server/middlewares/validators/videos/videos.ts

   1 import * as express from 'express'
   2 import { body, param, query, ValidationChain } from 'express-validator'
   3 import { UserRight, VideoChangeOwnershipStatus, VideoPrivacy } from '../../../../shared'
   4 import {
   5   isBooleanValid,
   6   isDateValid,
   7   isIdOrUUIDValid,
   8   isIdValid,
   9   isUUIDValid,
  10   toArray,
  11   toBooleanOrNull,
  12   toIntOrNull,
  13   toValueOrNull
  14 } from '../../../helpers/custom-validators/misc'
  15 import {
  16   isScheduleVideoUpdatePrivacyValid,
  17   isVideoCategoryValid,
  18   isVideoDescriptionValid,
  19   isVideoFile,
  20   isVideoFilterValid,
  21   isVideoImage,
  22   isVideoLanguageValid,
  23   isVideoLicenceValid,
  24   isVideoNameValid,
  25   isVideoOriginallyPublishedAtValid,
  26   isVideoPrivacyValid,
  27   isVideoSupportValid,
  28   isVideoTagsValid
  29 } from '../../../helpers/custom-validators/videos'
  30 import { getDurationFromVideoFile } from '../../../helpers/ffmpeg-utils'
  31 import { logger } from '../../../helpers/logger'
  32 import { CONSTRAINTS_FIELDS } from '../../../initializers/constants'
  33 import { authenticatePromiseIfNeeded } from '../../oauth'
  34 import { areValidationErrors } from '../utils'
  35 import { cleanUpReqFiles } from '../../../helpers/express-utils'
  36 import { VideoModel } from '../../../models/video/video'
  37 import { checkUserCanTerminateOwnershipChange, doesChangeVideoOwnershipExist } from '../../../helpers/custom-validators/video-ownership'
  38 import { VideoChangeOwnershipAccept } from '../../../../shared/models/videos/video-change-ownership-accept.model'
  39 import { AccountModel } from '../../../models/account/account'
  40 import { VideoFetchType } from '../../../helpers/video'
  41 import { isNSFWQueryValid, isNumberArray, isStringArray } from '../../../helpers/custom-validators/search'
  42 import { getServerActor } from '../../../helpers/utils'
  43 import { CONFIG } from '../../../initializers/config'
  44 import { isLocalVideoAccepted } from '../../../lib/moderation'
  45 import { Hooks } from '../../../lib/plugins/hooks'
  46 import { checkUserCanManageVideo, doesVideoChannelOfAccountExist, doesVideoExist } from '../../../helpers/middlewares'
  47
  48 const videosAddValidator = getCommonVideoEditAttributes().concat([
  49   body('videofile')
  50     .custom((value, { req }) => isVideoFile(req.files)).withMessage(
  51       'This file is not supported or too large. Please, make sure it is of the following type: '
  52       + CONSTRAINTS_FIELDS.VIDEOS.EXTNAME.join(', ')
  53     ),
  54   body('name').custom(isVideoNameValid).withMessage('Should have a valid name'),
  55   body('channelId')
  56     .customSanitizer(toIntOrNull)
  57     .custom(isIdValid).withMessage('Should have correct video channel id'),
  58
  59   async (req: express.Request, res: express.Response, next: express.NextFunction) => {
  60     logger.debug('Checking videosAdd parameters', { parameters: req.body, files: req.files })
  61
  62     if (areValidationErrors(req, res)) return cleanUpReqFiles(req)
  63     if (areErrorsInScheduleUpdate(req, res)) return cleanUpReqFiles(req)
  64
