server/middlewares/validators/videos.ts

   1 import * as express from 'express'
   2 import 'express-validator'
   3 import { body, param, query } from 'express-validator/check'
   4 import { UserRight, VideoPrivacy } from '../../../shared'
   5 import { isBooleanValid, isIdOrUUIDValid, isIdValid, isUUIDValid } from '../../helpers/custom-validators/misc'
   6 import {
   7   isVideoAbuseReasonValid, isVideoCategoryValid, isVideoDescriptionValid, isVideoExist, isVideoFile, isVideoLanguageValid,
   8   isVideoLicenceValid, isVideoNameValid, isVideoPrivacyValid, isVideoRatingTypeValid, isVideoTagsValid
   9 } from '../../helpers/custom-validators/videos'
  10 import { getDurationFromVideoFile } from '../../helpers/ffmpeg-utils'
  11 import { logger } from '../../helpers/logger'
  12 import { CONSTRAINTS_FIELDS } from '../../initializers'
  13 import { UserModel } from '../../models/account/user'
  14 import { VideoModel } from '../../models/video/video'
  15 import { VideoChannelModel } from '../../models/video/video-channel'
  16 import { VideoShareModel } from '../../models/video/video-share'
  17 import { authenticate } from '../oauth'
  18 import { areValidationErrors } from './utils'
  19
  20 const videosAddValidator = [
  21   body('videofile').custom((value, { req }) => isVideoFile(req.files)).withMessage(
  22     'This file is not supported. Please, make sure it is of the following type : '
  23     + CONSTRAINTS_FIELDS.VIDEOS.EXTNAME.join(', ')
  24   ),
  25   body('name').custom(isVideoNameValid).withMessage('Should have a valid name'),
  26   body('category').optional().custom(isVideoCategoryValid).withMessage('Should have a valid category'),
  27   body('licence').optional().custom(isVideoLicenceValid).withMessage('Should have a valid licence'),
  28   body('language').optional().custom(isVideoLanguageValid).withMessage('Should have a valid language'),
  29   body('nsfw').custom(isBooleanValid).withMessage('Should have a valid NSFW attribute'),
  30   body('description').optional().custom(isVideoDescriptionValid).withMessage('Should have a valid description'),
  31   body('channelId').custom(isIdValid).withMessage('Should have correct video channel id'),
  32   body('privacy').custom(isVideoPrivacyValid).withMessage('Should have correct video privacy'),
  33   body('tags').optional().custom(isVideoTagsValid).withMessage('Should have correct tags'),
  34   body('commentsEnabled').custom(isBooleanValid).withMessage('Should have comments enabled boolean'),
  35
  36   async (req: express.Request, res: express.Response, next: express.NextFunction) => {
  37     logger.debug('Checking videosAdd parameters', { parameters: req.body, files: req.files })
  38
  39     if (areValidationErrors(req, res)) return
  40
  41     const videoFile: Express.Multer.File = req.files['videofile'][0]
  42     const user = res.locals.oauth.token.User
  43
  44     const videoChannel = await VideoChannelModel.loadByIdAndAccount(req.body.channelId, user.Account.id)
  45     if (!videoChannel) {
  46       res.status(400)
  47         .json({ error: 'Unknown video video channel for this account.' })
  48         .end()
  49
  50       return
  51     }
  52
  53     res.locals.videoChannel = videoChannel
  54
  55     const isAble = await user.isAbleToUploadVideo(videoFile)
  56     if (isAble === false) {
  57       res.status(403)
  58          .json({ error: 'The user video quota is exceeded with this video.' })
  59          .end()
  60
  61       return
  62     }
  63
  64     let duration: number
  65
  66     try {
  67       duration = await getDurationFromVideoFile(videoFile.path)
  68     } catch (err) {
  69       logger.error('Invalid input file in videosAddValidator.', err)
  70       res.status(400)
  71          .json({ error: 'Invalid input file.' })
  72          .end()
  73
  74       return
  75     }
  76
  77     videoFile['duration'] = duration
  78
  79     return next()
  80   }
  81 ]
  82
  83 const videosUpdateValidator = [
  84   param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
  85   body('name').optional().custom(isVideoNameValid).withMessage('Should have a valid name'),
  86   body('category').optional().custom(isVideoCategoryValid).withMessage('Should have a valid category'),
  87   body('licence').optional().custom(isVideoLicenceValid).withMessage('Should have a valid licence'),
  88   body('language').optional().custom(isVideoLanguageValid).withMessage('Should have a valid language'),
  89   body('nsfw').optional().custom(isBooleanValid).withMessage('Should have a valid NSFW attribute'),
  90   body('privacy').optional().custom(isVideoPrivacyValid).withMessage('Should have correct video privacy'),
  91   body('description').optional().custom(isVideoDescriptionValid).withMessage('Should have a valid description'),
  92   body('tags').optional().custom(isVideoTagsValid).withMessage('Should have correct tags'),
  93   body('commentsEnabled').optional().custom(isBooleanValid).withMessage('Should have comments enabled boolean'),
  94
  95   async (req: express.Request, res: express.Response, next: express.NextFunction) => {
  96     logger.debug('Checking videosUpdate parameters', { parameters: req.body })
  97
  98     if (areValidationErrors(req, res)) return
  99     if (!await isVideoExist(req.params.id, res)) return
 100
 101     const video = res.locals.video
 102
 103     // We need to make additional checks
 104     if (video.isOwned() === false) {
 105       return res.status(403)
 106                 .json({ error: 'Cannot update video of another server' })
 107                 .end()
 108     }
 109
 110     if (video.VideoChannel.Account.userId !== res.locals.oauth.token.User.id) {
 111       return res.status(403)
 112                 .json({ error: 'Cannot update video of another user' })
