]>
Commit | Line | Data |
---|---|---|
1 | import * as express from 'express' | |
2 | import 'express-validator' | |
3 | import { body, param, ValidationChain } from 'express-validator/check' | |
4 | import { UserRight, VideoChangeOwnershipStatus, VideoPrivacy } from '../../../shared' | |
5 | import { | |
6 | isBooleanValid, | |
7 | isDateValid, | |
8 | isIdOrUUIDValid, | |
9 | isIdValid, | |
10 | isUUIDValid, | |
11 | toIntOrNull, | |
12 | toValueOrNull | |
13 | } from '../../helpers/custom-validators/misc' | |
14 | import { | |
15 | checkUserCanManageVideo, | |
16 | isScheduleVideoUpdatePrivacyValid, | |
17 | isVideoCategoryValid, | |
18 | isVideoChannelOfAccountExist, | |
19 | isVideoDescriptionValid, | |
20 | isVideoExist, | |
21 | isVideoFile, | |
22 | isVideoImage, | |
23 | isVideoLanguageValid, | |
24 | isVideoLicenceValid, | |
25 | isVideoNameValid, | |
26 | isVideoPrivacyValid, | |
27 | isVideoRatingTypeValid, | |
28 | isVideoSupportValid, | |
29 | isVideoTagsValid | |
30 | } from '../../helpers/custom-validators/videos' | |
31 | import { getDurationFromVideoFile } from '../../helpers/ffmpeg-utils' | |
32 | import { logger } from '../../helpers/logger' | |
33 | import { CONSTRAINTS_FIELDS } from '../../initializers' | |
34 | import { VideoShareModel } from '../../models/video/video-share' | |
35 | import { authenticate } from '../oauth' | |
36 | import { areValidationErrors } from './utils' | |
37 | import { cleanUpReqFiles } from '../../helpers/express-utils' | |
38 | import { VideoModel } from '../../models/video/video' | |
39 | import { UserModel } from '../../models/account/user' | |
40 | import { checkUserCanTerminateOwnershipChange, doesChangeVideoOwnershipExist } from '../../helpers/custom-validators/video-ownership' | |
41 | import { VideoChangeOwnershipAccept } from '../../../shared/models/videos/video-change-ownership-accept.model' | |
42 | import { VideoChangeOwnershipModel } from '../../models/video/video-change-ownership' | |
43 | import { AccountModel } from '../../models/account/account' | |
44 | ||
45 | const videosAddValidator = getCommonVideoAttributes().concat([ | |
46 | body('videofile') | |
47 | .custom((value, { req }) => isVideoFile(req.files)).withMessage( | |
48 | 'This file is not supported or too large. Please, make sure it is of the following type: ' | |
49 | + CONSTRAINTS_FIELDS.VIDEOS.EXTNAME.join(', ') | |
50 | ), | |
51 | body('name').custom(isVideoNameValid).withMessage('Should have a valid name'), | |
52 | body('channelId') | |
53 | .toInt() | |
54 | .custom(isIdValid).withMessage('Should have correct video channel id'), | |
55 | ||
56 | async (req: express.Request, res: express.Response, next: express.NextFunction) => { | |
57 | logger.debug('Checking videosAdd parameters', { parameters: req.body, files: req.files }) | |
58 | ||
59 | if (areValidationErrors(req, res)) return cleanUpReqFiles(req) | |
60 | if (areErrorsInScheduleUpdate(req, res)) return cleanUpReqFiles(req) | |
61 | ||
62 | const videoFile: Express.Multer.File = req.files['videofile'][0] | |
63 | const user = res.locals.oauth.token.User | |
64 | ||
65 | if (!await isVideoChannelOfAccountExist(req.body.channelId, user, res)) return cleanUpReqFiles(req) | |
66 | ||
67 | const isAble = await user.isAbleToUploadVideo(videoFile) | |
68 | if (isAble === false) { | |
69 | res.status(403) | |
70 | .json({ error: 'The user video quota is exceeded with this video.' }) | |
71 | .end() | |
72 | ||
73 | return cleanUpReqFiles(req) | |
74 | } | |
75 | ||
76 | let duration: number | |
77 | ||
78 | try { | |
79 | duration = await getDurationFromVideoFile(videoFile.path) | |
80 | } catch (err) { | |
81 | logger.error('Invalid input file in videosAddValidator.', { err }) | |
82 | res.status(400) | |
83 | .json({ error: 'Invalid input file.' }) | |
84 | .end() | |
85 | ||
86 | return cleanUpReqFiles(req) | |
87 | } | |
88 | ||
89 | videoFile['duration'] = duration | |
90 | ||
91 | return next() | |
92 | } | |
93 | ]) | |
94 | ||
95 | const videosUpdateValidator = getCommonVideoAttributes().concat([ | |
96 | param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'), | |
