]> git.immae.eu Git - github/Chocobozzz/PeerTube.git/blob - server/middlewares/validators/videos/video-comments.ts
projects / github / Chocobozzz / PeerTube.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Check video privacy when creating comments/rates
[github/Chocobozzz/PeerTube.git] / server / middlewares / validators / videos / video-comments.ts
1 import express from 'express'
2 import { body, param, query } from 'express-validator'
3 import { MUserAccountUrl } from '@server/types/models'
4 import { HttpStatusCode, UserRight } from '@shared/models'
5 import { exists, isBooleanValid, isIdValid, toBooleanOrNull } from '../../../helpers/custom-validators/misc'
6 import { isValidVideoCommentText } from '../../../helpers/custom-validators/video-comments'
7 import { logger } from '../../../helpers/logger'
8 import { AcceptResult, isLocalVideoCommentReplyAccepted, isLocalVideoThreadAccepted } from '../../../lib/moderation'
9 import { Hooks } from '../../../lib/plugins/hooks'
10 import { MCommentOwnerVideoReply, MVideo, MVideoFullLight } from '../../../types/models/video'
11 import {
12 areValidationErrors,
13 checkCanSeeVideoIfPrivate,
14 doesVideoCommentExist,
15 doesVideoCommentThreadExist,
16 doesVideoExist,
17 isValidVideoIdParam
18 } from '../shared'
19
20 const listVideoCommentsValidator = [
21 query('isLocal')
22 .optional()
23 .customSanitizer(toBooleanOrNull)
24 .custom(isBooleanValid)
25 .withMessage('Should have a valid is local boolean'),
26
27 query('search')
28 .optional()
29 .custom(exists).withMessage('Should have a valid search'),
30
31 query('searchAccount')
32 .optional()
33 .custom(exists).withMessage('Should have a valid account search'),
34
35 query('searchVideo')
36 .optional()
37 .custom(exists).withMessage('Should have a valid video search'),
38
39 (req: express.Request, res: express.Response, next: express.NextFunction) => {
40 logger.debug('Checking listVideoCommentsValidator parameters.', { parameters: req.query })
41
42 if (areValidationErrors(req, res)) return
43
44 return next()
45 }
46 ]
47
48 const listVideoCommentThreadsValidator = [
49 isValidVideoIdParam('videoId'),
50
51 async (req: express.Request, res: express.Response, next: express.NextFunction) => {
52 logger.debug('Checking listVideoCommentThreads parameters.', { parameters: req.params })
53
54 if (areValidationErrors(req, res)) return
55 if (!await doesVideoExist(req.params.videoId, res, 'only-video')) return
56
57 if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.onlyVideo)) {
58 return res.fail({
59 status: HttpStatusCode.FORBIDDEN_403,
60 message: 'Cannot list comments of private/internal/blocklisted video'
61 })
62 }
63
64 return next()
65 }
66 ]
67
68 const listVideoThreadCommentsValidator = [
69 isValidVideoIdParam('videoId'),
70
71 param('threadId')
72 .custom(isIdValid).not().isEmpty().withMessage('Should have a valid threadId'),
73
74 async (req: express.Request, res: express.Response, next: express.NextFunction) => {
75 logger.debug('Checking listVideoThreadComments parameters.', { parameters: req.params })
76
77 if (areValidationErrors(req, res)) return
78 if (!await doesVideoExist(req.params.videoId, res, 'only-video')) return
79 if (!await doesVideoCommentThreadExist(req.params.threadId, res.locals.onlyVideo, res)) return
80
81 if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.onlyVideo)) {
82 return res.fail({
83 status: HttpStatusCode.FORBIDDEN_403,
84 message: 'Cannot list threads of private/internal/blocklisted video'
85 })
86 }
87
88 return next()
89 }
90 ]
91
92 const addVideoCommentThreadValidator = [
93 isValidVideoIdParam('videoId'),
94
95 body('text')
96 .custom(isValidVideoCommentText).not().isEmpty().withMessage('Should have a valid comment text'),
97
98 async (req: express.Request, res: express.Response, next: express.NextFunction) => {
99 logger.debug('Checking addVideoCommentThread parameters.', { parameters: req.params, body: req.body })
100
101 if (areValidationErrors(req, res)) return
102 if (!await doesVideoExist(req.params.videoId, res)) return
103
104 if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.videoAll)) {
105 return res.fail({
106 status: HttpStatusCode.FORBIDDEN_403,
107 message: 'Cannot access to this ressource'
108 })
109 }
110
111 if (!isVideoCommentsEnabled(res.locals.videoAll, res)) return
112 if (!await isVideoCommentAccepted(req, res, res.locals.videoAll, false)) return
113
114 return next()
115 }
116 ]
117
118 const addVideoCommentReplyValidator = [
119 isValidVideoIdParam('videoId'),
120
121 param('commentId').custom(isIdValid).not().isEmpty().withMessage('Should have a valid commentId'),
122
123 body('text').custom(isValidVideoCommentText).not().isEmpty().withMessage('Should have a valid comment text'),
124
125 async (req: express.Request, res: express.Response, next: express.NextFunction) => {
