[github/Chocobozzz/PeerTube.git] / server / middlewares / validators / shared / videos.ts

import { Request, Response } from 'express'
import { loadVideo, VideoLoadType } from '@server/lib/model-loaders'
import { authenticatePromiseIfNeeded } from '@server/middlewares/auth'
import { VideoModel } from '@server/models/video/video'
import { VideoChannelModel } from '@server/models/video/video-channel'
import { VideoFileModel } from '@server/models/video/video-file'
import {
  MUser,
  MUserAccountId,
  MVideo,
  MVideoAccountLight,
  MVideoFormattableDetails,
  MVideoFullLight,
  MVideoId,
  MVideoImmutable,
  MVideoThumbnail,
  MVideoWithRights
} from '@server/types/models'
import { HttpStatusCode, UserRight } from '@shared/models'

async function doesVideoExist (id: number | string, res: Response, fetchType: VideoLoadType = 'all') {
  const userId = res.locals.oauth ? res.locals.oauth.token.User.id : undefined

  const video = await loadVideo(id, fetchType, userId)

  if (video === null) {
    res.fail({
      status: HttpStatusCode.NOT_FOUND_404,
      message: 'Video not found'
    })
    return false
  }

  switch (fetchType) {
    case 'for-api':
      res.locals.videoAPI = video as MVideoFormattableDetails
      break

    case 'all':
      res.locals.videoAll = video as MVideoFullLight
      break

    case 'only-immutable-attributes':
      res.locals.onlyImmutableVideo = video as MVideoImmutable
      break

    case 'id':
      res.locals.videoId = video as MVideoId
      break

    case 'only-video':
      res.locals.onlyVideo = video as MVideoThumbnail
      break
  }

  return true
}

async function doesVideoFileOfVideoExist (id: number, videoIdOrUUID: number | string, res: Response) {
  if (!await VideoFileModel.doesVideoExistForVideoFile(id, videoIdOrUUID)) {
    res.fail({
      status: HttpStatusCode.NOT_FOUND_404,
      message: 'VideoFile matching Video not found'
    })
    return false
  }

  return true
}

async function doesVideoChannelOfAccountExist (channelId: number, user: MUserAccountId, res: Response) {
  const videoChannel = await VideoChannelModel.loadAndPopulateAccount(channelId)

  if (videoChannel === null) {
    res.fail({ message: 'Unknown video "video channel" for this instance.' })
    return false
  }

  // Don't check account id if the user can update any video
  if (user.hasRight(UserRight.UPDATE_ANY_VIDEO) === true) {
    res.locals.videoChannel = videoChannel
    return true
  }

  if (videoChannel.Account.id !== user.Account.id) {
    res.fail({
      message: 'Unknown video "video channel" for this account.'
    })
    return false
  }

  res.locals.videoChannel = videoChannel
  return true
}

async function checkCanSeeVideoIfPrivate (req: Request, res: Response, video: MVideo, authenticateInQuery = false) {
  if (!video.requiresAuth()) return true

  const videoWithRights = await VideoModel.loadAndPopulateAccountAndServerAndTags(video.id)

  return checkCanSeePrivateVideo(req, res, videoWithRights, authenticateInQuery)
}

async function checkCanSeePrivateVideo (req: Request, res: Response, video: MVideoWithRights, authenticateInQuery = false) {
  await authenticatePromiseIfNeeded(req, res, authenticateInQuery)

  const user = res.locals.oauth ? res.locals.oauth.token.User : null

  // Only the owner or a user that have blocklist rights can see the video
  if (!user || !user.canGetVideo(video)) {
    return false
  }

  return true
}

function checkUserCanManageVideo (user: MUser, video: MVideoAccountLight, right: UserRight, res: Response, onlyOwned = true) {
  // Retrieve the user who did the request
  if (onlyOwned && video.isOwned() === false) {
    res.fail({
      status: HttpStatusCode.FORBIDDEN_403,
      message: 'Cannot manage a video of another server.'
    })
    return false
  }

  // Check if the user can delete the video
  // The user can delete it if he has the right
  // Or if s/he is the video's account
  const account = video.VideoChannel.Account
  if (user.hasRight(right) === false && account.userId !== user.id) {
    res.fail({
      status: HttpStatusCode.FORBIDDEN_403,
      message: 'Cannot manage a video of another user.'
    })
    return false
  }