97 | body('name') | |
98 | .optional() | |
99 | .custom(isVideoNameValid).withMessage('Should have a valid name'), | |
100 | body('channelId') | |
101 | .optional() | |
102 | .toInt() | |
103 | .custom(isIdValid).withMessage('Should have correct video channel id'), | |
104 | ||
105 | async (req: express.Request, res: express.Response, next: express.NextFunction) => { | |
106 | logger.debug('Checking videosUpdate parameters', { parameters: req.body }) | |
107 | ||
108 | if (areValidationErrors(req, res)) return cleanUpReqFiles(req) | |
109 | if (areErrorsInScheduleUpdate(req, res)) return cleanUpReqFiles(req) | |
110 | if (!await isVideoExist(req.params.id, res)) return cleanUpReqFiles(req) | |
111 | ||
112 | const video = res.locals.video | |
113 | ||
114 | // Check if the user who did the request is able to update the video | |
115 | const user = res.locals.oauth.token.User | |
116 | if (!checkUserCanManageVideo(user, res.locals.video, UserRight.UPDATE_ANY_VIDEO, res)) return cleanUpReqFiles(req) | |
117 | ||
118 | if (video.privacy !== VideoPrivacy.PRIVATE && req.body.privacy === VideoPrivacy.PRIVATE) { | |
119 | cleanUpReqFiles(req) | |
120 | return res.status(409) | |
121 | .json({ error: 'Cannot set "private" a video that was not private.' }) | |
122 | .end() | |
123 | } | |
124 | ||
125 | if (req.body.channelId && !await isVideoChannelOfAccountExist(req.body.channelId, user, res)) return cleanUpReqFiles(req) | |
126 | ||
127 | return next() | |
128 | } | |
129 | ]) | |
130 | ||
131 | const videosGetValidator = [ | |
132 | param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'), | |
133 | ||
134 | async (req: express.Request, res: express.Response, next: express.NextFunction) => { | |
135 | logger.debug('Checking videosGet parameters', { parameters: req.params }) | |
136 | ||
137 | if (areValidationErrors(req, res)) return | |
138 | if (!await isVideoExist(req.params.id, res)) return | |
139 | ||
140 | const video: VideoModel = res.locals.video | |
141 | ||
142 | // Video private or blacklisted | |
143 | if (video.privacy === VideoPrivacy.PRIVATE || video.VideoBlacklist) { | |
144 | return authenticate(req, res, () => { | |
145 | const user: UserModel = res.locals.oauth.token.User | |
146 | ||
147 | // Only the owner or a user that have blacklist rights can see the video | |
148 | if (video.VideoChannel.Account.userId !== user.id && !user.hasRight(UserRight.MANAGE_VIDEO_BLACKLIST)) { | |
149 | return res.status(403) | |
150 | .json({ error: 'Cannot get this private or blacklisted video.' }) | |
151 | .end() | |
152 | } | |
153 | ||
154 | return next() | |
155 | }) | |
156 | ||
157 | return | |
158 | } | |
159 | ||
160 | // Video is public, anyone can access it | |
161 | if (video.privacy === VideoPrivacy.PUBLIC) return next() | |
162 | ||
163 | // Video is unlisted, check we used the uuid to fetch it | |
164 | if (video.privacy === VideoPrivacy.UNLISTED) { | |
165 | if (isUUIDValid(req.params.id)) return next() | |
166 | ||
167 | // Don't leak this unlisted video | |
168 | return res.status(404).end() | |
169 | } | |
170 | } | |
171 | ] | |
172 | ||
173 | const videosRemoveValidator = [ | |
174 | param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'), | |
175 | ||
176 | async (req: express.Request, res: express.Response, next: express.NextFunction) => { | |
177 | logger.debug('Checking videosRemove parameters', { parameters: req.params }) | |
178 | ||
179 | if (areValidationErrors(req, res)) return | |
180 | if (!await isVideoExist(req.params.id, res)) return | |
181 | ||
182 | // Check if the user who did the request is able to delete the video | |
183 | if (!checkUserCanManageVideo(res.locals.oauth.token.User, res.locals.video, UserRight.REMOVE_ANY_VIDEO, res)) return | |
184 | ||
185 | return next() | |
186 | } | |
187 | ] | |
188 | ||
189 | const videoRateValidator = [ | |
190 | param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'), | |
191 | body('rating').custom(isVideoRatingTypeValid).withMessage('Should have a valid rate type'), | |
192 | ||
