X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=server%2Fcontrollers%2Fapi%2Fusers%2Findex.ts;h=27351c1a954b8d68ed648fac005e5462bacc0962;hb=001ed2d40c8d2c8f494f5dc7f91ed62d56df10fd;hp=c1d72087cc3a5508fa0f300f9c80c38c6b7b2231;hpb=b6a1dd4d1b3b0032f8b968e72cbd074f646e8827;p=github%2FChocobozzz%2FPeerTube.git

diff --git a/server/controllers/api/users/index.ts b/server/controllers/api/users/index.ts
index c1d72087c..27351c1a9 100644
--- a/server/controllers/api/users/index.ts
+++ b/server/controllers/api/users/index.ts
@@ -3,7 +3,7 @@ import * as RateLimit from 'express-rate-limit'
 import { UserCreate, UserRight, UserRole, UserUpdate } from '../../../../shared'
 import { logger } from '../../../helpers/logger'
 import { getFormattedObjects } from '../../../helpers/utils'
-import { RATES_LIMIT, WEBSERVER } from '../../../initializers/constants'
+import { WEBSERVER } from '../../../initializers/constants'
 import { Emailer } from '../../../lib/emailer'
 import { Redis } from '../../../lib/redis'
 import { createUserAccountAndChannelAndPlaylist, sendVerifyUserEmail } from '../../../lib/user'
@@ -31,7 +31,8 @@ import {
   usersAskSendVerifyEmailValidator,
   usersBlockingValidator,
   usersResetPasswordValidator,
-  usersVerifyEmailValidator
+  usersVerifyEmailValidator,
+  ensureCanManageUser
 } from '../../../middlewares/validators'
 import { UserModel } from '../../../models/account/user'
 import { auditLoggerFactory, getAuditIdFromRes, UserAuditView } from '../../../helpers/audit-logger'
@@ -47,20 +48,28 @@ import { CONFIG } from '../../../initializers/config'
 import { sequelizeTypescript } from '../../../initializers/database'
 import { UserAdminFlag } from '../../../../shared/models/users/user-flag.model'
 import { UserRegister } from '../../../../shared/models/users/user-register.model'
+import { MUser, MUserAccountDefault } from '@server/typings/models'
 
 const auditLogger = auditLoggerFactory('users')
 
 // FIXME: https://github.com/nfriedly/express-rate-limit/issues/138
 // @ts-ignore
 const loginRateLimiter = RateLimit({
-  windowMs: RATES_LIMIT.LOGIN.WINDOW_MS,
-  max: RATES_LIMIT.LOGIN.MAX
+  windowMs: CONFIG.RATES_LIMIT.LOGIN.WINDOW_MS,
+  max: CONFIG.RATES_LIMIT.LOGIN.MAX
+})
+
+// @ts-ignore
+const signupRateLimiter = RateLimit({
+  windowMs: CONFIG.RATES_LIMIT.SIGNUP.WINDOW_MS,
+  max: CONFIG.RATES_LIMIT.SIGNUP.MAX,
+  skipFailedRequests: true
 })
 
 // @ts-ignore
 const askSendEmailLimiter = new RateLimit({
-  windowMs: RATES_LIMIT.ASK_SEND_EMAIL.WINDOW_MS,
-  max: RATES_LIMIT.ASK_SEND_EMAIL.MAX
+  windowMs: CONFIG.RATES_LIMIT.ASK_SEND_EMAIL.WINDOW_MS,
+  max: CONFIG.RATES_LIMIT.ASK_SEND_EMAIL.MAX
 })
 
 const usersRouter = express.Router()
@@ -90,12 +99,14 @@ usersRouter.post('/:id/block',
   authenticate,
   ensureUserHasRight(UserRight.MANAGE_USERS),
   asyncMiddleware(usersBlockingValidator),
+  ensureCanManageUser,
   asyncMiddleware(blockUser)
 )
 usersRouter.post('/:id/unblock',
   authenticate,
   ensureUserHasRight(UserRight.MANAGE_USERS),
   asyncMiddleware(usersBlockingValidator),
+  ensureCanManageUser,
   asyncMiddleware(unblockUser)
 )
 
@@ -114,6 +125,7 @@ usersRouter.post('/',
 )
 
 usersRouter.post('/register',
+  signupRateLimiter,
   asyncMiddleware(ensureUserRegistrationAllowed),
   ensureUserRegistrationAllowedForIP,
   asyncMiddleware(usersRegisterValidator),
@@ -124,6 +136,7 @@ usersRouter.put('/:id',
   authenticate,
   ensureUserHasRight(UserRight.MANAGE_USERS),
   asyncMiddleware(usersUpdateValidator),
+  ensureCanManageUser,
   asyncMiddleware(updateUser)
 )
 
@@ -131,6 +144,7 @@ usersRouter.delete('/:id',
   authenticate,
   ensureUserHasRight(UserRight.MANAGE_USERS),
   asyncMiddleware(usersRemoveValidator),
+  ensureCanManageUser,
   asyncMiddleware(removeUser)
 )
 
@@ -182,7 +196,7 @@ async function createUser (req: express.Request, res: express.Response) {
     videoQuota: body.videoQuota,
     videoQuotaDaily: body.videoQuotaDaily,
     adminFlags: body.adminFlags || UserAdminFlag.NONE
-  })
+  }) as MUser
 
   const { user, account } = await createUserAccountAndChannelAndPlaylist({ userToCreate: userToCreate })
 
@@ -346,7 +360,7 @@ function success (req: express.Request, res: express.Response) {
   res.end()
 }
 
-async function changeUserBlock (res: express.Response, user: UserModel, block: boolean, reason?: string) {
+async function changeUserBlock (res: express.Response, user: MUserAccountDefault, block: boolean, reason?: string) {
   const oldUserAuditView = new UserAuditView(user.toFormattedJSON())
 
   user.blocked = block