From 2c627c154e2bfe6af2e0f45efb27faf4117572f3 Mon Sep 17 00:00:00 2001
From: kontrollanten <6680299+kontrollanten@users.noreply.github.com>
Date: Thu, 9 Dec 2021 23:58:08 +0100
Subject: [PATCH] user-right: moderator can't manage admins channel
---
 server/middlewares/user-right.ts | 10 +++++++++-
 server/tests/api/videos/video-channels.ts | 24 ++++++++++++++++++++++-
 2 files changed, 32 insertions(+), 2 deletions(-)
diff --git a/server/middlewares/user-right.ts b/server/middlewares/user-right.ts
index aa623c837..c2a5bbdbe 100644
--- a/server/middlewares/user-right.ts
+++ b/server/middlewares/user-right.ts
@@ -1,5 +1,5 @@
 import express from 'express'
-import { UserRight } from '../../shared'
+import { UserRight, UserRole } from '../../shared'
 import { HttpStatusCode } from '../../shared/models/http/http-error-codes'
 import { logger } from '../helpers/logger'
@@ -34,6 +34,14 @@ async function ensureUserCanManageChannel (req: express.Request, res: express.Re
     })
   }
+  const onUser = await res.locals.videoChannel.Account.$get('User')
+  if (user.role === UserRole.MODERATOR && onUser.role === UserRole.ADMINISTRATOR) {
+    return res.fail({
+      status: HttpStatusCode.FORBIDDEN_403,
+      message: 'A moderator can\'t manage an admins video channel.'
+    })
+  }
+
   return next()
 }
diff --git a/server/tests/api/videos/video-channels.ts b/server/tests/api/videos/video-channels.ts
index 6ab5faa07..25fea4791 100644
--- a/server/tests/api/videos/video-channels.ts
+++ b/server/tests/api/videos/video-channels.ts
@@ -16,7 +16,7 @@ import {
   wait,
   waitJobs
 } from '@shared/extra-utils'
-import { User, VideoChannel } from '@shared/models'
+import { HttpStatusCode, User, UserRole, VideoChannel } from '@shared/models'
 const expect = chai.expect
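Review bot: `onUser` is dereferenced with no null check on the line right after the `$get('User')` call in ensureUserCanManageChannel; if a channel's account has no attached user row (which looks possible for accounts that are not local — to be confirmed against the Account model), `onUser.role` throws and the request ends as a 500 instead of a clean 403 or a pass-through to the existing checks. Writing the condition as `if (user.role === UserRole.MODERATOR && onUser?.role === UserRole.ADMINISTRATOR)` keeps the intended deny for admin-owned channels and lets every other case fall through unchanged. The lookup is also issued unconditionally, even when the caller is the owner or an administrator, although its result is only consulted for moderators; wrapping the `$get` in `if (user.role === UserRole.MODERATOR) { ... }` avoids a database round trip on every other request. The message would read better as `'A moderator can\'t manage an admin\'s video channel.'`. The function starts outside the hunk, so whether `user` has already been validated before this point is not visible here.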
@@ -407,6 +407,28 @@ describe('Test video channels', function () {
     expect(body.data[1].displayName).to.equal('video channel updated')
   })
+  it('Should not allow moderator to update an admins video channel', async function () {
+    this.timeout(15000)
+
+    const { token: moderatorToken } = await servers[0].users.generate('moderator1', UserRole.MODERATOR)
+    const result = await servers[0].users.generate('admin_user', UserRole.ADMINISTRATOR)
+
+    await servers[0].videos.quickUpload({ name: 'video', token: result.token })
+
+    const videoChannelAttributes = {
+      displayName: 'video channel updated',
+      description: 'video channel description updated',
+      support: 'support updated'
+    }
+
+    await servers[0].channels.update({
+      channelName: result.userChannelName,
+      attributes: videoChannelAttributes,
+      expectedStatus: HttpStatusCode.FORBIDDEN_403,
+      token: moderatorToken
+    })
+  })
+
   it('Should create the main channel with an uuid if there is a conflict', async function () {
     {
       const videoChannel = { name: 'toto_channel', displayName: 'My toto channel' }
-- 
2.41.0
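Review bot: The new test pins only the deny path; nothing asserts that a moderator can still update a channel owned by a regular user, so a regression that makes the new branch in ensureUserCanManageChannel too broad (for instance rejecting every non-owner) would still pass this suite. A companion case that generates a user with `UserRole.USER` and calls `servers[0].channels.update` with `token: moderatorToken`, expecting the same success status the existing update tests use, would lock in both sides of the rule. The `servers[0].videos.quickUpload` call with the admin token does not feed the assertion, since `result.userChannelName` already exists once the user is generated; it appears to be leftover setup that only lengthens the test, though that is inferred from the visible lines. The enclosing describe block starts and ends outside the hunk.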