server/middlewares/validators/videos/video-comments.ts

   1 import express from 'express'
   2 import { body, param, query } from 'express-validator'
   3 import { MUserAccountUrl } from '@server/types/models'
   4 import { HttpStatusCode, UserRight } from '@shared/models'
   5 import { exists, isBooleanValid, isIdValid, toBooleanOrNull } from '../../../helpers/custom-validators/misc'
   6 import { isValidVideoCommentText } from '../../../helpers/custom-validators/video-comments'
   7 import { logger } from '../../../helpers/logger'
   8 import { AcceptResult, isLocalVideoCommentReplyAccepted, isLocalVideoThreadAccepted } from '../../../lib/moderation'
   9 import { Hooks } from '../../../lib/plugins/hooks'
  10 import { MCommentOwnerVideoReply, MVideo, MVideoFullLight } from '../../../types/models/video'
  11 import {
  12   areValidationErrors,
  13   checkCanSeeVideo,
  14   doesVideoCommentExist,
  15   doesVideoCommentThreadExist,
  16   doesVideoExist,
  17   isValidVideoIdParam
  18 } from '../shared'
  19
  20 const listVideoCommentsValidator = [
  21   query('isLocal')
  22     .optional()
  23     .customSanitizer(toBooleanOrNull)
  24     .custom(isBooleanValid)
  25     .withMessage('Should have a valid isLocal boolean'),
  26
  27   query('onLocalVideo')
  28     .optional()
  29     .customSanitizer(toBooleanOrNull)
  30     .custom(isBooleanValid)
  31     .withMessage('Should have a valid onLocalVideo boolean'),
  32
  33   query('search')
  34     .optional()
  35     .custom(exists),
  36
  37   query('searchAccount')
  38     .optional()
  39     .custom(exists),
  40
  41   query('searchVideo')
  42     .optional()
  43     .custom(exists),
  44
  45   (req: express.Request, res: express.Response, next: express.NextFunction) => {
  46     logger.debug('Checking listVideoCommentsValidator parameters.', { parameters: req.query })
  47
  48     if (areValidationErrors(req, res)) return
  49
  50     return next()
  51   }
  52 ]
  53
  54 const listVideoCommentThreadsValidator = [
  55   isValidVideoIdParam('videoId'),
  56
  57   async (req: express.Request, res: express.Response, next: express.NextFunction) => {
  58     logger.debug('Checking listVideoCommentThreads parameters.', { parameters: req.params })
  59
  60     if (areValidationErrors(req, res)) return
  61     if (!await doesVideoExist(req.params.videoId, res, 'only-video')) return
  62
  63     if (!await checkCanSeeVideo({ req, res, paramId: req.params.videoId, video: res.locals.onlyVideo })) return
  64
  65     return next()
  66   }
  67 ]
  68
  69 const listVideoThreadCommentsValidator = [
  70   isValidVideoIdParam('videoId'),
  71
  72   param('threadId')
  73     .custom(isIdValid),
  74
  75   async (req: express.Request, res: express.Response, next: express.NextFunction) => {
  76     logger.debug('Checking listVideoThreadComments parameters.', { parameters: req.params })
  77
  78     if (areValidationErrors(req, res)) return
  79     if (!await doesVideoExist(req.params.videoId, res, 'only-video')) return
  80     if (!await doesVideoCommentThreadExist(req.params.threadId, res.locals.onlyVideo, res)) return
  81
  82     if (!await checkCanSeeVideo({ req, res, paramId: req.params.videoId, video: res.locals.onlyVideo })) return
  83
  84     return next()
  85   }
  86 ]
  87
  88 const addVideoCommentThreadValidator = [
  89   isValidVideoIdParam('videoId'),
  90
  91   body('text')
  92     .custom(isValidVideoCommentText),
  93
  94   async (req: express.Request, res: express.Response, next: express.NextFunction) => {
  95     logger.debug('Checking addVideoCommentThread parameters.', { parameters: req.params, body: req.body })
  96
  97     if (areValidationErrors(req, res)) return
  98     if (!await doesVideoExist(req.params.videoId, res)) return
  99
 100     if (!await checkCanSeeVideo({ req, res, paramId: req.params.videoId, video: res.locals.videoAll })) return
 101
 102     if (!isVideoCommentsEnabled(res.locals.videoAll, res)) return
 103     if (!await isVideoCommentAccepted(req, res, res.locals.videoAll, false)) return
 104
 105     return next()
 106   }
 107 ]
 108
 109 const addVideoCommentReplyValidator = [
 110   isValidVideoIdParam('videoId'),
 111
 112   param('commentId').custom(isIdValid),
 113
 114   body('text').custom(isValidVideoCommentText),
 115
 116   async (req: express.Request, res: express.Response, next: express.NextFunction) => {
 117     logger.debug('Checking addVideoCommentReply parameters.', { parameters: req.params, body: req.body })
 118
 119     if (areValidationErrors(req, res)) return
 120     if (!await doesVideoExist(req.params.videoId, res)) return
 121
