpty().withMessage('Should have a valid search'),
  query('field').optional().isIn(SEARCHABLE_COLUMNS.VIDEOS).withMessage('Should have correct searchable column'),

  (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking videosSearch parameters', { parameters: req.params })

    checkErrors(req, res, next)
  }
]

const videoAbuseReportValidator = [
  param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
  body('reason').custom(isVideoAbuseReasonValid).withMessage('Should have a valid reason'),

  (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking videoAbuseReport parameters', { parameters: req.body })

    checkErrors(req, res, () => {
      checkVideoExists(req.params.id, res, next)
    })
  }
]

const videoRateValidator = [
  param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
  body('rating').custom(isVideoRatingTypeValid).withMessage('Should have a valid rate type'),

  (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking videoRate parameters', { parameters: req.body })

    checkErrors(req, res, () => {
      checkVideoExists(req.params.id, res, next)
    })
  }
]

const videosShareValidator = [
  param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
  param('accountId').custom(isIdValid).not().isEmpty().withMessage('Should have a valid account id'),

  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking videoShare parameters', { parameters: req.params })

    if (areValidationErrors(req, res)) return
    if (!await isVideoExistsPromise(req.params.id, res)) return

    const share = await db.VideoShare.load(req.params.accountId, res.locals.video.id)
    if (!share) {
      return res.status(404)
        .end()
    }

    res.locals.videoShare = share

    return next()
  }
]

// ---------------------------------------------------------------------------

export {
  videosAddValidator,
  videosUpdateValidator,
  videosGetValidator,
  videosRemoveValidator,
  videosSearchValidator,
  videosShareValidator,

  videoAbuseReportValidator,

  videoRateValidator
}

// ---------------------------------------------------------------------------

function checkUserCanDeleteVideo (user: UserInstance, res: express.Response, callback: () => void) {
  // Retrieve the user who did the request
  if (res.locals.video.isOwned() === false) {
    return res.status(403)
              .json({ error: 'Cannot remove video of another server, blacklist it' })
              .end()
  }

  // Check if the user can delete the video
  // The user can delete it if s/he is an admin
  // Or if s/he is the video's account
  const account = res.locals.video.VideoChannel.Account
  if (user.hasRight(UserRight.REMOVE_ANY_VIDEO) === false && account.userId !== user.id) {
    return res.status(403)
              .json({ error: 'Cannot remove video of another user' })
              .end()
  }

