X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=server%2Fmiddlewares%2Fvalidators%2Fusers.ts;h=eceded1c4276efc0be4fd5e6f107cea1ae0e1de2;hb=22834691abb6e74d31654ffd2ebeaaaa8ef3ac7b;hp=5e8c8c29bc7fabe26d66a90f26e853da1f4f675a;hpb=0f6acda11681de90d38dd18669863c6e270851ee;p=github%2FChocobozzz%2FPeerTube.git

diff --git a/server/middlewares/validators/users.ts b/server/middlewares/validators/users.ts
index 5e8c8c29b..eceded1c4 100644
--- a/server/middlewares/validators/users.ts
+++ b/server/middlewares/validators/users.ts
@@ -14,7 +14,8 @@ import {
   isUserRoleValid,
   isUserUsernameValid,
   isUserVideoQuotaDailyValid,
-  isUserVideoQuotaValid, isUserVideosHistoryEnabledValid
+  isUserVideoQuotaValid,
+  isUserVideosHistoryEnabledValid
 } from '../../helpers/custom-validators/users'
 import { doesVideoExist } from '../../helpers/custom-validators/videos'
 import { logger } from '../../helpers/logger'
@@ -100,7 +101,7 @@ const usersBlockingValidator = [
 
 const deleteMeValidator = [
   async (req: express.Request, res: express.Response, next: express.NextFunction) => {
-    const user: UserModel = res.locals.oauth.token.User
+    const user = res.locals.oauth.token.User
     if (user.username === 'root') {
       return res.status(400)
                 .send({ error: 'You cannot delete your root account.' })
@@ -159,8 +160,7 @@ const usersUpdateMeValidator = [
                   .end()
       }
 
-      const user: UserModel = res.locals.oauth.token.User
-
+      const user = res.locals.oauth.token.User
       if (await user.isPasswordMatch(req.body.currentPassword) !== true) {
         return res.status(401)
                   .send({ error: 'currentPassword is invalid.' })
@@ -257,7 +257,7 @@ const usersResetPasswordValidator = [
     if (areValidationErrors(req, res)) return
     if (!await checkUserIdExist(req.params.id, res)) return
 
-    const user = res.locals.user as UserModel
+    const user = res.locals.user
     const redisVerificationString = await Redis.Instance.getResetPasswordLink(user.id)
 
     if (redisVerificationString !== req.body.verificationString) {
@@ -299,7 +299,7 @@ const usersVerifyEmailValidator = [
     if (areValidationErrors(req, res)) return
     if (!await checkUserIdExist(req.params.id, res)) return
 
-    const user = res.locals.user as UserModel
+    const user = res.locals.user
     const redisVerificationString = await Redis.Instance.getVerifyEmailLink(user.id)
 
     if (redisVerificationString !== req.body.verificationString) {
@@ -317,6 +317,20 @@ const userAutocompleteValidator = [
   param('search').isString().not().isEmpty().withMessage('Should have a search parameter')
 ]
 
+const ensureAuthUserOwnsAccountValidator = [
+  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
+    const user = res.locals.oauth.token.User
+
+    if (res.locals.account.id !== user.Account.id) {
+      return res.status(403)
+                .send({ error: 'Only owner can access ratings list.' })
+                .end()
+    }
+
+    return next()
+  }
+]
+
 // ---------------------------------------------------------------------------
 
 export {
@@ -335,7 +349,8 @@ export {
   usersResetPasswordValidator,
   usersAskSendVerifyEmailValidator,
   usersVerifyEmailValidator,
-  userAutocompleteValidator
+  userAutocompleteValidator,
+  ensureAuthUserOwnsAccountValidator
 }
 
 // ---------------------------------------------------------------------------