126 logger.debug('Checking addVideoCommentReply parameters.', { parameters: req.params, body: req.body })
127
128 if (areValidationErrors(req, res)) return
129 if (!await doesVideoExist(req.params.videoId, res)) return
130
131 if (!await checkCanSeeVideoIfPrivate(req, res, res.locals.videoAll)) {
132 return res.fail({
133 status: HttpStatusCode.FORBIDDEN_403,
134 message: 'Cannot access to this ressource'
135 })
136 }
137
138 if (!isVideoCommentsEnabled(res.locals.videoAll, res)) return
139 if (!await doesVideoCommentExist(req.params.commentId, res.locals.videoAll, res)) return
140 if (!await isVideoCommentAccepted(req, res, res.locals.videoAll, true)) return
141
142 return next()
143 }
144 ]
145
146 const videoCommentGetValidator = [
147 isValidVideoIdParam('videoId'),
148
149 param('commentId')
150 .custom(isIdValid).not().isEmpty().withMessage('Should have a valid commentId'),
151
152 async (req: express.Request, res: express.Response, next: express.NextFunction) => {
153 logger.debug('Checking videoCommentGetValidator parameters.', { parameters: req.params })
154
155 if (areValidationErrors(req, res)) return
156 if (!await doesVideoExist(req.params.videoId, res, 'id')) return
157 if (!await doesVideoCommentExist(req.params.commentId, res.locals.videoId, res)) return
158
159 return next()
160 }
161 ]
162
163 const removeVideoCommentValidator = [
164 isValidVideoIdParam('videoId'),
165
166 param('commentId').custom(isIdValid).not().isEmpty().withMessage('Should have a valid commentId'),
167
168 async (req: express.Request, res: express.Response, next: express.NextFunction) => {
169 logger.debug('Checking removeVideoCommentValidator parameters.', { parameters: req.params })
170
171 if (areValidationErrors(req, res)) return
172 if (!await doesVideoExist(req.params.videoId, res)) return
173 if (!await doesVideoCommentExist(req.params.commentId, res.locals.videoAll, res)) return
174
175 // Check if the user who did the request is able to delete the video
176 if (!checkUserCanDeleteVideoComment(res.locals.oauth.token.User, res.locals.videoCommentFull, res)) return
177
178 return next()
179 }
180 ]
181
182 // ---------------------------------------------------------------------------
183
184 export {
185 listVideoCommentThreadsValidator,
186 listVideoThreadCommentsValidator,
187 addVideoCommentThreadValidator,
188 listVideoCommentsValidator,
189 addVideoCommentReplyValidator,
190 videoCommentGetValidator,
191 removeVideoCommentValidator
192 }
193
194 // ---------------------------------------------------------------------------
195
196 function isVideoCommentsEnabled (video: MVideo, res: express.Response) {
197 if (video.commentsEnabled !== true) {
198 res.fail({
199 status: HttpStatusCode.CONFLICT_409,
200 message: 'Video comments are disabled for this video.'
201 })
202 return false
203 }
204
205 return true
206 }
207
208 function checkUserCanDeleteVideoComment (user: MUserAccountUrl, videoComment: MCommentOwnerVideoReply, res: express.Response) {
209 if (videoComment.isDeleted()) {
210 res.fail({
211 status: HttpStatusCode.CONFLICT_409,
212 message: 'This comment is already deleted'
213 })
214 return false
215 }
216
217 const userAccount = user.Account
218
219 if (
220 user.hasRight(UserRight.REMOVE_ANY_VIDEO_COMMENT) === false && // Not a moderator
221 videoComment.accountId !== userAccount.id && // Not the comment owner
222 videoComment.Video.VideoChannel.accountId !== userAccount.id // Not the video owner
223 ) {
224 res.fail({
225 status: HttpStatusCode.FORBIDDEN_403,
226 message: 'Cannot remove video comment of another user'
227 })
228 return false
229 }
230
231 return true
232 }
233
234 async function isVideoCommentAccepted (req: express.Request, res: express.Response, video: MVideoFullLight, isReply: boolean) {
235 const acceptParameters = {
236 video,
237 commentBody: req.body,
238 user: res.locals.oauth.token.User
239 }
240
241 let acceptedResult: AcceptResult
242
243 if (isReply) {
244 const acceptReplyParameters = Object.assign(acceptParameters, { parentComment: res.locals.videoCommentFull })
245
246 acceptedResult = await Hooks.wrapFun(
247 isLocalVideoCommentReplyAccepted,
248 acceptReplyParameters,
249 'filter:api.video-comment-reply.create.accept.result'
250 )
251 } else {
252 acceptedResult = await Hooks.wrapFun(
253 isLocalVideoThreadAccepted,
254 acceptParameters,
255 'filter:api.video-thread.create.accept.result'
256 )
257 }
258
259 if (!acceptedResult || acceptedResult.accepted !== true) {
260 logger.info('Refused local comment.', { acceptedResult, acceptParameters })
261
262 res.fail({
263 status: HttpStatusCode.FORBIDDEN_403,
264 message: acceptedResult?.errorMessage || 'Refused local comment'
265 })
266 return false
267 }
268
269 return true
270 }
ActivityPub-federated video streaming platform using P2P directly in your web browser