  65     const videoFile: Express.Multer.File & { duration?: number } = req.files['videofile'][0]
  66     const user = res.locals.oauth.token.User
  67
  68     if (!await doesVideoChannelOfAccountExist(req.body.channelId, user, res)) return cleanUpReqFiles(req)
  69
  70     if (await user.isAbleToUploadVideo(videoFile) === false) {
  71       res.status(403)
  72          .json({ error: 'The user video quota is exceeded with this video.' })
  73
  74       return cleanUpReqFiles(req)
  75     }
  76
  77     let duration: number
  78
  79     try {
  80       duration = await getDurationFromVideoFile(videoFile.path)
  81     } catch (err) {
  82       logger.error('Invalid input file in videosAddValidator.', { err })
  83       res.status(400)
  84          .json({ error: 'Invalid input file.' })
  85
  86       return cleanUpReqFiles(req)
  87     }
  88
  89     videoFile.duration = duration
  90
  91     if (!await isVideoAccepted(req, res, videoFile)) return cleanUpReqFiles(req)
  92
  93     return next()
  94   }
  95 ])
  96
  97 const videosUpdateValidator = getCommonVideoEditAttributes().concat([
  98   param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
  99   body('name')
 100     .optional()
 101     .custom(isVideoNameValid).withMessage('Should have a valid name'),
 102   body('channelId')
 103     .optional()
 104     .customSanitizer(toIntOrNull)
 105     .custom(isIdValid).withMessage('Should have correct video channel id'),
 106
 107   async (req: express.Request, res: express.Response, next: express.NextFunction) => {
 108     logger.debug('Checking videosUpdate parameters', { parameters: req.body })
 109
 110     if (areValidationErrors(req, res)) return cleanUpReqFiles(req)
 111     if (areErrorsInScheduleUpdate(req, res)) return cleanUpReqFiles(req)
 112     if (!await doesVideoExist(req.params.id, res)) return cleanUpReqFiles(req)
 113
 114     // Check if the user who did the request is able to update the video
 115     const user = res.locals.oauth.token.User
 116     if (!checkUserCanManageVideo(user, res.locals.video, UserRight.UPDATE_ANY_VIDEO, res)) return cleanUpReqFiles(req)
 117
 118     if (req.body.channelId && !await doesVideoChannelOfAccountExist(req.body.channelId, user, res)) return cleanUpReqFiles(req)
 119
 120     return next()
 121   }
 122 ])
 123
 124 async function checkVideoFollowConstraints (req: express.Request, res: express.Response, next: express.NextFunction) {
 125   const video = res.locals.video
 126
 127   // Anybody can watch local videos
 128   if (video.isOwned() === true) return next()
 129
 130   // Logged user
 131   if (res.locals.oauth) {
 132     // Users can search or watch remote videos
 133     if (CONFIG.SEARCH.REMOTE_URI.USERS === true) return next()
 134   }
 135
 136   // Anybody can search or watch remote videos
 137   if (CONFIG.SEARCH.REMOTE_URI.ANONYMOUS === true) return next()
 138
 139   // Check our instance follows an actor that shared this video
 140   const serverActor = await getServerActor()
 141   if (await VideoModel.checkVideoHasInstanceFollow(video.id, serverActor.id) === true) return next()
 142
 143   return res.status(403)
 144             .json({
 145               error: 'Cannot get this video regarding follow constraints.'
