1 import * as express from 'express'
2 import 'express-validator'
3 import { body, param, query, ValidationChain } from 'express-validator/check'
4 import { UserRight, VideoChangeOwnershipStatus, VideoPrivacy } from '../../../../shared'
14 } from '../../../helpers/custom-validators/misc'
16 checkUserCanManageVideo,
17 isScheduleVideoUpdatePrivacyValid,
19 isVideoChannelOfAccountExist,
20 isVideoDescriptionValid,
31 } from '../../../helpers/custom-validators/videos'
32 import { getDurationFromVideoFile } from '../../../helpers/ffmpeg-utils'
33 import { logger } from '../../../helpers/logger'
34 import { CONFIG, CONSTRAINTS_FIELDS } from '../../../initializers'
35 import { authenticatePromiseIfNeeded } from '../../oauth'
36 import { areValidationErrors } from '../utils'
37 import { cleanUpReqFiles } from '../../../helpers/express-utils'
38 import { VideoModel } from '../../../models/video/video'
39 import { UserModel } from '../../../models/account/user'
40 import { checkUserCanTerminateOwnershipChange, doesChangeVideoOwnershipExist } from '../../../helpers/custom-validators/video-ownership'
41 import { VideoChangeOwnershipAccept } from '../../../../shared/models/videos/video-change-ownership-accept.model'
42 import { VideoChangeOwnershipModel } from '../../../models/video/video-change-ownership'
43 import { AccountModel } from '../../../models/account/account'
44 import { VideoFetchType } from '../../../helpers/video'
45 import { isNSFWQueryValid, isNumberArray, isStringArray } from '../../../helpers/custom-validators/search'
46 import { getServerActor } from '../../../helpers/utils'
48 const videosAddValidator = getCommonVideoAttributes().concat([
50 .custom((value, { req }) => isVideoFile(req.files)).withMessage(
51 'This file is not supported or too large. Please, make sure it is of the following type: '
52 + CONSTRAINTS_FIELDS.VIDEOS.EXTNAME.join(', ')
54 body('name').custom(isVideoNameValid).withMessage('Should have a valid name'),
57 .custom(isIdValid).withMessage('Should have correct video channel id'),
59 async (req: express.Request, res: express.Response, next: express.NextFunction) => {
60 logger.debug('Checking videosAdd parameters', { parameters: req.body, files: req.files })
62 if (areValidationErrors(req, res)) return cleanUpReqFiles(req)
63 if (areErrorsInScheduleUpdate(req, res)) return cleanUpReqFiles(req)
65 const videoFile: Express.Multer.File = req.files['videofile'][0]
66 const user = res.locals.oauth.token.User
68 if (!await isVideoChannelOfAccountExist(req.body.channelId, user, res)) return cleanUpReqFiles(req)
70 const isAble = await user.isAbleToUploadVideo(videoFile)
71 if (isAble === false) {
73 .json({ error: 'The user video quota is exceeded with this video.' })
75 return cleanUpReqFiles(req)
81 duration = await getDurationFromVideoFile(videoFile.path)
83 logger.error('Invalid input file in videosAddValidator.', { err })
85 .json({ error: 'Invalid input file.' })
87 return cleanUpReqFiles(req)
90 videoFile['duration'] = duration
96 const videosUpdateValidator = getCommonVideoAttributes().concat([
97 param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
100 .custom(isVideoNameValid).withMessage('Should have a valid name'),
104 .custom(isIdValid).withMessage('Should have correct video channel id'),
106 async (req: express.Request, res: express.Response, next: express.NextFunction) => {
107 logger.debug('Checking videosUpdate parameters', { parameters: req.body })
109 if (areValidationErrors(req, res)) return cleanUpReqFiles(req)
110 if (areErrorsInScheduleUpdate(req, res)) return cleanUpReqFiles(req)
111 if (!await isVideoExist(req.params.id, res)) return cleanUpReqFiles(req)
113 const video = res.locals.video
115 // Check if the user who did the request is able to update the video
116 const user = res.locals.oauth.token.User
117 if (!checkUserCanManageVideo(user, res.locals.video, UserRight.UPDATE_ANY_VIDEO, res)) return cleanUpReqFiles(req)
119 if (video.privacy !== VideoPrivacy.PRIVATE && req.body.privacy === VideoPrivacy.PRIVATE) {
121 return res.status(409)
122 .json({ error: 'Cannot set "private" a video that was not private.' })
125 if (req.body.channelId && !await isVideoChannelOfAccountExist(req.body.channelId, user, res)) return cleanUpReqFiles(req)
131 async function checkVideoFollowConstraints (req: express.Request, res: express.Response, next: express.NextFunction) {
132 const video: VideoModel = res.locals.video
134 // Anybody can watch local videos
135 if (video.isOwned() === true) return next()
138 if (res.locals.oauth) {
139 // Users can search or watch remote videos
140 if (CONFIG.SEARCH.REMOTE_URI.USERS === true) return next()
143 // Anybody can search or watch remote videos
144 if (CONFIG.SEARCH.REMOTE_URI.ANONYMOUS === true) return next()
146 // Check our instance follows an actor that shared this video
147 const serverActor = await getServerActor()
148 if (await VideoModel.checkVideoHasInstanceFollow(video.id, serverActor.id) === true) return next()
150 return res.status(403)
152 error: 'Cannot get this video regarding follow constraints.'
