server/middlewares/validators/shared/videos.ts

   1 import { Request, Response } from 'express'
   2 import { loadVideo, VideoLoadType } from '@server/lib/model-loaders'
   3 import { isAbleToUploadVideo } from '@server/lib/user'
   4 import { authenticatePromiseIfNeeded } from '@server/middlewares/auth'
   5 import { VideoModel } from '@server/models/video/video'
   6 import { VideoChannelModel } from '@server/models/video/video-channel'
   7 import { VideoFileModel } from '@server/models/video/video-file'
   8 import {
   9   MUser,
  10   MUserAccountId,
  11   MUserId,
  12   MVideo,
  13   MVideoAccountLight,
  14   MVideoFormattableDetails,
  15   MVideoFullLight,
  16   MVideoId,
  17   MVideoImmutable,
  18   MVideoThumbnail,
  19   MVideoWithRights
  20 } from '@server/types/models'
  21 import { HttpStatusCode, ServerErrorCode, UserRight } from '@shared/models'
  22
  23 async function doesVideoExist (id: number | string, res: Response, fetchType: VideoLoadType = 'all') {
  24   const userId = res.locals.oauth ? res.locals.oauth.token.User.id : undefined
  25
  26   const video = await loadVideo(id, fetchType, userId)
  27
  28   if (video === null) {
  29     res.fail({
  30       status: HttpStatusCode.NOT_FOUND_404,
  31       message: 'Video not found'
  32     })
  33     return false
  34   }
  35
  36   switch (fetchType) {
  37     case 'for-api':
  38       res.locals.videoAPI = video as MVideoFormattableDetails
  39       break
  40
  41     case 'all':
  42       res.locals.videoAll = video as MVideoFullLight
  43       break
  44
  45     case 'only-immutable-attributes':
  46       res.locals.onlyImmutableVideo = video as MVideoImmutable
  47       break
  48
  49     case 'id':
  50       res.locals.videoId = video as MVideoId
  51       break
  52
  53     case 'only-video':
  54       res.locals.onlyVideo = video as MVideoThumbnail
  55       break
  56   }
  57
  58   return true
  59 }
  60
  61 async function doesVideoFileOfVideoExist (id: number, videoIdOrUUID: number | string, res: Response) {
  62   if (!await VideoFileModel.doesVideoExistForVideoFile(id, videoIdOrUUID)) {
  63     res.fail({
  64       status: HttpStatusCode.NOT_FOUND_404,
  65       message: 'VideoFile matching Video not found'
  66     })
  67     return false
  68   }
  69
  70   return true
  71 }
  72
  73 async function doesVideoChannelOfAccountExist (channelId: number, user: MUserAccountId, res: Response) {
  74   const videoChannel = await VideoChannelModel.loadAndPopulateAccount(channelId)
  75
  76   if (videoChannel === null) {
  77     res.fail({ message: 'Unknown video "video channel" for this instance.' })
  78     return false
  79   }
  80
  81   // Don't check account id if the user can update any video
  82   if (user.hasRight(UserRight.UPDATE_ANY_VIDEO) === true) {
  83     res.locals.videoChannel = videoChannel
  84     return true
  85   }
  86
  87   if (videoChannel.Account.id !== user.Account.id) {
  88     res.fail({
  89       message: 'Unknown video "video channel" for this account.'
  90     })
  91     return false
  92   }
  93
  94   res.locals.videoChannel = videoChannel
  95   return true
  96 }
  97
  98 async function checkCanSeeVideoIfPrivate (req: Request, res: Response, video: MVideo, authenticateInQuery = false) {
  99   if (!video.requiresAuth()) return true
 100
 101   const videoWithRights = await VideoModel.loadAndPopulateAccountAndServerAndTags(video.id)
 102
 103   return checkCanSeePrivateVideo(req, res, videoWithRights, authenticateInQuery)
 104 }
 105
 106 async function checkCanSeePrivateVideo (req: Request, res: Response, video: MVideoWithRights, authenticateInQuery = false) {
 107   await authenticatePromiseIfNeeded(req, res, authenticateInQuery)
 108
 109   const user = res.locals.oauth ? res.locals.oauth.token.User : null
 110
 111   // Only the owner or a user that have blocklist rights can see the video
 112   if (!user || !user.canGetVideo(video)) {
 113     res.fail({
 114       status: HttpStatusCode.FORBIDDEN_403,
 115       message: 'Cannot fetch information of private/internal/blocklisted video'
 116     })
 117
 118     return false
 119   }
 120
 121   return true
 122 }
 123
 124 function checkUserCanManageVideo (user: MUser, video: MVideoAccountLight, right: UserRight, res: Response, onlyOwned = true) {
 125   // Retrieve the user who did the request
 126   if (onlyOwned && video.isOwned() === false) {
 127     res.fail({
 128       status: HttpStatusCode.FORBIDDEN_403,
 129       message: 'Cannot manage a video of another server.'
 130     })
 131     return false
 132   }
 133
 134   // Check if the user can delete the video
 135   // The user can delete it if he has the right
 136   // Or if s/he is the video's account
 137   const account = video.VideoChannel.Account
 138   if (user.hasRight(right) === false && account.userId !== user.id) {
 139     res.fail({
 140       status: HttpStatusCode.FORBIDDEN_403,
 141       message: 'Cannot manage a video of another user.'
 142     })
 143     return false
 144   }
 145
 146   return true
 147 }
 148
 149 async function checkUserQuota (user: MUserId, videoFileSize: number, res: Response) {
 150   if (await isAbleToUploadVideo(user.id, videoFileSize) === false) {
 151     res.fail({
 152       status: HttpStatusCode.PAYLOAD_TOO_LARGE_413,
 153       message: 'The user video quota is exceeded with this video.',
 154       type: ServerErrorCode.QUOTA_REACHED
 155     })
 156     return false
 157   }
 158
 159   return true
 160 }
 161
 162 // ---------------------------------------------------------------------------
 163
 164 export {
 165   doesVideoChannelOfAccountExist,
 166   doesVideoExist,
 167   doesVideoFileOfVideoExist,
 168
 169   checkUserCanManageVideo,
 170   checkCanSeeVideoIfPrivate,
 171   checkCanSeePrivateVideo,
 172   checkUserQuota
 173 }