 146             })
 147 }
 148
 149 const videosCustomGetValidator = (fetchType: VideoFetchType) => {
 150   return [
 151     param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
 152
 153     async (req: express.Request, res: express.Response, next: express.NextFunction) => {
 154       logger.debug('Checking videosGet parameters', { parameters: req.params })
 155
 156       if (areValidationErrors(req, res)) return
 157       if (!await doesVideoExist(req.params.id, res, fetchType)) return
 158
 159       const video = res.locals.video
 160
 161       // Video private or blacklisted
 162       if (video.privacy === VideoPrivacy.PRIVATE || video.VideoBlacklist) {
 163         await authenticatePromiseIfNeeded(req, res)
 164
 165         const user = res.locals.oauth ? res.locals.oauth.token.User : null
 166
 167         // Only the owner or a user that have blacklist rights can see the video
 168         if (
 169           !user ||
 170           (video.VideoChannel.Account.userId !== user.id && !user.hasRight(UserRight.MANAGE_VIDEO_BLACKLIST))
 171         ) {
 172           return res.status(403)
 173                     .json({ error: 'Cannot get this private or blacklisted video.' })
 174         }
 175
 176         return next()
 177       }
 178
 179       // Video is public, anyone can access it
 180       if (video.privacy === VideoPrivacy.PUBLIC) return next()
 181
 182       // Video is unlisted, check we used the uuid to fetch it
 183       if (video.privacy === VideoPrivacy.UNLISTED) {
 184         if (isUUIDValid(req.params.id)) return next()
 185
 186         // Don't leak this unlisted video
 187         return res.status(404).end()
 188       }
 189     }
 190   ]
 191 }
 192
 193 const videosGetValidator = videosCustomGetValidator('all')
 194
 195 const videosRemoveValidator = [
 196   param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
 197
 198   async (req: express.Request, res: express.Response, next: express.NextFunction) => {
 199     logger.debug('Checking videosRemove parameters', { parameters: req.params })
 200
 201     if (areValidationErrors(req, res)) return
 202     if (!await doesVideoExist(req.params.id, res)) return
 203
 204     // Check if the user who did the request is able to delete the video
 205     if (!checkUserCanManageVideo(res.locals.oauth.token.User, res.locals.video, UserRight.REMOVE_ANY_VIDEO, res)) return
 206
 207     return next()
 208   }
 209 ]
 210
 211 const videosChangeOwnershipValidator = [
 212   param('videoId').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
 213
 214   async (req: express.Request, res: express.Response, next: express.NextFunction) => {
 215     logger.debug('Checking changeOwnership parameters', { parameters: req.params })
 216
 217     if (areValidationErrors(req, res)) return
 218     if (!await doesVideoExist(req.params.videoId, res)) return
 219
 220     // Check if the user who did the request is able to change the ownership of the video
 221     if (!checkUserCanManageVideo(res.locals.oauth.token.User, res.locals.video, UserRight.CHANGE_VIDEO_OWNERSHIP, res)) return
 222
 223     const nextOwner = await AccountModel.loadLocalByName(req.body.username)
 224     if (!nextOwner) {
 225       res.status(400)
 226         .json({ error: 'Changing video ownership to a remote account is not supported yet' })
 227
 228       return
 229     }
 230     res.locals.nextOwner = nextOwner
 231
 232     return next()
 233   }
 234 ]
 235
 236 const videosTerminateChangeOwnershipValidator = [
 237   param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
 238
 239   async (req: express.Request, res: express.Response, next: express.NextFunction) => {
 240     logger.debug('Checking changeOwnership parameters', { parameters: req.params })
 241
 242     if (areValidationErrors(req, res)) return
 243     if (!await doesChangeVideoOwnershipExist(req.params.id, res)) return
 244
 245     // Check if the user who did the request is able to change the ownership of the video
 246     if (!checkUserCanTerminateOwnershipChange(res.locals.oauth.token.User, res.locals.videoChangeOwnership, res)) return
 247