193 | async (req: express.Request, res: express.Response, next: express.NextFunction) => { | |
194 | logger.debug('Checking videoRate parameters', { parameters: req.body }) | |
195 | ||
196 | if (areValidationErrors(req, res)) return | |
197 | if (!await isVideoExist(req.params.id, res)) return | |
198 | ||
199 | return next() | |
200 | } | |
201 | ] | |
202 | ||
203 | const videosShareValidator = [ | |
204 | param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'), | |
205 | param('accountId').custom(isIdValid).not().isEmpty().withMessage('Should have a valid account id'), | |
206 | ||
207 | async (req: express.Request, res: express.Response, next: express.NextFunction) => { | |
208 | logger.debug('Checking videoShare parameters', { parameters: req.params }) | |
209 | ||
210 | if (areValidationErrors(req, res)) return | |
211 | if (!await isVideoExist(req.params.id, res)) return | |
212 | ||
213 | const share = await VideoShareModel.load(req.params.accountId, res.locals.video.id, undefined) | |
214 | if (!share) { | |
215 | return res.status(404) | |
216 | .end() | |
217 | } | |
218 | ||
219 | res.locals.videoShare = share | |
220 | return next() | |
221 | } | |
222 | ] | |
223 | ||
224 | const videosChangeOwnershipValidator = [ | |
225 | param('videoId').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'), | |
226 | ||
227 | async (req: express.Request, res: express.Response, next: express.NextFunction) => { | |
228 | logger.debug('Checking changeOwnership parameters', { parameters: req.params }) | |
229 | ||
230 | if (areValidationErrors(req, res)) return | |
231 | if (!await isVideoExist(req.params.videoId, res)) return | |
232 | ||
233 | // Check if the user who did the request is able to change the ownership of the video | |
234 | if (!checkUserCanManageVideo(res.locals.oauth.token.User, res.locals.video, UserRight.CHANGE_VIDEO_OWNERSHIP, res)) return | |
235 | ||
236 | const nextOwner = await AccountModel.loadLocalByName(req.body.username) | |
237 | if (!nextOwner) { | |
238 | res.status(400) | |
239 | .type('json') | |
240 | .end() | |
241 | return | |
242 | } | |
243 | res.locals.nextOwner = nextOwner | |
244 | ||
245 | return next() | |
246 | } | |
247 | ] | |
248 | ||
249 | const videosTerminateChangeOwnershipValidator = [ | |
250 | param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'), | |
251 | ||
252 | async (req: express.Request, res: express.Response, next: express.NextFunction) => { | |
253 | logger.debug('Checking changeOwnership parameters', { parameters: req.params }) | |
254 | ||
255 | if (areValidationErrors(req, res)) return | |
256 | if (!await doesChangeVideoOwnershipExist(req.params.id, res)) return | |
257 | ||
258 | // Check if the user who did the request is able to change the ownership of the video | |
259 | if (!checkUserCanTerminateOwnershipChange(res.locals.oauth.token.User, res.locals.videoChangeOwnership, res)) return | |
260 | ||
261 | return next() | |
262 | }, | |
263 | async (req: express.Request, res: express.Response, next: express.NextFunction) => { | |
264 | const videoChangeOwnership = res.locals.videoChangeOwnership as VideoChangeOwnershipModel | |
265 | ||
266 | if (videoChangeOwnership.status === VideoChangeOwnershipStatus.WAITING) { | |
267 | return next() | |
268 | } else { | |
269 | res.status(403) | |
270 | .json({ error: 'Ownership already accepted or refused' }) | |
271 | .end() | |
272 | return | |
273 | } | |
274 | } | |
275 | ] | |
276 | ||
277 | const videosAcceptChangeOwnershipValidator = [ | |
278 | async (req: express.Request, res: express.Response, next: express.NextFunction) => { | |
279 | const body = req.body as VideoChangeOwnershipAccept | |
280 | if (!await isVideoChannelOfAccountExist(body.channelId, res.locals.oauth.token.User, res)) return | |
281 | ||
282 | const user = res.locals.oauth.token.User | |
283 | const videoChangeOwnership = res.locals.videoChangeOwnership as VideoChangeOwnershipModel | |
284 | const isAble = await user.isAbleToUploadVideo(videoChangeOwnership.Video.getOriginalFile()) | |
285 | if (isAble === false) { | |
286 | res.status(403) | |
