server/middlewares/validators/videos/video-comments.ts

   1 import express from 'express'
   2 import { body, param, query } from 'express-validator'
   3 import { MUserAccountUrl } from '@server/types/models'
   4 import { HttpStatusCode, UserRight } from '@shared/models'
   5 import { exists, isBooleanValid, isIdValid, toBooleanOrNull } from '../../../helpers/custom-validators/misc'
   6 import { isValidVideoCommentText } from '../../../helpers/custom-validators/video-comments'
   7 import { logger } from '../../../helpers/logger'
   8 import { AcceptResult, isLocalVideoCommentReplyAccepted, isLocalVideoThreadAccepted } from '../../../lib/moderation'
   9 import { Hooks } from '../../../lib/plugins/hooks'
  10 import { MCommentOwnerVideoReply, MVideo, MVideoFullLight } from '../../../types/models/video'
  11 import {
  12   areValidationErrors,
  13   checkCanSeeVideo,
  14   doesVideoCommentExist,
  15   doesVideoCommentThreadExist,
  16   doesVideoExist,
  17   isValidVideoIdParam
  18 } from '../shared'
  19
  20 const listVideoCommentsValidator = [
  21   query('isLocal')
  22     .optional()
  23     .customSanitizer(toBooleanOrNull)
  24     .custom(isBooleanValid)
  25     .withMessage('Should have a valid isLocal boolean'),
  26
  27   query('onLocalVideo')
  28     .optional()
  29     .customSanitizer(toBooleanOrNull)
  30     .custom(isBooleanValid)
  31     .withMessage('Should have a valid onLocalVideo boolean'),
  32
  33   query('search')
  34     .optional()
  35     .custom(exists),
  36
  37   query('searchAccount')
  38     .optional()
  39     .custom(exists),
  40
  41   query('searchVideo')
  42     .optional()
  43     .custom(exists),
  44
  45   (req: express.Request, res: express.Response, next: express.NextFunction) => {
  46     if (areValidationErrors(req, res)) return
  47
  48     return next()
  49   }
  50 ]
  51
  52 const listVideoCommentThreadsValidator = [
  53   isValidVideoIdParam('videoId'),
  54
  55   async (req: express.Request, res: express.Response, next: express.NextFunction) => {
  56     if (areValidationErrors(req, res)) return
  57     if (!await doesVideoExist(req.params.videoId, res, 'only-video')) return
  58
  59     if (!await checkCanSeeVideo({ req, res, paramId: req.params.videoId, video: res.locals.onlyVideo })) return
  60
  61     return next()
  62   }
  63 ]
  64
  65 const listVideoThreadCommentsValidator = [
  66   isValidVideoIdParam('videoId'),
  67
  68   param('threadId')
  69     .custom(isIdValid),
  70
  71   async (req: express.Request, res: express.Response, next: express.NextFunction) => {
  72     if (areValidationErrors(req, res)) return
  73     if (!await doesVideoExist(req.params.videoId, res, 'only-video')) return
  74     if (!await doesVideoCommentThreadExist(req.params.threadId, res.locals.onlyVideo, res)) return
  75
  76     if (!await checkCanSeeVideo({ req, res, paramId: req.params.videoId, video: res.locals.onlyVideo })) return
  77
  78     return next()
  79   }
  80 ]
  81
  82 const addVideoCommentThreadValidator = [
  83   isValidVideoIdParam('videoId'),
  84
  85   body('text')
  86     .custom(isValidVideoCommentText),
  87
  88   async (req: express.Request, res: express.Response, next: express.NextFunction) => {
  89     if (areValidationErrors(req, res)) return
  90     if (!await doesVideoExist(req.params.videoId, res)) return
  91
  92     if (!await checkCanSeeVideo({ req, res, paramId: req.params.videoId, video: res.locals.videoAll })) return
  93
  94     if (!isVideoCommentsEnabled(res.locals.videoAll, res)) return
  95     if (!await isVideoCommentAccepted(req, res, res.locals.videoAll, false)) return
  96
  97     return next()
  98   }
  99 ]
 100
 101 const addVideoCommentReplyValidator = [
 102   isValidVideoIdParam('videoId'),
 103
 104   param('commentId').custom(isIdValid),
 105
 106   body('text').custom(isValidVideoCommentText),
 107
 108   async (req: express.Request, res: express.Response, next: express.NextFunction) => {
 109     if (areValidationErrors(req, res)) return
 110     if (!await doesVideoExist(req.params.videoId, res)) return
 111
 112     if (!await checkCanSeeVideo({ req, res, paramId: req.params.videoId, video: res.locals.videoAll })) return
 113
 114     if (!isVideoCommentsEnabled(res.locals.videoAll, res)) return
