server/middlewares/validators/shared/videos.ts

   1 import { Request, Response } from 'express'
   2 import { isUUIDValid } from '@server/helpers/custom-validators/misc'
   3 import { loadVideo, VideoLoadType } from '@server/lib/model-loaders'
   4 import { isAbleToUploadVideo } from '@server/lib/user'
   5 import { authenticatePromiseIfNeeded } from '@server/middlewares/auth'
   6 import { VideoModel } from '@server/models/video/video'
   7 import { VideoChannelModel } from '@server/models/video/video-channel'
   8 import { VideoFileModel } from '@server/models/video/video-file'
   9 import {
  10   MUser,
  11   MUserAccountId,
  12   MUserId,
  13   MVideo,
  14   MVideoAccountLight,
  15   MVideoFormattableDetails,
  16   MVideoFullLight,
  17   MVideoId,
  18   MVideoImmutable,
  19   MVideoThumbnail,
  20   MVideoWithRights
  21 } from '@server/types/models'
  22 import { HttpStatusCode, ServerErrorCode, UserRight, VideoPrivacy } from '@shared/models'
  23
  24 async function doesVideoExist (id: number | string, res: Response, fetchType: VideoLoadType = 'all') {
  25   const userId = res.locals.oauth ? res.locals.oauth.token.User.id : undefined
  26
  27   const video = await loadVideo(id, fetchType, userId)
  28
  29   if (!video) {
  30     res.fail({
  31       status: HttpStatusCode.NOT_FOUND_404,
  32       message: 'Video not found'
  33     })
  34
  35     return false
  36   }
  37
  38   switch (fetchType) {
  39     case 'for-api':
  40       res.locals.videoAPI = video as MVideoFormattableDetails
  41       break
  42
  43     case 'all':
  44       res.locals.videoAll = video as MVideoFullLight
  45       break
  46
  47     case 'only-immutable-attributes':
  48       res.locals.onlyImmutableVideo = video as MVideoImmutable
  49       break
  50
  51     case 'id':
  52       res.locals.videoId = video as MVideoId
  53       break
  54
  55     case 'only-video':
  56       res.locals.onlyVideo = video as MVideoThumbnail
  57       break
  58   }
  59
  60   return true
  61 }
  62
  63 // ---------------------------------------------------------------------------
  64
  65 async function doesVideoFileOfVideoExist (id: number, videoIdOrUUID: number | string, res: Response) {
  66   if (!await VideoFileModel.doesVideoExistForVideoFile(id, videoIdOrUUID)) {
  67     res.fail({
  68       status: HttpStatusCode.NOT_FOUND_404,
  69       message: 'VideoFile matching Video not found'
  70     })
  71     return false
  72   }
  73
  74   return true
  75 }
  76
  77 // ---------------------------------------------------------------------------
  78
  79 async function doesVideoChannelOfAccountExist (channelId: number, user: MUserAccountId, res: Response) {
  80   const videoChannel = await VideoChannelModel.loadAndPopulateAccount(channelId)
  81
  82   if (videoChannel === null) {
  83     res.fail({ message: 'Unknown video "video channel" for this instance.' })
  84     return false
  85   }
  86
  87   // Don't check account id if the user can update any video
  88   if (user.hasRight(UserRight.UPDATE_ANY_VIDEO) === true) {
  89     res.locals.videoChannel = videoChannel
  90     return true
  91   }
  92
  93   if (videoChannel.Account.id !== user.Account.id) {
  94     res.fail({
  95       message: 'Unknown video "video channel" for this account.'