156 const videosCustomGetValidator = (fetchType: VideoFetchType) => {
158 param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
160 async (req: express.Request, res: express.Response, next: express.NextFunction) => {
161 logger.debug('Checking videosGet parameters', { parameters: req.params })
163 if (areValidationErrors(req, res)) return
164 if (!await isVideoExist(req.params.id, res, fetchType)) return
166 const video: VideoModel = res.locals.video
168 // Video private or blacklisted
169 if (video.privacy === VideoPrivacy.PRIVATE || video.VideoBlacklist) {
170 await authenticatePromiseIfNeeded(req, res)
172 const user: UserModel = res.locals.oauth ? res.locals.oauth.token.User : null
174 // Only the owner or a user that have blacklist rights can see the video
177 (video.VideoChannel.Account.userId !== user.id && !user.hasRight(UserRight.MANAGE_VIDEO_BLACKLIST))
179 return res.status(403)
180 .json({ error: 'Cannot get this private or blacklisted video.' })
186 // Video is public, anyone can access it
187 if (video.privacy === VideoPrivacy.PUBLIC) return next()
189 // Video is unlisted, check we used the uuid to fetch it
190 if (video.privacy === VideoPrivacy.UNLISTED) {
191 if (isUUIDValid(req.params.id)) return next()
193 // Don't leak this unlisted video
194 return res.status(404).end()
200 const videosGetValidator = videosCustomGetValidator('all')
202 const videosRemoveValidator = [
203 param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
205 async (req: express.Request, res: express.Response, next: express.NextFunction) => {
206 logger.debug('Checking videosRemove parameters', { parameters: req.params })
208 if (areValidationErrors(req, res)) return
209 if (!await isVideoExist(req.params.id, res)) return
211 // Check if the user who did the request is able to delete the video
212 if (!checkUserCanManageVideo(res.locals.oauth.token.User, res.locals.video, UserRight.REMOVE_ANY_VIDEO, res)) return
218 const videosChangeOwnershipValidator = [
219 param('videoId').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
221 async (req: express.Request, res: express.Response, next: express.NextFunction) => {
222 logger.debug('Checking changeOwnership parameters', { parameters: req.params })
224 if (areValidationErrors(req, res)) return
225 if (!await isVideoExist(req.params.videoId, res)) return
227 // Check if the user who did the request is able to change the ownership of the video
228 if (!checkUserCanManageVideo(res.locals.oauth.token.User, res.locals.video, UserRight.CHANGE_VIDEO_OWNERSHIP, res)) return
230 const nextOwner = await AccountModel.loadLocalByName(req.body.username)
233 .json({ error: 'Changing video ownership to a remote account is not supported yet' })
237 res.locals.nextOwner = nextOwner
243 const videosTerminateChangeOwnershipValidator = [
244 param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
246 async (req: express.Request, res: express.Response, next: express.NextFunction) => {
247 logger.debug('Checking changeOwnership parameters', { parameters: req.params })
249 if (areValidationErrors(req, res)) return
250 if (!await doesChangeVideoOwnershipExist(req.params.id, res)) return
252 // Check if the user who did the request is able to change the ownership of the video
253 if (!checkUserCanTerminateOwnershipChange(res.locals.oauth.token.User, res.locals.videoChangeOwnership, res)) return
257 async (req: express.Request, res: express.Response, next: express.NextFunction) => {
258 const videoChangeOwnership = res.locals.videoChangeOwnership as VideoChangeOwnershipModel
260 if (videoChangeOwnership.status === VideoChangeOwnershipStatus.WAITING) {
264 .json({ error: 'Ownership already accepted or refused' })
271 const videosAcceptChangeOwnershipValidator = [
272 async (req: express.Request, res: express.Response, next: express.NextFunction) => {
273 const body = req.body as VideoChangeOwnershipAccept
274 if (!await isVideoChannelOfAccountExist(body.channelId, res.locals.oauth.token.User, res)) return
276 const user = res.locals.oauth.token.User
277 const videoChangeOwnership = res.locals.videoChangeOwnership as VideoChangeOwnershipModel
278 const isAble = await user.isAbleToUploadVideo(videoChangeOwnership.Video.getOriginalFile())
279 if (isAble === false) {