 248     return next()
 249   },
 250   async (req: express.Request, res: express.Response, next: express.NextFunction) => {
 251     const videoChangeOwnership = res.locals.videoChangeOwnership
 252
 253     if (videoChangeOwnership.status === VideoChangeOwnershipStatus.WAITING) {
 254       return next()
 255     } else {
 256       res.status(403)
 257         .json({ error: 'Ownership already accepted or refused' })
 258
 259       return
 260     }
 261   }
 262 ]
 263
 264 const videosAcceptChangeOwnershipValidator = [
 265   async (req: express.Request, res: express.Response, next: express.NextFunction) => {
 266     const body = req.body as VideoChangeOwnershipAccept
 267     if (!await doesVideoChannelOfAccountExist(body.channelId, res.locals.oauth.token.User, res)) return
 268
 269     const user = res.locals.oauth.token.User
 270     const videoChangeOwnership = res.locals.videoChangeOwnership
 271     const isAble = await user.isAbleToUploadVideo(videoChangeOwnership.Video.getOriginalFile())
 272     if (isAble === false) {
 273       res.status(403)
 274         .json({ error: 'The user video quota is exceeded with this video.' })
 275
 276       return
 277     }
 278
 279     return next()
 280   }
 281 ]
 282
 283 function getCommonVideoEditAttributes () {
 284   return [
 285     body('thumbnailfile')
 286       .custom((value, { req }) => isVideoImage(req.files, 'thumbnailfile')).withMessage(
 287       'This thumbnail file is not supported or too large. Please, make sure it is of the following type: '
 288       + CONSTRAINTS_FIELDS.VIDEOS.IMAGE.EXTNAME.join(', ')
 289     ),
 290     body('previewfile')
 291       .custom((value, { req }) => isVideoImage(req.files, 'previewfile')).withMessage(
 292       'This preview file is not supported or too large. Please, make sure it is of the following type: '
 293       + CONSTRAINTS_FIELDS.VIDEOS.IMAGE.EXTNAME.join(', ')
 294     ),
 295
 296     body('category')
 297       .optional()
 298       .customSanitizer(toIntOrNull)
 299       .custom(isVideoCategoryValid).withMessage('Should have a valid category'),
 300     body('licence')
 301       .optional()
 302       .customSanitizer(toIntOrNull)
 303       .custom(isVideoLicenceValid).withMessage('Should have a valid licence'),
 304     body('language')
 305       .optional()
 306       .customSanitizer(toValueOrNull)
 307       .custom(isVideoLanguageValid).withMessage('Should have a valid language'),
 308     body('nsfw')
 309       .optional()
 310       .customSanitizer(toBooleanOrNull)
 311       .custom(isBooleanValid).withMessage('Should have a valid NSFW attribute'),
 312     body('waitTranscoding')
 313       .optional()
 314       .customSanitizer(toBooleanOrNull)
 315       .custom(isBooleanValid).withMessage('Should have a valid wait transcoding attribute'),
 316     body('privacy')
 317       .optional()
 318       .customSanitizer(toValueOrNull)
 319       .custom(isVideoPrivacyValid).withMessage('Should have correct video privacy'),
 320     body('description')
 321       .optional()
 322       .customSanitizer(toValueOrNull)
 323       .custom(isVideoDescriptionValid).withMessage('Should have a valid description'),
 324     body('support')
 325       .optional()
 326       .customSanitizer(toValueOrNull)
 327       .custom(isVideoSupportValid).withMessage('Should have a valid support text'),
 328     body('tags')
 329       .optional()
 330       .customSanitizer(toValueOrNull)
 331       .custom(isVideoTagsValid).withMessage('Should have correct tags'),
 332     body('commentsEnabled')
 333       .optional()
 334       .customSanitizer(toBooleanOrNull)
 335       .custom(isBooleanValid).withMessage('Should have comments enabled boolean'),
 336     body('downloadEnabled')
 337       .optional()
 338       .customSanitizer(toBooleanOrNull)
 339       .custom(isBooleanValid).withMessage('Should have downloading enabled boolean'),
 340     body('originallyPublishedAt')
 341       .optional()
 342       .customSanitizer(toValueOrNull)
 343       .custom(isVideoOriginallyPublishedAtValid).withMessage('Should have a valid original publication date'),