 113                 .end()
 114     }
 115
 116     if (video.privacy !== VideoPrivacy.PRIVATE && req.body.privacy === VideoPrivacy.PRIVATE) {
 117       return res.status(409)
 118         .json({ error: 'Cannot set "private" a video that was not private anymore.' })
 119         .end()
 120     }
 121
 122     return next()
 123   }
 124 ]
 125
 126 const videosGetValidator = [
 127   param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
 128
 129   async (req: express.Request, res: express.Response, next: express.NextFunction) => {
 130     logger.debug('Checking videosGet parameters', { parameters: req.params })
 131
 132     if (areValidationErrors(req, res)) return
 133     if (!await isVideoExist(req.params.id, res)) return
 134
 135     const video = res.locals.video
 136
 137     // Video is public, anyone can access it
 138     if (video.privacy === VideoPrivacy.PUBLIC) return next()
 139
 140     // Video is unlisted, check we used the uuid to fetch it
 141     if (video.privacy === VideoPrivacy.UNLISTED) {
 142       if (isUUIDValid(req.params.id)) return next()
 143
 144       // Don't leak this unlisted video
 145       return res.status(404).end()
 146     }
 147
 148     // Video is private, check the user
 149     authenticate(req, res, () => {
 150       if (video.VideoChannel.Account.userId !== res.locals.oauth.token.User.id) {
 151         return res.status(403)
 152           .json({ error: 'Cannot get this private video of another user' })
 153           .end()
 154       }
 155
 156       return next()
 157     })
 158   }
 159 ]
 160
 161 const videosRemoveValidator = [
 162   param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
 163
 164   async (req: express.Request, res: express.Response, next: express.NextFunction) => {
 165     logger.debug('Checking videosRemove parameters', { parameters: req.params })
 166
 167     if (areValidationErrors(req, res)) return
 168     if (!await isVideoExist(req.params.id, res)) return
 169
 170     // Check if the user who did the request is able to delete the video
 171     if (!checkUserCanDeleteVideo(res.locals.oauth.token.User, res.locals.video, res)) return
 172
 173     return next()
 174   }
 175 ]
 176
 177 const videosSearchValidator = [
 178   query('search').not().isEmpty().withMessage('Should have a valid search'),
 179
 180   (req: express.Request, res: express.Response, next: express.NextFunction) => {
 181     logger.debug('Checking videosSearch parameters', { parameters: req.params })
 182
 183     if (areValidationErrors(req, res)) return
 184
 185     return next()
 186   }
 187 ]
 188
 189 const videoAbuseReportValidator = [
 190   param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
 191   body('reason').custom(isVideoAbuseReasonValid).withMessage('Should have a valid reason'),
 192
 193   async (req: express.Request, res: express.Response, next: express.NextFunction) => {
 194     logger.debug('Checking videoAbuseReport parameters', { parameters: req.body })
 195
 196     if (areValidationErrors(req, res)) return
 197     if (!await isVideoExist(req.params.id, res)) return
 198
 199     return next()
 200   }
 201 ]
 202
 203 const videoRateValidator = [
 204   param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
 205   body('rating').custom(isVideoRatingTypeValid).withMessage('Should have a valid rate type'),
 206
 207   async (req: express.Request, res: express.Response, next: express.NextFunction) => {
 208     logger.debug('Checking videoRate parameters', { parameters: req.body })
 209
 210     if (areValidationErrors(req, res)) return
 211     if (!await isVideoExist(req.params.id, res)) return
 212
 213     return next()
 214   }
 215 ]
 216
 217 const videosShareValidator = [
 218   param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
 219   param('accountId').custom(isIdValid).not().isEmpty().withMessage('Should have a valid account id'),
 220
 221   async (req: express.Request, res: express.Response, next: express.NextFunction) => {
 222     logger.debug('Checking videoShare parameters', { parameters: req.params })
 223
 224     if (areValidationErrors(req, res)) return
 225     if (!await isVideoExist(req.params.id, res)) return
 226
 227     const share = await VideoShareModel.load(req.params.accountId, res.locals.video.id, undefined)
 228     if (!share) {
 229       return res.status(404)
 230         .end()
 231     }
 232
 233     res.locals.videoShare = share
 234     return next()
 235   }
 236 ]
 237
 238 // ---------------------------------------------------------------------------
 239
 240 export {
 241   videosAddValidator,
 242   videosUpdateValidator,
 243   videosGetValidator,
 244   videosRemoveValidator,
 245   videosSearchValidator,
 246   videosShareValidator,
 247
 248   videoAbuseReportValidator,
 249
 250   videoRateValidator
 251 }
 252
 253 // ---------------------------------------------------------------------------
 254
 255 function checkUserCanDeleteVideo (user: UserModel, video: VideoModel, res: express.Response) {
 256   // Retrieve the user who did the request
 257   if (video.isOwned() === false) {
 258     res.status(403)
 259               .json({ error: 'Cannot remove video of another server, blacklist it' })
 260               .end()
 261     return false
 262   }
 263
 264   // Check if the user can delete the video
 265   // The user can delete it if he has the right
 266   // Or if s/he is the video's account
 267   const account = video.VideoChannel.Account
 268   if (user.hasRight(UserRight.REMOVE_ANY_VIDEO) === false && account.userId !== user.id) {
 269     res.status(403)
 270               .json({ error: 'Cannot remove video of another user' })
 271               .end()
 272     return false
 273   }
 274
 275   return true
 276 }