281 .json({ error: 'The user video quota is exceeded with this video.' })
290 function getCommonVideoAttributes () {
292 body('thumbnailfile')
293 .custom((value, { req }) => isVideoImage(req.files, 'thumbnailfile')).withMessage(
294 'This thumbnail file is not supported or too large. Please, make sure it is of the following type: '
295 + CONSTRAINTS_FIELDS.VIDEOS.IMAGE.EXTNAME.join(', ')
298 .custom((value, { req }) => isVideoImage(req.files, 'previewfile')).withMessage(
299 'This preview file is not supported or too large. Please, make sure it is of the following type: '
300 + CONSTRAINTS_FIELDS.VIDEOS.IMAGE.EXTNAME.join(', ')
305 .customSanitizer(toIntOrNull)
306 .custom(isVideoCategoryValid).withMessage('Should have a valid category'),
309 .customSanitizer(toIntOrNull)
310 .custom(isVideoLicenceValid).withMessage('Should have a valid licence'),
313 .customSanitizer(toValueOrNull)
314 .custom(isVideoLanguageValid).withMessage('Should have a valid language'),
318 .custom(isBooleanValid).withMessage('Should have a valid NSFW attribute'),
319 body('waitTranscoding')
322 .custom(isBooleanValid).withMessage('Should have a valid wait transcoding attribute'),
326 .custom(isVideoPrivacyValid).withMessage('Should have correct video privacy'),
329 .customSanitizer(toValueOrNull)
330 .custom(isVideoDescriptionValid).withMessage('Should have a valid description'),
333 .customSanitizer(toValueOrNull)
334 .custom(isVideoSupportValid).withMessage('Should have a valid support text'),
337 .customSanitizer(toValueOrNull)
338 .custom(isVideoTagsValid).withMessage('Should have correct tags'),
339 body('commentsEnabled')
342 .custom(isBooleanValid).withMessage('Should have comments enabled boolean'),
343 body('downloadEnabled')
346 .custom(isBooleanValid).withMessage('Should have downloading enabled boolean'),
348 body('scheduleUpdate')
350 .customSanitizer(toValueOrNull),
351 body('scheduleUpdate.updateAt')
353 .custom(isDateValid).withMessage('Should have a valid schedule update date'),
354 body('scheduleUpdate.privacy')
357 .custom(isScheduleVideoUpdatePrivacyValid).withMessage('Should have correct schedule update privacy')
358 ] as (ValidationChain | express.Handler)[]
361 const commonVideosFiltersValidator = [
362 query('categoryOneOf')
364 .customSanitizer(toArray)
365 .custom(isNumberArray).withMessage('Should have a valid one of category array'),
366 query('licenceOneOf')
368 .customSanitizer(toArray)
369 .custom(isNumberArray).withMessage('Should have a valid one of licence array'),
370 query('languageOneOf')
372 .customSanitizer(toArray)
373 .custom(isStringArray).withMessage('Should have a valid one of language array'),
376 .customSanitizer(toArray)
377 .custom(isStringArray).withMessage('Should have a valid one of tags array'),
380 .customSanitizer(toArray)
381 .custom(isStringArray).withMessage('Should have a valid all of tags array'),
384 .custom(isNSFWQueryValid).withMessage('Should have a valid NSFW attribute'),
387 .custom(isVideoFilterValid).withMessage('Should have a valid filter attribute'),
389 (req: express.Request, res: express.Response, next: express.NextFunction) => {
390 logger.debug('Checking commons video filters query', { parameters: req.query })
392 if (areValidationErrors(req, res)) return
394 const user: UserModel = res.locals.oauth ? res.locals.oauth.token.User : undefined
395 if (req.query.filter === 'all-local' && (!user || user.hasRight(UserRight.SEE_ALL_VIDEOS) === false)) {
397 .json({ error: 'You are not allowed to see all local videos.' })
406 // ---------------------------------------------------------------------------
410 videosUpdateValidator,
412 checkVideoFollowConstraints,
413 videosCustomGetValidator,
414 videosRemoveValidator,
416 videosChangeOwnershipValidator,
417 videosTerminateChangeOwnershipValidator,
418 videosAcceptChangeOwnershipValidator,
420 getCommonVideoAttributes,
422 commonVideosFiltersValidator
425 // ---------------------------------------------------------------------------
427 function areErrorsInScheduleUpdate (req: express.Request, res: express.Response) {
428 if (req.body.scheduleUpdate) {
429 if (!req.body.scheduleUpdate.updateAt) {
430 logger.warn('Invalid parameters: scheduleUpdate.updateAt is mandatory.')
433 .json({ error: 'Schedule update at is mandatory.' })