 344     body('scheduleUpdate')
 345       .optional()
 346       .customSanitizer(toValueOrNull),
 347     body('scheduleUpdate.updateAt')
 348       .optional()
 349       .custom(isDateValid).withMessage('Should have a valid schedule update date'),
 350     body('scheduleUpdate.privacy')
 351       .optional()
 352       .customSanitizer(toIntOrNull)
 353       .custom(isScheduleVideoUpdatePrivacyValid).withMessage('Should have correct schedule update privacy')
 354   ] as (ValidationChain | express.Handler)[]
 355 }
 356
 357 const commonVideosFiltersValidator = [
 358   query('categoryOneOf')
 359     .optional()
 360     .customSanitizer(toArray)
 361     .custom(isNumberArray).withMessage('Should have a valid one of category array'),
 362   query('licenceOneOf')
 363     .optional()
 364     .customSanitizer(toArray)
 365     .custom(isNumberArray).withMessage('Should have a valid one of licence array'),
 366   query('languageOneOf')
 367     .optional()
 368     .customSanitizer(toArray)
 369     .custom(isStringArray).withMessage('Should have a valid one of language array'),
 370   query('tagsOneOf')
 371     .optional()
 372     .customSanitizer(toArray)
 373     .custom(isStringArray).withMessage('Should have a valid one of tags array'),
 374   query('tagsAllOf')
 375     .optional()
 376     .customSanitizer(toArray)
 377     .custom(isStringArray).withMessage('Should have a valid all of tags array'),
 378   query('nsfw')
 379     .optional()
 380     .custom(isNSFWQueryValid).withMessage('Should have a valid NSFW attribute'),
 381   query('filter')
 382     .optional()
 383     .custom(isVideoFilterValid).withMessage('Should have a valid filter attribute'),
 384
 385   (req: express.Request, res: express.Response, next: express.NextFunction) => {
 386     logger.debug('Checking commons video filters query', { parameters: req.query })
 387
 388     if (areValidationErrors(req, res)) return
 389
 390     const user = res.locals.oauth ? res.locals.oauth.token.User : undefined
 391     if (req.query.filter === 'all-local' && (!user || user.hasRight(UserRight.SEE_ALL_VIDEOS) === false)) {
 392       res.status(401)
 393          .json({ error: 'You are not allowed to see all local videos.' })
 394
 395       return
 396     }
 397
 398     return next()
 399   }
 400 ]
 401
 402 // ---------------------------------------------------------------------------
 403
 404 export {
 405   videosAddValidator,
 406   videosUpdateValidator,
 407   videosGetValidator,
 408   checkVideoFollowConstraints,
 409   videosCustomGetValidator,
 410   videosRemoveValidator,
 411
 412   videosChangeOwnershipValidator,
 413   videosTerminateChangeOwnershipValidator,
 414   videosAcceptChangeOwnershipValidator,
 415
 416   getCommonVideoEditAttributes,
 417
 418   commonVideosFiltersValidator
 419 }
 420
 421 // ---------------------------------------------------------------------------
 422
 423 function areErrorsInScheduleUpdate (req: express.Request, res: express.Response) {
 424   if (req.body.scheduleUpdate) {
 425     if (!req.body.scheduleUpdate.updateAt) {
 426       logger.warn('Invalid parameters: scheduleUpdate.updateAt is mandatory.')
 427
 428       res.status(400)
 429          .json({ error: 'Schedule update at is mandatory.' })
 430
 431       return true
 432     }
 433   }
 434
 435   return false
 436 }
 437
 438 async function isVideoAccepted (req: express.Request, res: express.Response, videoFile: Express.Multer.File & { duration?: number }) {
 439   // Check we accept this video
 440   const acceptParameters = {
 441     videoBody: req.body,
 442     videoFile,
 443     user: res.locals.oauth.token.User
 444   }
 445   const acceptedResult = await Hooks.wrapFun(
 446     isLocalVideoAccepted,
 447     acceptParameters,
 448     'filter:api.video.upload.accept.result'
 449   )
 450
 451   if (!acceptedResult || acceptedResult.accepted !== true) {
 452     logger.info('Refused local video.', { acceptedResult, acceptParameters })
 453     res.status(403)
 454        .json({ error: acceptedResult.errorMessage || 'Refused local video' })
 455
 456     return false
 457   }
 458
 459   return true
 460 }