X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=server%2Fmiddlewares%2Fvalidators%2Fvideos%2Fvideo-comments.ts;h=133feb7bd4453ab09bb24b6f7f86892ff5cc21a2;hb=4f3814808791d8f380e75d152e0e14a01b758b9a;hp=ffde208b71209aa03b1e4c03e72a82330f64570e;hpb=97567dd81f508dd6295ac4d73d849aa2ce0a6549;p=github%2FChocobozzz%2FPeerTube.git diff --git a/server/middlewares/validators/videos/video-comments.ts b/server/middlewares/validators/videos/video-comments.ts index ffde208b7..133feb7bd 100644 --- a/server/middlewares/validators/videos/video-comments.ts +++ b/server/middlewares/validators/videos/video-comments.ts @@ -1,103 +1,152 @@ -import * as express from 'express' -import { body, param } from 'express-validator/check' -import { UserRight } from '../../../../shared' -import { isIdOrUUIDValid, isIdValid } from '../../../helpers/custom-validators/misc' +import express from 'express' +import { body, param, query } from 'express-validator' +import { MUserAccountUrl } from '@server/types/models' +import { HttpStatusCode, UserRight } from '@shared/models' +import { exists, isBooleanValid, isIdValid, toBooleanOrNull } from '../../../helpers/custom-validators/misc' import { isValidVideoCommentText } from '../../../helpers/custom-validators/video-comments' -import { doesVideoExist } from '../../../helpers/custom-validators/videos' import { logger } from '../../../helpers/logger' -import { UserModel } from '../../../models/account/user' -import { VideoModel } from '../../../models/video/video' -import { VideoCommentModel } from '../../../models/video/video-comment' -import { areValidationErrors } from '../utils' +import { AcceptResult, isLocalVideoCommentReplyAccepted, isLocalVideoThreadAccepted } from '../../../lib/moderation' +import { Hooks } from '../../../lib/plugins/hooks' +import { MCommentOwnerVideoReply, MVideo, MVideoFullLight } from '../../../types/models/video' +import { + areValidationErrors, + checkCanSeeVideo, + doesVideoCommentExist, + doesVideoCommentThreadExist, + doesVideoExist, + isValidVideoIdParam +} from '../shared' + +const listVideoCommentsValidator = [ + query('isLocal') + .optional() + .customSanitizer(toBooleanOrNull) + .custom(isBooleanValid) + .withMessage('Should have a valid isLocal boolean'), + + query('onLocalVideo') + .optional() + .customSanitizer(toBooleanOrNull) + .custom(isBooleanValid) + .withMessage('Should have a valid onLocalVideo boolean'), + + query('search') + .optional() + .custom(exists), + + query('searchAccount') + .optional() + .custom(exists), + + query('searchVideo') + .optional() + .custom(exists), + + (req: express.Request, res: express.Response, next: express.NextFunction) => { + if (areValidationErrors(req, res)) return + + return next() + } +] const listVideoCommentThreadsValidator = [ - param('videoId').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid videoId'), + isValidVideoIdParam('videoId'), async (req: express.Request, res: express.Response, next: express.NextFunction) => { - logger.debug('Checking listVideoCommentThreads parameters.', { parameters: req.params }) - if (areValidationErrors(req, res)) return if (!await doesVideoExist(req.params.videoId, res, 'only-video')) return + if (!await checkCanSeeVideo({ req, res, paramId: req.params.videoId, video: res.locals.onlyVideo })) return + return next() } ] const listVideoThreadCommentsValidator = [ - param('videoId').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid videoId'), - param('threadId').custom(isIdValid).not().isEmpty().withMessage('Should have a valid threadId'), + isValidVideoIdParam('videoId'), - async (req: express.Request, res: express.Response, next: express.NextFunction) => { - logger.debug('Checking listVideoThreadComments parameters.', { parameters: req.params }) + param('threadId') + .custom(isIdValid), + async (req: express.Request, res: express.Response, next: express.NextFunction) => { if (areValidationErrors(req, res)) return if (!await doesVideoExist(req.params.videoId, res, 'only-video')) return - if (!await doesVideoCommentThreadExist(req.params.threadId, res.locals.video, res)) return + if (!await doesVideoCommentThreadExist(req.params.threadId, res.locals.onlyVideo, res)) return + + if (!await checkCanSeeVideo({ req, res, paramId: req.params.videoId, video: res.locals.onlyVideo })) return return next() } ] const addVideoCommentThreadValidator = [ - param('videoId').