server/middlewares/validators/shared/videos.ts

   1 import { Request, Response } from 'express'
   2 import { isUUIDValid } from '@server/helpers/custom-validators/misc'
   3 import { loadVideo, VideoLoadType } from '@server/lib/model-loaders'
   4 import { isAbleToUploadVideo } from '@server/lib/user'
   5 import { authenticatePromise } from '@server/middlewares/auth'
   6 import { VideoModel } from '@server/models/video/video'
   7 import { VideoChannelModel } from '@server/models/video/video-channel'
   8 import { VideoFileModel } from '@server/models/video/video-file'
   9 import {
  10   MUser,
  11   MUserAccountId,
  12   MUserId,
  13   MVideo,
  14   MVideoAccountLight,
  15   MVideoFormattableDetails,
  16   MVideoFullLight,
  17   MVideoId,
  18   MVideoImmutable,
  19   MVideoThumbnail,
  20   MVideoWithRights
  21 } from '@server/types/models'
  22 import { HttpStatusCode, ServerErrorCode, UserRight, VideoPrivacy } from '@shared/models'
  23
  24 async function doesVideoExist (id: number | string, res: Response, fetchType: VideoLoadType = 'all') {
  25   const userId = res.locals.oauth ? res.locals.oauth.token.User.id : undefined
  26
  27   const video = await loadVideo(id, fetchType, userId)
  28
  29   if (!video) {
  30     res.fail({
  31       status: HttpStatusCode.NOT_FOUND_404,
  32       message: 'Video not found'
  33     })
  34
  35     return false
  36   }
  37
  38   switch (fetchType) {
  39     case 'for-api':
  40       res.locals.videoAPI = video as MVideoFormattableDetails
  41       break
  42
  43     case 'all':
  44       res.locals.videoAll = video as MVideoFullLight
  45       break
  46
  47     case 'only-immutable-attributes':
  48       res.locals.onlyImmutableVideo = video as MVideoImmutable
  49       break
  50
  51     case 'id':
  52       res.locals.videoId = video as MVideoId
  53       break
  54
  55     case 'only-video':
  56       res.locals.onlyVideo = video as MVideoThumbnail
  57       break
  58   }
  59
  60   return true
  61 }
  62
  63 // ---------------------------------------------------------------------------
  64
  65 async function doesVideoFileOfVideoExist (id: number, videoIdOrUUID: number | string, res: Response) {
  66   if (!await VideoFileModel.doesVideoExistForVideoFile(id, videoIdOrUUID)) {
  67     res.fail({
  68       status: HttpStatusCode.NOT_FOUND_404,
  69       message: 'VideoFile matching Video not found'
  70     })
  71     return false
  72   }
  73
  74   return true
  75 }
  76
  77 // ---------------------------------------------------------------------------
  78
  79 async function doesVideoChannelOfAccountExist (channelId: number, user: MUserAccountId, res: Response) {
  80   const videoChannel = await VideoChannelModel.loadAndPopulateAccount(channelId)
  81
  82   if (videoChannel === null) {
  83     res.fail({ message: 'Unknown video "video channel" for this instance.' })
  84     return false
  85   }
  86
  87   // Don't check account id if the user can update any video
  88   if (user.hasRight(UserRight.UPDATE_ANY_VIDEO) === true) {
  89     res.locals.videoChannel = videoChannel
  90     return true
  91   }
  92
  93   if (videoChannel.Account.id !== user.Account.id) {
  94     res.fail({
  95       message: 'Unknown video "video channel" for this account.'
