server/middlewares/validators/videos/video-comments.ts

   1 import express from 'express'
   2 import { body, param, query } from 'express-validator'
   3 import { MUserAccountUrl } from '@server/types/models'
   4 import { HttpStatusCode, UserRight } from '@shared/models'
   5 import { exists, isBooleanValid, isIdValid, toBooleanOrNull } from '../../../helpers/custom-validators/misc'
   6 import { isValidVideoCommentText } from '../../../helpers/custom-validators/video-comments'
   7 import { logger } from '../../../helpers/logger'
   8 import { AcceptResult, isLocalVideoCommentReplyAccepted, isLocalVideoThreadAccepted } from '../../../lib/moderation'
   9 import { Hooks } from '../../../lib/plugins/hooks'
  10 import { MCommentOwnerVideoReply, MVideo, MVideoFullLight } from '../../../types/models/video'
  11 import {
  12   areValidationErrors,
  13   checkCanSeeVideo,
  14   doesVideoCommentExist,
  15   doesVideoCommentThreadExist,
  16   doesVideoExist,
  17   isValidVideoIdParam
  18 } from '../shared'
  19
  20 const listVideoCommentsValidator = [
  21   query('isLocal')
  22   .optional()
  23   .customSanitizer(toBooleanOrNull)
  24   .custom(isBooleanValid)
  25   .withMessage('Should have a valid is local boolean'),
  26
  27   query('search')
  28     .optional()
  29     .custom(exists).withMessage('Should have a valid search'),
  30
  31   query('searchAccount')
  32     .optional()
  33     .custom(exists).withMessage('Should have a valid account search'),
  34
  35   query('searchVideo')
  36     .optional()
  37     .custom(exists).withMessage('Should have a valid video search'),
  38
  39   (req: express.Request, res: express.Response, next: express.NextFunction) => {
  40     logger.debug('Checking listVideoCommentsValidator parameters.', { parameters: req.query })
  41
  42     if (areValidationErrors(req, res)) return
  43
  44     return next()
  45   }
  46 ]
  47
  48 const listVideoCommentThreadsValidator = [
  49   isValidVideoIdParam('videoId'),
  50
  51   async (req: express.Request, res: express.Response, next: express.NextFunction) => {
  52     logger.debug('Checking listVideoCommentThreads parameters.', { parameters: req.params })
  53
  54     if (areValidationErrors(req, res)) return
  55     if (!await doesVideoExist(req.params.videoId, res, 'only-video')) return
  56
  57     if (!await checkCanSeeVideo({ req, res, paramId: req.params.videoId, video: res.locals.onlyVideo })) return
  58
  59     return next()
  60   }
  61 ]
  62
  63 const listVideoThreadCommentsValidator = [
  64   isValidVideoIdParam('videoId'),
  65
  66   param('threadId')
  67     .custom(isIdValid).not().isEmpty().withMessage('Should have a valid threadId'),
  68
  69   async (req: express.Request, res: express.Response, next: express.NextFunction) => {
  70     logger.debug('Checking listVideoThreadComments parameters.', { parameters: req.params })
  71
  72     if (areValidationErrors(req, res)) return
  73     if (!await doesVideoExist(req.params.videoId, res, 'only-video')) return
  74     if (!await doesVideoCommentThreadExist(req.params.threadId, res.locals.onlyVideo, res)) return
  75
  76     if (!await checkCanSeeVideo({ req, res, paramId: req.params.videoId, video: res.locals.onlyVideo })) return
  77
  78     return next()
  79   }
  80 ]
  81
  82 const addVideoCommentThreadValidator = [
  83   isValidVideoIdParam('videoId'),
  84
  85   body('text')
  86     .custom(isValidVideoCommentText).not().isEmpty().withMessage('Should have a valid comment text'),
  87
  88   async (req: express.Request, res: express.Response, next: express.NextFunction) => {
  89     logger.debug('Checking addVideoCommentThread parameters.', { parameters: req.params, body: req.body })
  90
  91     if (areValidationErrors(req, res)) return
  92     if (!await doesVideoExist(req.params.videoId, res)) return
  93
  94     if (!await checkCanSeeVideo({ req, res, paramId: req.params.videoId, video: res.locals.videoAll })) return
  95
  96     if (!isVideoCommentsEnabled(res.locals.videoAll, res)) return
  97     if (!await isVideoCommentAccepted(req, res, res.locals.videoAll, false)) return
  98
  99     return next()
 100   }
 101 ]
 102
 103 const addVideoCommentReplyValidator = [
 104   isValidVideoIdParam('videoId'),
 105
 106   param('commentId').custom(isIdValid).not().isEmpty().withMessage('Should have a valid commentId'),
 107
 108   body('text').custom(isValidVideoCommentText).not().isEmpty().withMessage('Should have a valid comment text'),
 109
 110   async (req: express.Request, res: express.Response, next: express.NextFunction) => {
 111     logger.debug('Checking addVideoCommentReply parameters.', { parameters: req.params, body: req.body })
 112
 113     if (areValidationErrors(req, res)) return
 114     if (!await doesVideoExist(req.params.videoId, res)) return
 115