 122     if (!await checkCanSeeVideo({ req, res, paramId: req.params.videoId, video: res.locals.videoAll })) return
 123
 124     if (!isVideoCommentsEnabled(res.locals.videoAll, res)) return
 125     if (!await doesVideoCommentExist(req.params.commentId, res.locals.videoAll, res)) return
 126     if (!await isVideoCommentAccepted(req, res, res.locals.videoAll, true)) return
 127
 128     return next()
 129   }
 130 ]
 131
 132 const videoCommentGetValidator = [
 133   isValidVideoIdParam('videoId'),
 134
 135   param('commentId')
 136     .custom(isIdValid),
 137
 138   async (req: express.Request, res: express.Response, next: express.NextFunction) => {
 139     logger.debug('Checking videoCommentGetValidator parameters.', { parameters: req.params })
 140
 141     if (areValidationErrors(req, res)) return
 142     if (!await doesVideoExist(req.params.videoId, res, 'id')) return
 143     if (!await doesVideoCommentExist(req.params.commentId, res.locals.videoId, res)) return
 144
 145     return next()
 146   }
 147 ]
 148
 149 const removeVideoCommentValidator = [
 150   isValidVideoIdParam('videoId'),
 151
 152   param('commentId')
 153     .custom(isIdValid),
 154
 155   async (req: express.Request, res: express.Response, next: express.NextFunction) => {
 156     logger.debug('Checking removeVideoCommentValidator parameters.', { parameters: req.params })
 157
 158     if (areValidationErrors(req, res)) return
 159     if (!await doesVideoExist(req.params.videoId, res)) return
 160     if (!await doesVideoCommentExist(req.params.commentId, res.locals.videoAll, res)) return
 161
 162     // Check if the user who did the request is able to delete the video
 163     if (!checkUserCanDeleteVideoComment(res.locals.oauth.token.User, res.locals.videoCommentFull, res)) return
 164
 165     return next()
 166   }
 167 ]
 168
 169 // ---------------------------------------------------------------------------
 170
 171 export {
 172   listVideoCommentThreadsValidator,
 173   listVideoThreadCommentsValidator,
 174   addVideoCommentThreadValidator,
 175   listVideoCommentsValidator,
 176   addVideoCommentReplyValidator,
 177   videoCommentGetValidator,
 178   removeVideoCommentValidator
 179 }
 180
 181 // ---------------------------------------------------------------------------
 182
 183 function isVideoCommentsEnabled (video: MVideo, res: express.Response) {
 184   if (video.commentsEnabled !== true) {
 185     res.fail({
 186       status: HttpStatusCode.CONFLICT_409,
 187       message: 'Video comments are disabled for this video.'
 188     })
 189     return false
 190   }
 191
 192   return true
 193 }
 194
 195 function checkUserCanDeleteVideoComment (user: MUserAccountUrl, videoComment: MCommentOwnerVideoReply, res: express.Response) {
 196   if (videoComment.isDeleted()) {
 197     res.fail({
 198       status: HttpStatusCode.CONFLICT_409,
 199       message: 'This comment is already deleted'
 200     })
 201     return false
 202   }
 203
 204   const userAccount = user.Account
 205
 206   if (
 207     user.hasRight(UserRight.REMOVE_ANY_VIDEO_COMMENT) === false && // Not a moderator
 208     videoComment.accountId !== userAccount.id && // Not the comment owner
 209     videoComment.Video.VideoChannel.accountId !== userAccount.id // Not the video owner
 210   ) {
 211     res.fail({
 212       status: HttpStatusCode.FORBIDDEN_403,
 213       message: 'Cannot remove video comment of another user'
 214     })
 215     return false
 216   }
 217
 218   return true
 219 }
 220
 221 async function isVideoCommentAccepted (req: express.Request, res: express.Response, video: MVideoFullLight, isReply: boolean) {
 222   const acceptParameters = {
 223     video,
 224     commentBody: req.body,
 225     user: res.locals.oauth.token.User
 226   }
 227
 228   let acceptedResult: AcceptResult
 229
 230   if (isReply) {
 231     const acceptReplyParameters = Object.assign(acceptParameters, { parentComment: res.locals.videoCommentFull })
 232
 233     acceptedResult = await Hooks.wrapFun(
 234       isLocalVideoCommentReplyAccepted,
 235       acceptReplyParameters,
 236       'filter:api.video-comment-reply.create.accept.result'
 237     )
 238   } else {
 239     acceptedResult = await Hooks.wrapFun(
 240       isLocalVideoThreadAccepted,
 241       acceptParameters,
 242       'filter:api.video-thread.create.accept.result'
 243     )
 244   }
 245
 246   if (!acceptedResult || acceptedResult.accepted !== true) {
 247     logger.info('Refused local comment.', { acceptedResult, acceptParameters })
 248
 249     res.fail({
 250       status: HttpStatusCode.FORBIDDEN_403,
 251       message: acceptedResult?.errorMessage || 'Refused local comment'
 252     })
 253     return false
 254   }
 255
 256   return true
 257 }