X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=server%2Fmiddlewares%2Fvalidators%2Fshared%2Fvideos.ts;h=ebbfc0a0a9242232c349dd070c612b4ac5d51549;hb=2f061e065ab43cc0b73595b619639a92952aeeba;hp=fc978b63ad443e3a80d143dcec84c52d42985cc9;hpb=4fc4541a26227dd880adfdd7599dea17b5b813f0;p=github%2FChocobozzz%2FPeerTube.git
diff --git a/server/middlewares/validators/shared/videos.ts b/server/middlewares/validators/shared/videos.ts
index fc978b63a..ebbfc0a0a 100644
--- a/server/middlewares/validators/shared/videos.ts
+++ b/server/middlewares/validators/shared/videos.ts
@@ -1,12 +1,15 @@
 import { Request, Response } from 'express'
 import { loadVideo, VideoLoadType } from '@server/lib/model-loaders'
-import { authenticatePromiseIfNeeded } from '@server/middlewares/auth'
+import { isAbleToUploadVideo } from '@server/lib/user'
+import { VideoTokensManager } from '@server/lib/video-tokens-manager'
+import { authenticatePromise } from '@server/middlewares/auth'
 import { VideoModel } from '@server/models/video/video'
 import { VideoChannelModel } from '@server/models/video/video-channel'
 import { VideoFileModel } from '@server/models/video/video-file'
 import {
 MUser,
 MUserAccountId,
+ MUserId,
 MVideo,
 MVideoAccountLight,
 MVideoFormattableDetails,
@@ -16,18 +19,19 @@ import {
 MVideoThumbnail,
 MVideoWithRights
 } from '@server/types/models'
-import { HttpStatusCode, UserRight } from '@shared/models'
+import { HttpStatusCode, ServerErrorCode, UserRight, VideoPrivacy } from '@shared/models'
 async function doesVideoExist (id: number | string, res: Response, fetchType: VideoLoadType = 'all') {
 const userId = res.locals.oauth ? res.locals.oauth.token.User.id : undefined
 const video = await loadVideo(id, fetchType, userId)
- if (video === null) {
+ if (!video) {
 res.fail({
 status: HttpStatusCode.NOT_FOUND_404,
 message: 'Video not found'
 })
+
 return false
 }
@@ -56,6 +60,8 @@ async function doesVideoExist (id: number | string, res: Response, fetchType: Vi
 return true
 }
+// ---------------------------------------------------------------------------
+
 async function doesVideoFileOfVideoExist (id: number, videoIdOrUUID: number | string, res: Response) {
 if (!await VideoFileModel.doesVideoExistForVideoFile(id, videoIdOrUUID)) {
 res.fail({
@@ -68,6 +74,8 @@ async function doesVideoFileOfVideoExist (id: number, videoIdOrUUID: number | st
 return true
 }
+// ---------------------------------------------------------------------------
+
 async function doesVideoChannelOfAccountExist (channelId: number, user: MUserAccountId, res: Response) {
 const videoChannel = await VideoChannelModel.loadAndPopulateAccount(channelId)
@@ -93,27 +101,103 @@ async function doesVideoChannelOfAccountExist (channelId: number, user: MUserAcc
 return true
 }
-async function checkCanSeeVideoIfPrivate (req: Request, res: Response, video: MVideo, authenticateInQuery = false) {
- if (!video.requiresAuth()) return true
+// ---------------------------------------------------------------------------
+
+async function checkCanSeeVideo (options: {
+ req: Request
+ res: Response
+ paramId: string
+ video: MVideo
+}) {
+ const { req, res, video, paramId } = options
- const videoWithRights = await VideoModel.loadAndPopulateAccountAndServerAndTags(video.id)
+ if (video.requiresAuth({ urlParamId: paramId, checkBlacklist: true })) {
+ return checkCanSeeAuthVideo(req, res, video)
+ }
+
+ if (video.privacy === VideoPrivacy.UNLISTED || video.privacy === VideoPrivacy.PUBLIC) {
+ return true
+ }
- return checkCanSeePrivateVideo(req, res, videoWithRights, authenticateInQuery)
+ throw new Error('Unknown video privacy when checking video right ' + video.url)
 }
-async function checkCanSeePrivateVideo (req: Request, res: Response, video: MVideoWithRights, authenticateInQuery = false) {
- await authenticatePromiseIfNeeded(req, res, authenticateInQuery)
+async function checkCanSeeAuthVideo (req: Request, res: Response, video: MVideoId | MVideoWithRights) {
+ const fail = () => {
+ res.fail({
+ status: HttpStatusCode.FORBIDDEN_403,
+ message: 'Cannot fetch information of private/internal/blocked video'
+ })
+
+ return false
+ }
+
+ await authenticatePromise(req, res)
+
+ const user = res.locals.oauth?.token.User
+ if (!user) return fail()
+
+ const videoWithRights = (video as MVideoWithRights).VideoChannel?.Account?.userId
+ ? video as MVideoWithRights
+ : await VideoModel.loadFull(video.id)
+
+ const privacy = videoWithRights.privacy
+
+ if (privacy === VideoPrivacy.INTERNAL) {
+ // We know we have a user
+ return true
+ }
+
+ const isOwnedByUser = videoWithRights.VideoChannel.Account.userId === user.id
+
+ if (videoWithRights.isBlacklisted()) {
+ if (isOwnedByUser || user.hasRight(UserRight.MANAGE_VIDEO_BLACKLIST)) return true
+
+ return fail()
+ }
- const user = res.locals.oauth ? res.locals.oauth.token.User : null
+ if (privacy === VideoPrivacy.PRIVATE || privacy === VideoPrivacy.UNLISTED) {
+ if (isOwnedByUser || user.hasRight(UserRight.SEE_ALL_VIDEOS)) return true
- // Only the owner or a user that have blocklist rights can see the video
- if (!user || !user.canGetVideo(video)) {
+ return fail()
+ }
+
+ // Should not happen
+ return fail()
+}
+
+// ---------------------------------------------------------------------------
+
+async function checkCanAccessVideoStaticFiles (options: {
+ video: MVideo
+ req: Request
+ res: Response
+ paramId: string
+}) {
+ const { video, req, res } = options
+
+ if (res.locals.oauth?.token.User) {
+ return checkCanSeeVideo(options)
+ }
+
+ if (!video.hasPrivateStaticPath()) return true
+
+ const videoFileToken = req.query.videoFileToken
+ if (!videoFileToken) {
+ res.sendStatus(HttpStatusCode.FORBIDDEN_403)
 return false
 }
- return true
+ if (VideoTokensManager.Instance.hasToken({ token: videoFileToken, videoUUID: video.uuid })) {
+ return true
+ }
+
+ res.sendStatus(HttpStatusCode.FORBIDDEN_403)
+ return false
 }
+// ---------------------------------------------------------------------------
+
 function checkUserCanManageVideo (user: MUser, video: MVideoAccountLight, right: UserRight, res: Response, onlyOwned = true) {
 // Retrieve the user who did the request
 if (onlyOwned && video.isOwned() === false) {
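Review bot: In `checkCanSeeAuthVideo` the `privacy === VideoPrivacy.INTERNAL` branch returns true before `videoWithRights.isBlacklisted()` is consulted, so a blocked internal video appears to be served to any authenticated user, while a blocked video of any other privacy requires ownership or `UserRight.MANAGE_VIDEO_BLACKLIST`. If that asymmetry is not intended, move the `isOwnedByUser` line and the `isBlacklisted()` block above the INTERNAL branch so the block state is always evaluated first. Separately, in `checkCanAccessVideoStaticFiles` the value of `req.query.videoFileToken` is only tested for truthiness, and Express can parse a repeated or bracketed query parameter into an array or object; I would reject anything that is not a non-empty string before it reaches `hasToken`, e.g. `if (typeof videoFileToken !== 'string' || !videoFileToken) {`. Whether `hasToken` already tolerates non-string input is not visible in this hunk.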
@@ -141,11 +225,28 @@ function checkUserCanManageVideo (user: MUser, video: MVideoAccountLight, right:
 // ---------------------------------------------------------------------------
+async function checkUserQuota (user: MUserId, videoFileSize: number, res: Response) {
+ if (await isAbleToUploadVideo(user.id, videoFileSize) === false) {
+ res.fail({
+ status: HttpStatusCode.PAYLOAD_TOO_LARGE_413,
+ message: 'The user video quota is exceeded with this video.',
+ type: ServerErrorCode.QUOTA_REACHED
+ })
+ return false
+ }
+
+ return true
+}
+
+// ---------------------------------------------------------------------------
+
 export {
 doesVideoChannelOfAccountExist,
 doesVideoExist,
 doesVideoFileOfVideoExist,
+
+ checkCanAccessVideoStaticFiles,
 checkUserCanManageVideo,
- checkCanSeeVideoIfPrivate,
- checkCanSeePrivateVideo
+ checkCanSeeVideo,
+ checkUserQuota
 }