 116     if (!await checkCanSeeVideo({ req, res, paramId: req.params.videoId, video: res.locals.videoAll })) return
 117
 118     if (!isVideoCommentsEnabled(res.locals.videoAll, res)) return
 119     if (!await doesVideoCommentExist(req.params.commentId, res.locals.videoAll, res)) return
 120     if (!await isVideoCommentAccepted(req, res, res.locals.videoAll, true)) return
 121
 122     return next()
 123   }
 124 ]
 125
 126 const videoCommentGetValidator = [
 127   isValidVideoIdParam('videoId'),
 128
 129   param('commentId')
 130     .custom(isIdValid).not().isEmpty().withMessage('Should have a valid commentId'),
 131
 132   async (req: express.Request, res: express.Response, next: express.NextFunction) => {
 133     logger.debug('Checking videoCommentGetValidator parameters.', { parameters: req.params })
 134
 135     if (areValidationErrors(req, res)) return
 136     if (!await doesVideoExist(req.params.videoId, res, 'id')) return
 137     if (!await doesVideoCommentExist(req.params.commentId, res.locals.videoId, res)) return
 138
 139     return next()
 140   }
 141 ]
 142
 143 const removeVideoCommentValidator = [
 144   isValidVideoIdParam('videoId'),
 145
 146   param('commentId').custom(isIdValid).not().isEmpty().withMessage('Should have a valid commentId'),
 147
 148   async (req: express.Request, res: express.Response, next: express.NextFunction) => {
 149     logger.debug('Checking removeVideoCommentValidator parameters.', { parameters: req.params })
 150
 151     if (areValidationErrors(req, res)) return
 152     if (!await doesVideoExist(req.params.videoId, res)) return
 153     if (!await doesVideoCommentExist(req.params.commentId, res.locals.videoAll, res)) return
 154
 155     // Check if the user who did the request is able to delete the video
 156     if (!checkUserCanDeleteVideoComment(res.locals.oauth.token.User, res.locals.videoCommentFull, res)) return
 157
 158     return next()
 159   }
 160 ]
 161
 162 // ---------------------------------------------------------------------------
 163
 164 export {
 165   listVideoCommentThreadsValidator,
 166   listVideoThreadCommentsValidator,
 167   addVideoCommentThreadValidator,
 168   listVideoCommentsValidator,
 169   addVideoCommentReplyValidator,
 170   videoCommentGetValidator,
 171   removeVideoCommentValidator
 172 }
 173
 174 // ---------------------------------------------------------------------------
 175
 176 function isVideoCommentsEnabled (video: MVideo, res: express.Response) {
 177   if (video.commentsEnabled !== true) {
 178     res.fail({
 179       status: HttpStatusCode.CONFLICT_409,
 180       message: 'Video comments are disabled for this video.'
 181     })
 182     return false
 183   }
 184
 185   return true
 186 }
 187
 188 function checkUserCanDeleteVideoComment (user: MUserAccountUrl, videoComment: MCommentOwnerVideoReply, res: express.Response) {
 189   if (videoComment.isDeleted()) {
 190     res.fail({
 191       status: HttpStatusCode.CONFLICT_409,
 192       message: 'This comment is already deleted'
 193     })
 194     return false
 195   }
 196
 197   const userAccount = user.Account
 198
 199   if (
 200     user.hasRight(UserRight.REMOVE_ANY_VIDEO_COMMENT) === false && // Not a moderator
 201     videoComment.accountId !== userAccount.id && // Not the comment owner
 202     videoComment.Video.VideoChannel.accountId !== userAccount.id // Not the video owner
 203   ) {
 204     res.fail({
 205       status: HttpStatusCode.FORBIDDEN_403,
 206       message: 'Cannot remove video comment of another user'
 207     })
 208     return false
 209   }
 210
 211   return true
 212 }
 213
 214 async function isVideoCommentAccepted (req: express.Request, res: express.Response, video: MVideoFullLight, isReply: boolean) {
 215   const acceptParameters = {
 216     video,
 217     commentBody: req.body,
 218     user: res.locals.oauth.token.User
 219   }
 220
 221   let acceptedResult: AcceptResult
 222
 223   if (isReply) {
 224     const acceptReplyParameters = Object.assign(acceptParameters, { parentComment: res.locals.videoCommentFull })
 225
 226     acceptedResult = await Hooks.wrapFun(
 227       isLocalVideoCommentReplyAccepted,
 228       acceptReplyParameters,
 229       'filter:api.video-comment-reply.create.accept.result'
 230     )
 231   } else {
 232     acceptedResult = await Hooks.wrapFun(
 233       isLocalVideoThreadAccepted,
 234       acceptParameters,
 235       'filter:api.video-thread.create.accept.result'
 236     )
 237   }
 238
 239   if (!acceptedResult || acceptedResult.accepted !== true) {
 240     logger.info('Refused local comment.', { acceptedResult, acceptParameters })
 241
 242     res.fail({
 243       status: HttpStatusCode.FORBIDDEN_403,
 244       message: acceptedResult?.errorMessage || 'Refused local comment'
 245     })
 246     return false
 247   }
 248
 249   return true
 250 }