  // If we reach this comment, we can delete the video
  callback()
}
Commit	Line	Data
69818c93	1	import * as express from 'express'
8d468a16 C	2	import { body, param, query } from 'express-validator/check'
	3	import { UserRight, VideoPrivacy } from '../../../shared'
	4	import { isIdOrUUIDValid, isIdValid } from '../../helpers/custom-validators/misc'
b60e5f38	5	import {
8d468a16 C	6	checkVideoExists,
8d468a16 C	7	isVideoAbuseReasonValid,
b60e5f38	8	isVideoCategoryValid,
b60e5f38	9	isVideoDescriptionValid,
8d468a16 C	10	isVideoDurationValid,
8d468a16 C	11	isVideoFile,
b60e5f38	12	isVideoLanguageValid,
8d468a16 C	13	isVideoLicenceValid,
8d468a16 C	14	isVideoNameValid,
b60e5f38	15	isVideoNSFWValid,
8d468a16	16	isVideoPrivacyValid,
14d3270f	17	isVideoRatingTypeValid,
8d468a16 C	18	isVideoTagsValid
	19	} from '../../helpers/custom-validators/videos'
	20	import { getDurationFromVideoFile } from '../../helpers/ffmpeg-utils'
	21	import { logger } from '../../helpers/logger'
	22	import { CONSTRAINTS_FIELDS, SEARCHABLE_COLUMNS } from '../../initializers'
	23
	24	import { database as db } from '../../initializers/database'
	25	import { UserInstance } from '../../models/account/user-interface'
11474c3c	26	import { authenticate } from '../oauth'
4e50b6a1 C	27	import { areValidationErrors, checkErrors } from './utils'
4e50b6a1 C	28	import { isVideoExistsPromise } from '../../helpers/index'
34ca3b52	29
b60e5f38	30	const videosAddValidator = [
8376734e	31	body('videofile').custom((value, { req }) => isVideoFile(req.files)).withMessage(
10db166b C	32	'This file is not supported. Please, make sure it is of the following type : '
10db166b C	33	+ CONSTRAINTS_FIELDS.VIDEOS.EXTNAME.join(', ')
8376734e	34	),
b60e5f38 C	35	body('name').custom(isVideoNameValid).withMessage('Should have a valid name'),
	36	body('category').custom(isVideoCategoryValid).withMessage('Should have a valid category'),
	37	body('licence').custom(isVideoLicenceValid).withMessage('Should have a valid licence'),
	38	body('language').optional().custom(isVideoLanguageValid).withMessage('Should have a valid language'),
	39	body('nsfw').custom(isVideoNSFWValid).withMessage('Should have a valid NSFW attribute'),
	40	body('description').custom(isVideoDescriptionValid).withMessage('Should have a valid description'),
72c7248b	41	body('channelId').custom(isIdValid).withMessage('Should have correct video channel id'),
fd45e8f4	42	body('privacy').custom(isVideoPrivacyValid).withMessage('Should have correct video privacy'),
b60e5f38 C	43	body('tags').optional().custom(isVideoTagsValid).withMessage('Should have correct tags'),
	44
	45	(req: express.Request, res: express.Response, next: express.NextFunction) => {
	46	logger.debug('Checking videosAdd parameters', { parameters: req.body, files: req.files })
	47
	48	checkErrors(req, res, () => {
	49	const videoFile: Express.Multer.File = req.files['videofile'][0]
	50	const user = res.locals.oauth.token.User
	51
38fa2065	52	return db.VideoChannel.loadByIdAndAccount(req.body.channelId, user.Account.id)
72c7248b C	53	.then(videoChannel => {
	54	if (!videoChannel) {
	55	res.status(400)
38fa2065	56	.json({ error: 'Unknown video video channel for this account.' })
72c7248b C	57	.end()
	58
	59	return undefined
	60	}
	61
	62	res.locals.videoChannel = videoChannel
	63
	64	return user.isAbleToUploadVideo(videoFile)
	65	})
b60e5f38 C	66	.then(isAble => {
	67	if (isAble === false) {
	68	res.status(403)
	69	.json({ error: 'The user video quota is exceeded with this video.' })
	70	.end()
	71
	72	return undefined
	73	}
	74
14d3270f	75	return getDurationFromVideoFile(videoFile.path)
b60e5f38 C	76	.catch(err => {
	77	logger.error('Invalid input file in videosAddValidator.', err)
	78	res.status(400)
	79	.json({ error: 'Invalid input file.' })
	80	.end()
	81
	82	return undefined
	83	})
	84	})
	85	.then(duration => {
	86	// Previous test failed, abort
d412e80e	87	if (duration === undefined) return undefined
b60e5f38 C	88
	89	if (!isVideoDurationValid('' + duration)) {