 115     if (!await doesVideoCommentExist(req.params.commentId, res.locals.videoAll, res)) return
 116     if (!await isVideoCommentAccepted(req, res, res.locals.videoAll, true)) return
 117
 118     return next()
 119   }
 120 ]
 121
 122 const videoCommentGetValidator = [
 123   isValidVideoIdParam('videoId'),
 124
 125   param('commentId')
 126     .custom(isIdValid),
 127
 128   async (req: express.Request, res: express.Response, next: express.NextFunction) => {
 129     if (areValidationErrors(req, res)) return
 130     if (!await doesVideoExist(req.params.videoId, res, 'id')) return
 131     if (!await doesVideoCommentExist(req.params.commentId, res.locals.videoId, res)) return
 132
 133     return next()
 134   }
 135 ]
 136
 137 const removeVideoCommentValidator = [
 138   isValidVideoIdParam('videoId'),
 139
 140   param('commentId')
 141     .custom(isIdValid),
 142
 143   async (req: express.Request, res: express.Response, next: express.NextFunction) => {
 144     if (areValidationErrors(req, res)) return
 145     if (!await doesVideoExist(req.params.videoId, res)) return
 146     if (!await doesVideoCommentExist(req.params.commentId, res.locals.videoAll, res)) return
 147
 148     // Check if the user who did the request is able to delete the video
 149     if (!checkUserCanDeleteVideoComment(res.locals.oauth.token.User, res.locals.videoCommentFull, res)) return
 150
 151     return next()
 152   }
 153 ]
 154
 155 // ---------------------------------------------------------------------------
 156
 157 export {
 158   listVideoCommentThreadsValidator,
 159   listVideoThreadCommentsValidator,
 160   addVideoCommentThreadValidator,
 161   listVideoCommentsValidator,
 162   addVideoCommentReplyValidator,
 163   videoCommentGetValidator,
 164   removeVideoCommentValidator
 165 }
 166
 167 // ---------------------------------------------------------------------------
 168
 169 function isVideoCommentsEnabled (video: MVideo, res: express.Response) {
 170   if (video.commentsEnabled !== true) {
 171     res.fail({
 172       status: HttpStatusCode.CONFLICT_409,
 173       message: 'Video comments are disabled for this video.'
 174     })
 175     return false
 176   }
 177
 178   return true
 179 }
 180
 181 function checkUserCanDeleteVideoComment (user: MUserAccountUrl, videoComment: MCommentOwnerVideoReply, res: express.Response) {
 182   if (videoComment.isDeleted()) {
 183     res.fail({
 184       status: HttpStatusCode.CONFLICT_409,
 185       message: 'This comment is already deleted'
 186     })
 187     return false
 188   }
 189
 190   const userAccount = user.Account
 191
 192   if (
 193     user.hasRight(UserRight.REMOVE_ANY_VIDEO_COMMENT) === false && // Not a moderator
 194     videoComment.accountId !== userAccount.id && // Not the comment owner
 195     videoComment.Video.VideoChannel.accountId !== userAccount.id // Not the video owner
 196   ) {
 197     res.fail({
 198       status: HttpStatusCode.FORBIDDEN_403,
 199       message: 'Cannot remove video comment of another user'
 200     })
 201     return false
 202   }
 203
 204   return true
 205 }
 206
 207 async function isVideoCommentAccepted (req: express.Request, res: express.Response, video: MVideoFullLight, isReply: boolean) {
 208   const acceptParameters = {
 209     video,
 210     commentBody: req.body,
 211     user: res.locals.oauth.token.User
 212   }
 213
 214   let acceptedResult: AcceptResult
 215
 216   if (isReply) {
 217     const acceptReplyParameters = Object.assign(acceptParameters, { parentComment: res.locals.videoCommentFull })
 218
 219     acceptedResult = await Hooks.wrapFun(
 220       isLocalVideoCommentReplyAccepted,
 221       acceptReplyParameters,
 222       'filter:api.video-comment-reply.create.accept.result'
 223     )
 224   } else {
 225     acceptedResult = await Hooks.wrapFun(
 226       isLocalVideoThreadAccepted,
 227       acceptParameters,
 228       'filter:api.video-thread.create.accept.result'
 229     )
 230   }
 231
 232   if (!acceptedResult || acceptedResult.accepted !== true) {
 233     logger.info('Refused local comment.', { acceptedResult, acceptParameters })
 234
 235     res.fail({
 236       status: HttpStatusCode.FORBIDDEN_403,
 237       message: acceptedResult?.errorMessage || 'Refused local comment'
 238     })
 239     return false
 240   }
 241
 242   return true
 243 }