  96     })
  97     return false
  98   }
  99
 100   res.locals.videoChannel = videoChannel
 101   return true
 102 }
 103
 104 // ---------------------------------------------------------------------------
 105
 106 async function checkCanSeeVideo (options: {
 107   req: Request
 108   res: Response
 109   paramId: string
 110   video: MVideo
 111   authenticateInQuery?: boolean // default false
 112 }) {
 113   const { req, res, video, paramId, authenticateInQuery = false } = options
 114
 115   if (video.requiresAuth()) {
 116     return checkCanSeeAuthVideo(req, res, video, authenticateInQuery)
 117   }
 118
 119   if (video.privacy === VideoPrivacy.UNLISTED) {
 120     if (isUUIDValid(paramId)) return true
 121
 122     return checkCanSeeAuthVideo(req, res, video, authenticateInQuery)
 123   }
 124
 125   if (video.privacy === VideoPrivacy.PUBLIC) return true
 126
 127   throw new Error('Fatal error when checking video right ' + video.url)
 128 }
 129
 130 async function checkCanSeeAuthVideo (req: Request, res: Response, video: MVideoId | MVideoWithRights, authenticateInQuery = false) {
 131   const fail = () => {
 132     res.fail({
 133       status: HttpStatusCode.FORBIDDEN_403,
 134       message: 'Cannot fetch information of private/internal/blocked video'
 135     })
 136
 137     return false
 138   }
 139
 140   await authenticatePromise(req, res, authenticateInQuery)
 141
 142   const user = res.locals.oauth?.token.User
 143   if (!user) return fail()
 144
 145   const videoWithRights = (video as MVideoWithRights).VideoChannel?.Account?.userId
 146     ? video as MVideoWithRights
 147     : await VideoModel.loadAndPopulateAccountAndServerAndTags(video.id)
 148
 149   const privacy = videoWithRights.privacy
 150
 151   if (privacy === VideoPrivacy.INTERNAL) {
 152     // We know we have a user
 153     return true
 154   }
 155
 156   const isOwnedByUser = videoWithRights.VideoChannel.Account.userId === user.id
 157
 158   if (videoWithRights.isBlacklisted()) {
 159     if (isOwnedByUser || user.hasRight(UserRight.MANAGE_VIDEO_BLACKLIST)) return true
 160
 161     return fail()
 162   }
 163
 164   if (privacy === VideoPrivacy.PRIVATE || privacy === VideoPrivacy.UNLISTED) {
 165     if (isOwnedByUser || user.hasRight(UserRight.SEE_ALL_VIDEOS)) return true
 166
 167     return fail()
 168   }
 169
 170   // Should not happen
 171   return fail()
 172 }
 173
 174 // ---------------------------------------------------------------------------
 175
 176 function checkUserCanManageVideo (user: MUser, video: MVideoAccountLight, right: UserRight, res: Response, onlyOwned = true) {
 177   // Retrieve the user who did the request
 178   if (onlyOwned && video.isOwned() === false) {
 179     res.fail({
 180       status: HttpStatusCode.FORBIDDEN_403,
 181       message: 'Cannot manage a video of another server.'
 182     })
 183     return false
 184   }
 185
 186   // Check if the user can delete the video
 187   // The user can delete it if he has the right
 188   // Or if s/he is the video's account
 189   const account = video.VideoChannel.Account
 190   if (user.hasRight(right) === false && account.userId !== user.id) {
 191     res.fail({
 192       status: HttpStatusCode.FORBIDDEN_403,
 193       message: 'Cannot manage a video of another user.'
 194     })
 195     return false
 196   }
 197
 198   return true
 199 }
 200
 201 // ---------------------------------------------------------------------------
 202
 203 async function checkUserQuota (user: MUserId, videoFileSize: number, res: Response) {
 204   if (await isAbleToUploadVideo(user.id, videoFileSize) === false) {
 205     res.fail({
 206       status: HttpStatusCode.PAYLOAD_TOO_LARGE_413,
 207       message: 'The user video quota is exceeded with this video.',
 208       type: ServerErrorCode.QUOTA_REACHED
 209     })
 210     return false
 211   }
 212
 213   return true
 214 }
 215
 216 // ---------------------------------------------------------------------------
 217
 218 export {
 219   doesVideoChannelOfAccountExist,
 220   doesVideoExist,
 221   doesVideoFileOfVideoExist,
 222
 223   checkUserCanManageVideo,
 224   checkCanSeeVideo,
 225   checkUserQuota
 226 }