]>
Commit | Line | Data |
---|---|---|
1 | import { Request, Response } from 'express' | |
2 | import { loadVideo, VideoLoadType } from '@server/lib/model-loaders' | |
3 | import { authenticatePromiseIfNeeded } from '@server/middlewares/auth' | |
4 | import { VideoModel } from '@server/models/video/video' | |
5 | import { VideoChannelModel } from '@server/models/video/video-channel' | |
6 | import { VideoFileModel } from '@server/models/video/video-file' | |
7 | import { | |
8 | MUser, | |
9 | MUserAccountId, | |
10 | MVideo, | |
11 | MVideoAccountLight, | |
12 | MVideoFormattableDetails, | |
13 | MVideoFullLight, | |
14 | MVideoId, | |
15 | MVideoImmutable, | |
16 | MVideoThumbnail, | |
17 | MVideoWithRights | |
18 | } from '@server/types/models' | |
19 | import { HttpStatusCode, UserRight } from '@shared/models' | |
20 | ||
21 | async function doesVideoExist (id: number | string, res: Response, fetchType: VideoLoadType = 'all') { | |
22 | const userId = res.locals.oauth ? res.locals.oauth.token.User.id : undefined | |
23 | ||
24 | const video = await loadVideo(id, fetchType, userId) | |
25 | ||
26 | if (video === null) { | |
27 | res.fail({ | |
28 | status: HttpStatusCode.NOT_FOUND_404, | |
29 | message: 'Video not found' | |
30 | }) | |
31 | return false | |
32 | } | |
33 | ||
34 | switch (fetchType) { | |
35 | case 'for-api': | |
36 | res.locals.videoAPI = video as MVideoFormattableDetails | |
37 | break | |
38 | ||
39 | case 'all': | |
40 | res.locals.videoAll = video as MVideoFullLight | |
41 | break | |
42 | ||
43 | case 'only-immutable-attributes': | |
44 | res.locals.onlyImmutableVideo = video as MVideoImmutable | |
45 | break | |
46 | ||
47 | case 'id': | |
48 | res.locals.videoId = video as MVideoId | |
49 | break | |
50 | ||
51 | case 'only-video': | |
52 | res.locals.onlyVideo = video as MVideoThumbnail | |
53 | break | |
54 | } | |
55 | ||
56 | return true | |
57 | } | |
58 | ||
59 | async function doesVideoFileOfVideoExist (id: number, videoIdOrUUID: number | string, res: Response) { | |
60 | if (!await VideoFileModel.doesVideoExistForVideoFile(id, videoIdOrUUID)) { | |
61 | res.fail({ | |
62 | status: HttpStatusCode.NOT_FOUND_404, | |
63 | message: 'VideoFile matching Video not found' | |
64 | }) | |
65 | return false | |
66 | } | |
67 | ||
68 | return true | |
69 | } | |
70 | ||
71 | async function doesVideoChannelOfAccountExist (channelId: number, user: MUserAccountId, res: Response) { | |
72 | const videoChannel = await VideoChannelModel.loadAndPopulateAccount(channelId) | |
73 | ||
74 | if (videoChannel === null) { | |
75 | res.fail({ message: 'Unknown video "video channel" for this instance.' }) | |
76 | return false | |
77 | } | |
78 | ||
79 | // Don't check account id if the user can update any video | |
80 | if (user.hasRight(UserRight.UPDATE_ANY_VIDEO) === true) { | |
81 | res.locals.videoChannel = videoChannel | |
82 | return true | |
83 | } | |
84 | ||
85 | if (videoChannel.Account.id !== user.Account.id) { | |
86 | res.fail({ | |
87 | message: 'Unknown video "video channel" for this account.' | |
88 | }) | |
89 | return false | |
90 | } | |
91 | ||
92 | res.locals.videoChannel = videoChannel | |
93 | return true | |
94 | } | |
95 | ||
96 | async function checkCanSeeVideoIfPrivate (req: Request, res: Response, video: MVideo, authenticateInQuery = false) { | |
97 | if (!video.requiresAuth()) return true | |
98 | ||
99 | const videoWithRights = await VideoModel.loadAndPopulateAccountAndServerAndTags(video.id) | |
100 | ||
101 | return checkCanSeePrivateVideo(req, res, videoWithRights, authenticateInQuery) | |
102 | } | |
103 | ||
104 | async function checkCanSeePrivateVideo (req: Request, res: Response, video: MVideoWithRights, authenticateInQuery = false) { | |
105 | await authenticatePromiseIfNeeded(req, res, authenticateInQuery) | |
106 | ||
107 | const user = res.locals.oauth ? res.locals.oauth.token.User : null | |
108 | ||
109 | // Only the owner or a user that have blocklist rights can see the video | |
110 | if (!user || !user.canGetVideo(video)) { | |
111 | return false | |
112 | } | |
113 | ||
114 | return true | |
115 | } | |
116 | ||
117 | function checkUserCanManageVideo (user: MUser, video: MVideoAccountLight, right: UserRight, res: Response, onlyOwned = true) { | |
118 | // Retrieve the user who did the request | |
119 | if (onlyOwned && video.isOwned() === false) { | |
120 | res.fail({ | |
121 | status: HttpStatusCode.FORBIDDEN_403, | |
122 | message: 'Cannot manage a video of another server.' | |
123 | }) | |
124 | return false | |
125 | } | |
126 | ||
127 | // Check if the user can delete the video | |
128 | // The user can delete it if he has the right | |
129 | // Or if s/he is the video's account | |
130 | const account = video.VideoChannel.Account | |
131 | if (user.hasRight(right) === false && account.userId !== user.id) { | |
132 | res.fail({ | |
133 | status: HttpStatusCode.FORBIDDEN_403, | |
134 | message: 'Cannot manage a video of another user.' | |
135 | }) | |
136 | return false | |
137 | } | |
138 | ||
139 | return true | |
140 | } | |
141 | ||
142 | // --------------------------------------------------------------------------- | |
143 | ||
144 | export { | |
145 | doesVideoChannelOfAccountExist, | |
146 | doesVideoExist, | |
147 | doesVideoFileOfVideoExist, | |
148 | checkUserCanManageVideo, | |
149 | checkCanSeeVideoIfPrivate, | |
150 | checkCanSeePrivateVideo | |
151 | } |