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid videoId'), - body('text').custom(isValidVideoCommentText).not().isEmpty().withMessage('Should have a valid comment text'), + isValidVideoIdParam('videoId'), - async (req: express.Request, res: express.Response, next: express.NextFunction) => { - logger.debug('Checking addVideoCommentThread parameters.', { parameters: req.params, body: req.body }) + body('text') + .custom(isValidVideoCommentText), + async (req: express.Request, res: express.Response, next: express.NextFunction) => { if (areValidationErrors(req, res)) return if (!await doesVideoExist(req.params.videoId, res)) return - if (!isVideoCommentsEnabled(res.locals.video, res)) return + + if (!await checkCanSeeVideo({ req, res, paramId: req.params.videoId, video: res.locals.videoAll })) return + + if (!isVideoCommentsEnabled(res.locals.videoAll, res)) return + if (!await isVideoCommentAccepted(req, res, res.locals.videoAll, false)) return return next() } ] const addVideoCommentReplyValidator = [ - param('videoId').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid videoId'), - param('commentId').custom(isIdValid).not().isEmpty().withMessage('Should have a valid commentId'), - body('text').custom(isValidVideoCommentText).not().isEmpty().withMessage('Should have a valid comment text'), + isValidVideoIdParam('videoId'), - async (req: express.Request, res: express.Response, next: express.NextFunction) => { - logger.debug('Checking addVideoCommentReply parameters.', { parameters: req.params, body: req.body }) + param('commentId').custom(isIdValid), + + body('text').custom(isValidVideoCommentText), + async (req: express.Request, res: express.Response, next: express.NextFunction) => { if (areValidationErrors(req, res)) return if (!await doesVideoExist(req.params.videoId, res)) return - if (!isVideoCommentsEnabled(res.locals.video, res)) return - if (!await doesVideoCommentExist(req.params.commentId, res.locals.video, res)) return + + if (!await checkCanSeeVideo({ req, res, paramId: req.params.videoId, video: res.locals.videoAll })) return + + if (!isVideoCommentsEnabled(res.locals.videoAll, res)) return + if (!await doesVideoCommentExist(req.params.commentId, res.locals.videoAll, res)) return + if (!await isVideoCommentAccepted(req, res, res.locals.videoAll, true)) return return next() } ] const videoCommentGetValidator = [ - param('videoId').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid videoId'), - param('commentId').custom(isIdValid).not().isEmpty().withMessage('Should have a valid commentId'), + isValidVideoIdParam('videoId'), - async (req: express.Request, res: express.Response, next: express.NextFunction) => { - logger.debug('Checking videoCommentGetValidator parameters.', { parameters: req.params }) + param('commentId') + .custom(isIdValid), + async (req: express.Request, res: express.Response, next: express.NextFunction) => { if (areValidationErrors(req, res)) return if (!await doesVideoExist(req.params.videoId, res, 'id')) return - if (!await doesVideoCommentExist(req.params.commentId, res.locals.video, res)) return + if (!await doesVideoCommentExist(req.params.commentId, res.locals.videoId, res)) return return next() } ] const removeVideoCommentValidator = [ - param('videoId').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid videoId'), - param('commentId').custom(isIdValid).not().isEmpty().withMessage('Should have a valid commentId'), + isValidVideoIdParam('videoId'), - async (req: express.Request, res: express.Response, next: express.NextFunction) => { - logger.debug('Checking removeVideoCommentValidator parameters.', { parameters: req.params }) + param('commentId') + .custom(isIdValid), + async (req: express.Request, res: express.Response, next: express.NextFunction) => { if (areValidationErrors(req, res)) return if (!await doesVideoExist(req.params.videoId, res)) return - if (!await doesVideoCommentExist(req.params.commentId, res.locals.video, res)) return + if (!await doesVideoCommentExist(req.params.commentId, res.locals.videoAll, res)) return // Check if the user who did the request is able to delete the video - if (!checkUserCanDeleteVideoComment(res.locals.oauth.token.User, res.locals.videoComment, res)) return + if (!checkUserCanDeleteVideoComment(res.locals.oauth.token.User, res.locals.videoCommentFull, res)) return return next() } @@ -109,6 +158,7 @@ export { listVideoCommentThreadsValidator, listVideoThreadCommentsValidator, addVideoCommentThreadValidator, + listVideoCommentsValidator, addVideoCommentReplyValidator, videoCommentGetValidator, removeVideoCommentValidator @@ -116,78 +166,77 @@ export { // --------------------------------------------------------------------------- -async function doesVideoCommentThreadExist (id: number, video: VideoModel, res: express.Response) { - const videoComment = await VideoCommentModel.loadById(id) - - if (!videoComment) { - res.status(404) - .json({ error: 'Video comment thread not found' }) - .end() - - return false - } - - if (videoComment.videoId !== video.id) { - res.status(400) - .json({ error: 'Video comment is associated to this video.' }) - .end() - - return false - } - - if (videoComment.inReplyToCommentId !== null) { - res.status(400) - .json({ error: 'Video comment is not a thread.' }) - .end() - +function isVideoCommentsEnabled (video: MVideo, res: express.Response) { + if (video.commentsEnabled !== true) { + res.fail({ + status: HttpStatusCode.CONFLICT_409, + message: 'Video comments are disabled for this video.' + }) return false } - res.locals.videoCommentThread = videoComment return true } -async function doesVideoCommentExist (id: number, video: VideoModel, res: express.Response) { - const videoComment = await VideoCommentModel.loadByIdAndPopulateVideoAndAccountAndReply(id) - - if (!videoComment) { - res.status(404) - .json({ error: 'Video comment thread not found' }) - .end() - +function checkUserCanDeleteVideoComment (user: MUserAccountUrl, videoComment: MCommentOwnerVideoReply, res: express.Response) { + if (videoComment.isDeleted()) { + res.fail({ + status: HttpStatusCode.CONFLICT_409, + message: 'This comment is already deleted' + }) return false } - if (videoComment.videoId !== video.id) { - res.status(400) - .json({ error: 'Video comment is associated to this video.' }) - .end() - + const userAccount = user.Account + + if ( + user.hasRight(UserRight.REMOVE_ANY_VIDEO_COMMENT) === false && // Not a moderator + videoComment.accountId !== userAccount.id && // Not the comment owner + videoComment.Video.VideoChannel.accountId !== userAccount.id // Not the video owner + ) { + res.fail({ + status: HttpStatusCode.FORBIDDEN_403, + message: 'Cannot remove video comment of another user' + }) return false } - res.locals.videoComment = videoComment return true } -function isVideoCommentsEnabled (video: VideoModel, res: express.Response) { - if (video.commentsEnabled !== true) { - res.status(409) - .json({ error: 'Video comments are disabled for this video.' }) - .end() +async function isVideoCommentAccepted (req: express.Request, res: express.Response, video: MVideoFullLight, isReply: boolean) { + const acceptParameters = { + video, + commentBody: req.body, + user: res.locals.oauth.token.User, + req + } - return false + let acceptedResult: AcceptResult + + if (isReply) { + const acceptReplyParameters = Object.assign(acceptParameters, { parentComment: res.locals.videoCommentFull }) + + acceptedResult = await Hooks.wrapFun( + isLocalVideoCommentReplyAccepted, + acceptReplyParameters, + 'filter:api.video-comment-reply.create.accept.result' + ) + } else { + acceptedResult = await Hooks.wrapFun( + isLocalVideoThreadAccepted, + acceptParameters, + 'filter:api.video-thread.create.accept.result' + ) } - return true -} + if (!acceptedResult || acceptedResult.accepted !== true) { + logger.info('Refused local comment.', { acceptedResult, acceptParameters }) -function checkUserCanDeleteVideoComment (user: UserModel, videoComment: VideoCommentModel, res: express.Response) { - const account = videoComment.Account - if (user.hasRight(UserRight.REMOVE_ANY_VIDEO_COMMENT) === false && account.userId !== user.id) { - res.status(403) - .json({ error: 'Cannot remove video comment of another user' }) - .end() + res.fail({ + status: HttpStatusCode.FORBIDDEN_403, + message: acceptedResult?.errorMessage || 'Comment has been rejected.' + }) return false }