	90	return res.status(400)
	91	.json({
	92	error: 'Duration of the video file is too big (max: ' + CONSTRAINTS_FIELDS.VIDEOS.DURATION.max + 's).'
	93	})
	94	.end()
	95	}
	96
	97	videoFile['duration'] = duration
	98	next()
	99	})
	100	.catch(err => {
	101	logger.error('Error in video add validator', err)
	102	res.sendStatus(500)
b0f9f39e C	103
b0f9f39e C	104	return undefined
b60e5f38 C	105	})
	106	})
	107	}
	108	]
	109
	110	const videosUpdateValidator = [
72c7248b	111	param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
b60e5f38 C	112	body('name').optional().custom(isVideoNameValid).withMessage('Should have a valid name'),
	113	body('category').optional().custom(isVideoCategoryValid).withMessage('Should have a valid category'),
	114	body('licence').optional().custom(isVideoLicenceValid).withMessage('Should have a valid licence'),
	115	body('language').optional().custom(isVideoLanguageValid).withMessage('Should have a valid language'),
	116	body('nsfw').optional().custom(isVideoNSFWValid).withMessage('Should have a valid NSFW attribute'),
11474c3c	117	body('privacy').optional().custom(isVideoPrivacyValid).withMessage('Should have correct video privacy'),
b60e5f38 C	118	body('description').optional().custom(isVideoDescriptionValid).withMessage('Should have a valid description'),
	119	body('tags').optional().custom(isVideoTagsValid).withMessage('Should have correct tags'),
	120
	121	(req: express.Request, res: express.Response, next: express.NextFunction) => {
	122	logger.debug('Checking videosUpdate parameters', { parameters: req.body })
	123
	124	checkErrors(req, res, () => {
	125	checkVideoExists(req.params.id, res, () => {
fd45e8f4 C	126	const video = res.locals.video
fd45e8f4 C	127
b60e5f38	128	// We need to make additional checks
fd45e8f4	129	if (video.isOwned() === false) {
b60e5f38	130	return res.status(403)
60862425	131	.json({ error: 'Cannot update video of another server' })
b60e5f38	132	.end()
b0f9f39e C	133	}
b0f9f39e C	134
38fa2065	135	if (video.VideoChannel.Account.userId !== res.locals.oauth.token.User.id) {
b60e5f38 C	136	return res.status(403)
b60e5f38 C	137	.json({ error: 'Cannot update video of another user' })
bfb3a98f	138	.end()
6fcd19ba	139	}
67100f1f	140
fd45e8f4 C	141	if (video.privacy !== VideoPrivacy.PRIVATE && req.body.privacy === VideoPrivacy.PRIVATE) {
	142	return res.status(409)
	143	.json({ error: 'Cannot set "private" a video that was not private anymore.' })
	144	.end()
	145	}
	146
6fcd19ba C	147	next()
6fcd19ba C	148	})
63d00f5d	149	})
b60e5f38 C	150	}
b60e5f38 C	151	]
c173e565	152
b60e5f38	153	const videosGetValidator = [
72c7248b	154	param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
34ca3b52	155
b60e5f38 C	156	(req: express.Request, res: express.Response, next: express.NextFunction) => {
b60e5f38 C	157	logger.debug('Checking videosGet parameters', { parameters: req.params })
7b1f49de	158
b60e5f38	159	checkErrors(req, res, () => {
11474c3c C	160	checkVideoExists(req.params.id, res, () => {
	161	const video = res.locals.video
	162
	163	// Video is not private, anyone can access it
	164	if (video.privacy !== VideoPrivacy.PRIVATE) return next()
	165
	166	authenticate(req, res, () => {
38fa2065	167	if (video.VideoChannel.Account.userId !== res.locals.oauth.token.User.id) {
11474c3c C	168	return res.status(403)
	169	.json({ error: 'Cannot get this private video of another user' })
	170	.end()
	171	}
	172
	173	next()
	174	})
	175	})
b60e5f38 C	176	})
	177	}
	178	]
34ca3b52	179
b60e5f38	180	const videosRemoveValidator = [
72c7248b	181	param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
34ca3b52	182
b60e5f38 C	183	(req: express.Request, res: express.Response, next: express.NextFunction) => {
b60e5f38 C	184	logger.debug('Checking videosRemove parameters', { parameters: req.params })
34ca3b52	185
b60e5f38 C	186	checkErrors(req, res, () => {
	187	checkVideoExists(req.params.id, res, () => {
	188	// Check if the user who did the request is able to delete the video