  96     })
  97     return false
  98   }
  99
 100   res.locals.videoChannel = videoChannel
 101   return true
 102 }
 103
 104 // ---------------------------------------------------------------------------
 105
 106 async function checkCanSeeVideo (options: {
 107   req: Request
 108   res: Response
 109   paramId: string
 110   video: MVideo
 111   authenticateInQuery?: boolean // default false
 112 }) {
 113   const { req, res, video, paramId, authenticateInQuery = false } = options
 114
 115   if (video.requiresAuth()) {
 116     return checkCanSeeAuthVideo(req, res, video, authenticateInQuery)
 117   }
 118
 119   if (video.privacy === VideoPrivacy.UNLISTED) {
 120     if (isUUIDValid(paramId)) return true
 121
 122     return checkCanSeeAuthVideo(req, res, video, authenticateInQuery)
 123   }
 124
 125   if (video.privacy === VideoPrivacy.PUBLIC) return true
 126
 127   throw new Error('Fatal error when checking video right ' + video.url)
 128 }
 129
 130 async function checkCanSeeAuthVideo (req: Request, res: Response, video: MVideoId | MVideoWithRights, authenticateInQuery = false) {
 131   const fail = () => {
 132     res.fail({
 133       status: HttpStatusCode.FORBIDDEN_403,
 134       message: 'Cannot fetch information of private/internal/blocked video'
 135     })
 136
 137     return false
 138   }
 139
 140   await authenticatePromiseIfNeeded(req, res, authenticateInQuery)
 141
 142   const user = res.locals.oauth?.token.User
 143   if (!user) return fail()
 144
 145   const videoWithRights = (video as MVideoWithRights).VideoChannel?.Account?.userId
 146     ? video as MVideoWithRights
 147     : await VideoModel.loadAndPopulateAccountAndServerAndTags(video.id)
 148
 149   const privacy = videoWithRights.privacy
 150
 151   if (privacy === VideoPrivacy.INTERNAL) {
 152     // We know we have a user
 153     return true
 154   }
 155
 156   const isOwnedByUser = videoWithRights.VideoChannel.Account.userId === user.id
 157   if (privacy === VideoPrivacy.PRIVATE || privacy === VideoPrivacy.UNLISTED) {
 158     if (isOwnedByUser && user.hasRight(UserRight.SEE_ALL_VIDEOS)) return true
 159
 160     return fail()
 161   }
 162
 163   if (videoWithRights.isBlacklisted()) {
 164     if (isOwnedByUser || user.hasRight(UserRight.MANAGE_VIDEO_BLACKLIST)) return true
 165
 166     return fail()
 167   }
 168
 169   // Should not happen
 170   return fail()
 171 }
 172
 173 // ---------------------------------------------------------------------------
 174
 175 function checkUserCanManageVideo (user: MUser, video: MVideoAccountLight, right: UserRight, res: Response, onlyOwned = true) {
 176   // Retrieve the user who did the request
 177   if (onlyOwned && video.isOwned() === false) {
 178     res.fail({
 179       status: HttpStatusCode.FORBIDDEN_403,
 180       message: 'Cannot manage a video of another server.'
 181     })
 182     return false
 183   }
 184
 185   // Check if the user can delete the video
 186   // The user can delete it if he has the right
 187   // Or if s/he is the video's account
 188   const account = video.VideoChannel.Account
 189   if (user.hasRight(right) === false && account.userId !== user.id) {
 190     res.fail({
 191       status: HttpStatusCode.FORBIDDEN_403,
 192       message: 'Cannot manage a video of another user.'
 193     })
 194     return false
 195   }
 196
 197   return true
 198 }
 199
 200 // ---------------------------------------------------------------------------
 201
 202 async function checkUserQuota (user: MUserId, videoFileSize: number, res: Response) {
 203   if (await isAbleToUploadVideo(user.id, videoFileSize) === false) {
 204     res.fail({
 205       status: HttpStatusCode.PAYLOAD_TOO_LARGE_413,
 206       message: 'The user video quota is exceeded with this video.',
 207       type: ServerErrorCode.QUOTA_REACHED
 208     })
 209     return false
 210   }
 211
 212   return true
 213 }
 214
 215 // ---------------------------------------------------------------------------
 216
 217 export {
 218   doesVideoChannelOfAccountExist,
 219   doesVideoExist,
 220   doesVideoFileOfVideoExist,
 221
 222   checkUserCanManageVideo,
 223   checkCanSeeVideo,
 224   checkUserQuota
 225 }