X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=server%2Fmiddlewares%2Fvalidators%2Fshared%2Fvideos.ts;h=2c2ae381127f4294e3b42ef24cd5bff2f6b3d654;hb=83b1b7eaf1c04837f92de497e74895bee808eb83;hp=8807435f6c9b6d3cb274564fd9a1b170ad4a88f7;hpb=c729caf6cc34630877a0e5a1bda1719384cd0c8a;p=github%2FChocobozzz%2FPeerTube.git diff --git a/server/middlewares/validators/shared/videos.ts b/server/middlewares/validators/shared/videos.ts index 8807435f6..2c2ae3811 100644 --- a/server/middlewares/validators/shared/videos.ts +++ b/server/middlewares/validators/shared/videos.ts @@ -1,7 +1,8 @@ import { Request, Response } from 'express' +import { isUUIDValid } from '@server/helpers/custom-validators/misc' import { loadVideo, VideoLoadType } from '@server/lib/model-loaders' import { isAbleToUploadVideo } from '@server/lib/user' -import { authenticatePromiseIfNeeded } from '@server/middlewares/auth' +import { authenticatePromise } from '@server/middlewares/auth' import { VideoModel } from '@server/models/video/video' import { VideoChannelModel } from '@server/models/video/video-channel' import { VideoFileModel } from '@server/models/video/video-file' @@ -18,18 +19,19 @@ import { MVideoThumbnail, MVideoWithRights } from '@server/types/models' -import { HttpStatusCode, ServerErrorCode, UserRight } from '@shared/models' +import { HttpStatusCode, ServerErrorCode, UserRight, VideoPrivacy } from '@shared/models' async function doesVideoExist (id: number | string, res: Response, fetchType: VideoLoadType = 'all') { const userId = res.locals.oauth ? res.locals.oauth.token.User.id : undefined const video = await loadVideo(id, fetchType, userId) - if (video === null) { + if (!video) { res.fail({ status: HttpStatusCode.NOT_FOUND_404, message: 'Video not found' }) + return false } @@ -58,6 +60,8 @@ async function doesVideoExist (id: number | string, res: Response, fetchType: Vi return true } +// --------------------------------------------------------------------------- + async function doesVideoFileOfVideoExist (id: number, videoIdOrUUID: number | string, res: Response) { if (!await VideoFileModel.doesVideoExistForVideoFile(id, videoIdOrUUID)) { res.fail({ @@ -70,6 +74,8 @@ async function doesVideoFileOfVideoExist (id: number, videoIdOrUUID: number | st return true } +// --------------------------------------------------------------------------- + async function doesVideoChannelOfAccountExist (channelId: number, user: MUserAccountId, res: Response) { const videoChannel = await VideoChannelModel.loadAndPopulateAccount(channelId) @@ -95,32 +101,78 @@ async function doesVideoChannelOfAccountExist (channelId: number, user: MUserAcc return true } -async function checkCanSeeVideoIfPrivate (req: Request, res: Response, video: MVideo, authenticateInQuery = false) { - if (!video.requiresAuth()) return true +// --------------------------------------------------------------------------- - const videoWithRights = await VideoModel.loadAndPopulateAccountAndServerAndTags(video.id) +async function checkCanSeeVideo (options: { + req: Request + res: Response + paramId: string + video: MVideo + authenticateInQuery?: boolean // default false +}) { + const { req, res, video, paramId, authenticateInQuery = false } = options + + if (video.requiresAuth()) { + return checkCanSeeAuthVideo(req, res, video, authenticateInQuery) + } - return checkCanSeePrivateVideo(req, res, videoWithRights, authenticateInQuery) -} + if (video.privacy === VideoPrivacy.UNLISTED) { + if (isUUIDValid(paramId)) return true -async function checkCanSeePrivateVideo (req: Request, res: Response, video: MVideoWithRights, authenticateInQuery = false) { - await authenticatePromiseIfNeeded(req, res, authenticateInQuery) + return checkCanSeeAuthVideo(req, res, video, authenticateInQuery) + } + + if (video.privacy === VideoPrivacy.PUBLIC) return true - const user = res.locals.oauth ? res.locals.oauth.token.User : null + throw new Error('Fatal error when checking video right ' + video.url) +} - // Only the owner or a user that have blocklist rights can see the video - if (!user || !user.canGetVideo(video)) { +async function checkCanSeeAuthVideo (req: Request, res: Response, video: MVideoId | MVideoWithRights, authenticateInQuery = false) { + const fail = () => { res.fail({ status: HttpStatusCode.FORBIDDEN_403, - message: 'Cannot fetch information of private/internal/blocklisted video' + message: 'Cannot fetch information of private/internal/blocked video' }) return false } - return true + await authenticatePromise(req, res, authenticateInQuery) + + const user = res.locals.oauth?.token.User + if (!user) return fail() + + const videoWithRights = (video as MVideoWithRights).VideoChannel?.Account?.userId + ? video as MVideoWithRights + : await VideoModel.loadAndPopulateAccountAndServerAndTags(video.id) + + const privacy = videoWithRights.privacy + + if (privacy === VideoPrivacy.INTERNAL) { + // We know we have a user + return true + } + + const isOwnedByUser = videoWithRights.VideoChannel.Account.userId === user.id + + if (videoWithRights.isBlacklisted()) { + if (isOwnedByUser || user.hasRight(UserRight.MANAGE_VIDEO_BLACKLIST)) return true + + return fail() + } + + if (privacy === VideoPrivacy.PRIVATE || privacy === VideoPrivacy.UNLISTED) { + if (isOwnedByUser || user.hasRight(UserRight.SEE_ALL_VIDEOS)) return true + + return fail() + } + + // Should not happen + return fail() } +// --------------------------------------------------------------------------- + function checkUserCanManageVideo (user: MUser, video: MVideoAccountLight, right: UserRight, res: Response, onlyOwned = true) { // Retrieve the user who did the request if (onlyOwned && video.isOwned() === false) { @@ -146,6 +198,8 @@ function checkUserCanManageVideo (user: MUser, video: MVideoAccountLight, right: return true } +// --------------------------------------------------------------------------- + async function checkUserQuota (user: MUserId, videoFileSize: number, res: Response) { if (await isAbleToUploadVideo(user.id, videoFileSize) === false) { res.fail({ @@ -167,7 +221,6 @@ export { doesVideoFileOfVideoExist, checkUserCanManageVideo, - checkCanSeeVideoIfPrivate, - checkCanSeePrivateVideo, + checkCanSeeVideo, checkUserQuota }