8d468a16	189	checkUserCanDeleteVideo(res.locals.oauth.token.User, res, () => {
b60e5f38 C	190	next()
b60e5f38 C	191	})
198b205c	192	})
34ca3b52	193	})
b60e5f38 C	194	}
b60e5f38 C	195	]
34ca3b52	196
b60e5f38 C	197	const videosSearchValidator = [
	198	param('value').not().isEmpty().withMessage('Should have a valid search'),
	199	query('field').optional().isIn(SEARCHABLE_COLUMNS.VIDEOS).withMessage('Should have correct searchable column'),
c45f7f84	200
b60e5f38 C	201	(req: express.Request, res: express.Response, next: express.NextFunction) => {
b60e5f38 C	202	logger.debug('Checking videosSearch parameters', { parameters: req.params })
c45f7f84	203
b60e5f38 C	204	checkErrors(req, res, next)
	205	}
	206	]
c45f7f84	207
b60e5f38	208	const videoAbuseReportValidator = [
72c7248b	209	param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
b60e5f38	210	body('reason').custom(isVideoAbuseReasonValid).withMessage('Should have a valid reason'),
55fa55a9	211
b60e5f38 C	212	(req: express.Request, res: express.Response, next: express.NextFunction) => {
b60e5f38 C	213	logger.debug('Checking videoAbuseReport parameters', { parameters: req.body })
55fa55a9	214
b60e5f38 C	215	checkErrors(req, res, () => {
	216	checkVideoExists(req.params.id, res, next)
	217	})
	218	}
	219	]
55fa55a9	220
b60e5f38	221	const videoRateValidator = [
72c7248b	222	param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
b60e5f38	223	body('rating').custom(isVideoRatingTypeValid).withMessage('Should have a valid rate type'),
d38b8281	224
b60e5f38 C	225	(req: express.Request, res: express.Response, next: express.NextFunction) => {
b60e5f38 C	226	logger.debug('Checking videoRate parameters', { parameters: req.body })
d38b8281	227
b60e5f38 C	228	checkErrors(req, res, () => {
	229	checkVideoExists(req.params.id, res, next)
	230	})
	231	}
	232	]
d38b8281	233
4e50b6a1 C	234	const videosShareValidator = [
	235	param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
	236	param('accountId').custom(isIdValid).not().isEmpty().withMessage('Should have a valid account id'),
	237
	238	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
	239	logger.debug('Checking videoShare parameters', { parameters: req.params })
	240
	241	if (areValidationErrors(req, res)) return
	242	if (!await isVideoExistsPromise(req.params.id, res)) return
	243
	244	const share = await db.VideoShare.load(req.params.accountId, res.locals.video.id)
	245	if (!share) {
	246	return res.status(404)
	247	.end()
	248	}
	249
	250	res.locals.videoShare = share
	251
	252	return next()
	253	}
	254	]
	255
9f10b292	256	// ---------------------------------------------------------------------------
c45f7f84	257
65fcc311 C	258	export {
	259	videosAddValidator,
	260	videosUpdateValidator,
	261	videosGetValidator,
	262	videosRemoveValidator,
	263	videosSearchValidator,
4e50b6a1	264	videosShareValidator,
65fcc311 C	265
	266	videoAbuseReportValidator,
	267
35bf0c83	268	videoRateValidator
65fcc311	269	}
7b1f49de C	270
	271	// ---------------------------------------------------------------------------
	272
8d468a16	273	function checkUserCanDeleteVideo (user: UserInstance, res: express.Response, callback: () => void) {
198b205c	274	// Retrieve the user who did the request
11474c3c C	275	if (res.locals.video.isOwned() === false) {
11474c3c C	276	return res.status(403)
60862425	277	.json({ error: 'Cannot remove video of another server, blacklist it' })
11474c3c C	278	.end()
	279	}
	280
	281	// Check if the user can delete the video
	282	// The user can delete it if s/he is an admin
38fa2065 C	283	// Or if s/he is the video's account
38fa2065 C	284	const account = res.locals.video.VideoChannel.Account
38fa2065	285	if (user.hasRight(UserRight.REMOVE_ANY_VIDEO) === false && account.userId !== user.id) {
11474c3c C	286	return res.status(403)
	287	.json({ error: 'Cannot remove video of another user' })
	288	.end()
	289	}
	290
	291	// If we reach this comment, we can delete the video
	292	callback()
198b205c	293	}