287 | .json({ error: 'The user video quota is exceeded with this video.' }) | |
288 | .end() | |
289 | return | |
290 | } | |
291 | ||
292 | return next() | |
293 | } | |
294 | ] | |
295 | ||
296 | function getCommonVideoAttributes () { | |
297 | return [ | |
298 | body('thumbnailfile') | |
299 | .custom((value, { req }) => isVideoImage(req.files, 'thumbnailfile')).withMessage( | |
300 | 'This thumbnail file is not supported or too large. Please, make sure it is of the following type: ' | |
301 | + CONSTRAINTS_FIELDS.VIDEOS.IMAGE.EXTNAME.join(', ') | |
302 | ), | |
303 | body('previewfile') | |
304 | .custom((value, { req }) => isVideoImage(req.files, 'previewfile')).withMessage( | |
305 | 'This preview file is not supported or too large. Please, make sure it is of the following type: ' | |
306 | + CONSTRAINTS_FIELDS.VIDEOS.IMAGE.EXTNAME.join(', ') | |
307 | ), | |
308 | ||
309 | body('category') | |
310 | .optional() | |
311 | .customSanitizer(toIntOrNull) | |
312 | .custom(isVideoCategoryValid).withMessage('Should have a valid category'), | |
313 | body('licence') | |
314 | .optional() | |
315 | .customSanitizer(toIntOrNull) | |
316 | .custom(isVideoLicenceValid).withMessage('Should have a valid licence'), | |
317 | body('language') | |
318 | .optional() | |
319 | .customSanitizer(toValueOrNull) | |
320 | .custom(isVideoLanguageValid).withMessage('Should have a valid language'), | |
321 | body('nsfw') | |
322 | .optional() | |
323 | .toBoolean() | |
324 | .custom(isBooleanValid).withMessage('Should have a valid NSFW attribute'), | |
325 | body('waitTranscoding') | |
326 | .optional() | |
327 | .toBoolean() | |
328 | .custom(isBooleanValid).withMessage('Should have a valid wait transcoding attribute'), | |
329 | body('privacy') | |
330 | .optional() | |
331 | .toInt() | |
332 | .custom(isVideoPrivacyValid).withMessage('Should have correct video privacy'), | |
333 | body('description') | |
334 | .optional() | |
335 | .customSanitizer(toValueOrNull) | |
336 | .custom(isVideoDescriptionValid).withMessage('Should have a valid description'), | |
337 | body('support') | |
338 | .optional() | |
339 | .customSanitizer(toValueOrNull) | |
340 | .custom(isVideoSupportValid).withMessage('Should have a valid support text'), | |
341 | body('tags') | |
342 | .optional() | |
343 | .customSanitizer(toValueOrNull) | |
344 | .custom(isVideoTagsValid).withMessage('Should have correct tags'), | |
345 | body('commentsEnabled') | |
346 | .optional() | |
347 | .toBoolean() | |
348 | .custom(isBooleanValid).withMessage('Should have comments enabled boolean'), | |
349 | ||
350 | body('scheduleUpdate') | |
351 | .optional() | |
352 | .customSanitizer(toValueOrNull), | |
353 | body('scheduleUpdate.updateAt') | |
354 | .optional() | |
355 | .custom(isDateValid).withMessage('Should have a valid schedule update date'), | |
356 | body('scheduleUpdate.privacy') | |
357 | .optional() | |
358 | .toInt() | |
359 | .custom(isScheduleVideoUpdatePrivacyValid).withMessage('Should have correct schedule update privacy') | |
360 | ] as (ValidationChain | express.Handler)[] | |
361 | } | |
362 | ||
363 | // --------------------------------------------------------------------------- | |
364 | ||
365 | export { | |
366 | videosAddValidator, | |
367 | videosUpdateValidator, | |
368 | videosGetValidator, | |
369 | videosRemoveValidator, | |
370 | videosShareValidator, | |
371 | ||
372 | videoRateValidator, | |
373 | ||
374 | videosChangeOwnershipValidator, | |
375 | videosTerminateChangeOwnershipValidator, | |
376 | videosAcceptChangeOwnershipValidator, | |
377 | ||
378 | getCommonVideoAttributes | |
379 | } | |
380 | ||
381 | // --------------------------------------------------------------------------- | |
382 | ||
383 | function areErrorsInScheduleUpdate (req: express.Request, res: express.Response) { | |
384 | if (req.body.scheduleUpdate) { | |
385 | if (!req.body.scheduleUpdate.updateAt) { | |
386 | res.status(400) | |
387 | .json({ error: 'Schedule update at is mandatory.' }) | |
388 | .end() | |
389 | ||
390 | return true | |
391 | } | |
392 | } | |
393 | ||
394 | return false | |
395 | } |