  return true
}

// ---------------------------------------------------------------------------

export {
  doesVideoChannelOfAccountExist,
  doesVideoExist,
  doesVideoFileOfVideoExist,
  checkUserCanManageVideo,
  checkCanSeeVideoIfPrivate,
  checkCanSeePrivateVideo
}
Commit	Line	Data
	1	import { Request, Response } from 'express'
	2	import { loadVideo, VideoLoadType } from '@server/lib/model-loaders'
	3	import { authenticatePromiseIfNeeded } from '@server/middlewares/auth'
	4	import { VideoModel } from '@server/models/video/video'
	5	import { VideoChannelModel } from '@server/models/video/video-channel'
	6	import { VideoFileModel } from '@server/models/video/video-file'
	7	import {
	8	MUser,
	9	MUserAccountId,
	10	MVideo,
	11	MVideoAccountLight,
	12	MVideoFormattableDetails,
	13	MVideoFullLight,
	14	MVideoId,
	15	MVideoImmutable,
	16	MVideoThumbnail,
	17	MVideoWithRights
	18	} from '@server/types/models'
	19	import { HttpStatusCode, UserRight } from '@shared/models'
	20
	21	async function doesVideoExist (id: number \| string, res: Response, fetchType: VideoLoadType = 'all') {
	22	const userId = res.locals.oauth ? res.locals.oauth.token.User.id : undefined
	23
	24	const video = await loadVideo(id, fetchType, userId)
	25
	26	if (video === null) {
	27	res.fail({
	28	status: HttpStatusCode.NOT_FOUND_404,
	29	message: 'Video not found'
	30	})
	31	return false
	32	}
	33
	34	switch (fetchType) {
	35	case 'for-api':
	36	res.locals.videoAPI = video as MVideoFormattableDetails
	37	break
	38
	39	case 'all':
	40	res.locals.videoAll = video as MVideoFullLight
	41	break
	42
	43	case 'only-immutable-attributes':
	44	res.locals.onlyImmutableVideo = video as MVideoImmutable
	45	break
	46
	47	case 'id':
	48	res.locals.videoId = video as MVideoId
	49	break
	50
	51	case 'only-video':
	52	res.locals.onlyVideo = video as MVideoThumbnail
	53	break
	54	}
	55
	56	return true
	57	}
	58
	59	async function doesVideoFileOfVideoExist (id: number, videoIdOrUUID: number \| string, res: Response) {
	60	if (!await VideoFileModel.doesVideoExistForVideoFile(id, videoIdOrUUID)) {
	61	res.fail({
	62	status: HttpStatusCode.NOT_FOUND_404,
	63	message: 'VideoFile matching Video not found'
	64	})
	65	return false
	66	}
	67
	68	return true
	69	}
	70
	71	async function doesVideoChannelOfAccountExist (channelId: number, user: MUserAccountId, res: Response) {
	72	const videoChannel = await VideoChannelModel.loadAndPopulateAccount(channelId)
	73
	74	if (videoChannel === null) {
	75	res.fail({ message: 'Unknown video "video channel" for this instance.' })
	76	return false
	77	}
	78
	79	// Don't check account id if the user can update any video
	80	if (user.hasRight(UserRight.UPDATE_ANY_VIDEO) === true) {
	81	res.locals.videoChannel = videoChannel
	82	return true
	83	}
	84
	85	if (videoChannel.Account.id !== user.Account.id) {
	86	res.fail({
	87	message: 'Unknown video "video channel" for this account.'
	88	})
	89	return false
	90	}
	91
	92	res.locals.videoChannel = videoChannel
	93	return true
	94	}
	95
	96	async function checkCanSeeVideoIfPrivate (req: Request, res: Response, video: MVideo, authenticateInQuery = false) {
	97	if (!video.requiresAuth()) return true
	98
	99	const videoWithRights = await VideoModel.loadAndPopulateAccountAndServerAndTags(video.id)
	100
	101	return checkCanSeePrivateVideo(req, res, videoWithRights, authenticateInQuery)
	102	}
	103
	104	async function checkCanSeePrivateVideo (req: Request, res: Response, video: MVideoWithRights, authenticateInQuery = false) {
	105	await authenticatePromiseIfNeeded(req, res, authenticateInQuery)
	106
	107	const user = res.locals.oauth ? res.locals.oauth.token.User : null
	108
	109	// Only the owner or a user that have blocklist rights can see the video
	110	if (!user \|\| !user.canGetVideo(video)) {
	111	return false
	112	}
	113
	114	return true
	115	}
	116
	117	function checkUserCanManageVideo (user: MUser, video: MVideoAccountLight, right: UserRight, res: Response, onlyOwned = true) {
	118	// Retrieve the user who did the request
	119	if (onlyOwned && video.isOwned() === false) {
	120	res.fail({
	121	status: HttpStatusCode.FORBIDDEN_403,
	122	message: 'Cannot manage a video of another server.'
	123	})
	124	return false
	125	}
	126
	127	// Check if the user can delete the video
	128	// The user can delete it if he has the right
	129	// Or if s/he is the video's account
	130	const account = video.VideoChannel.Account
	131	if (user.hasRight(right) === false && account.userId !== user.id) {
	132	res.fail({
	133	status: HttpStatusCode.FORBIDDEN_403,
	134	message: 'Cannot manage a video of another user.'
	135	})
	136	return false
	137	}
	138
	139	return true
	140	}
	141
	142	// ---------------------------------------------------------------------------
	143
	144	export {
	145	doesVideoChannelOfAccountExist,
	146	doesVideoExist,
	147	doesVideoFileOfVideoExist,
	148	checkUserCanManageVideo,
	149	checkCanSeeVideoIfPrivate,
	150	checkCanSeePrivateVideo
	151	}