From d4d9bbc6f24522f5d63b0ab105a02f80ca98d702 Mon Sep 17 00:00:00 2001 From: Chocobozzz Date: Wed, 7 Sep 2022 17:18:29 +0200 Subject: [PATCH] Fix channel sync right check --- server/controllers/api/accounts.ts | 6 +++--- server/controllers/api/users/index.ts | 10 +++++----- server/controllers/api/video-channel-sync.ts | 6 +++--- server/controllers/api/video-channel.ts | 18 +++++++++--------- server/middlewares/validators/users.ts | 15 ++++++++------- 5 files changed, 28 insertions(+), 27 deletions(-) diff --git a/server/controllers/api/accounts.ts b/server/controllers/api/accounts.ts index 7a530cde5..2d86d393c 100644 --- a/server/controllers/api/accounts.ts +++ b/server/controllers/api/accounts.ts @@ -3,6 +3,7 @@ import { pickCommonVideoQuery } from '@server/helpers/query' import { ActorFollowModel } from '@server/models/actor/actor-follow' import { getServerActor } from '@server/models/application/application' import { guessAdditionalAttributesFromQuery } from '@server/models/video/formatter/video-format-utils' +import { VideoChannelSyncModel } from '@server/models/video/video-channel-sync' import { buildNSFWFilter, getCountVideos, isUserAbleToSearchRemoteURI } from '../../helpers/express-utils' import { getFormattedObjects } from '../../helpers/utils' import { JobQueue } from '../../lib/job-queue' @@ -25,7 +26,7 @@ import { accountsFollowersSortValidator, accountsSortValidator, ensureAuthUserOwnsAccountValidator, - ensureCanManageUser, + ensureCanManageChannelOrAccount, videoChannelsSortValidator, videoChannelStatsValidator, videoChannelSyncsSortValidator, @@ -37,7 +38,6 @@ import { AccountVideoRateModel } from '../../models/account/account-video-rate' import { VideoModel } from '../../models/video/video' import { VideoChannelModel } from '../../models/video/video-channel' import { VideoPlaylistModel } from '../../models/video/video-playlist' -import { VideoChannelSyncModel } from '@server/models/video/video-channel-sync' const accountsRouter = express.Router() 
@@ -78,7 +78,7 @@ accountsRouter.get('/:accountName/video-channels', accountsRouter.get('/:accountName/video-channel-syncs', authenticate, asyncMiddleware(accountNameWithHostGetValidator), - ensureCanManageUser, + ensureCanManageChannelOrAccount, paginationValidator, videoChannelSyncsSortValidator, setDefaultSort, diff --git a/server/controllers/api/users/index.ts b/server/controllers/api/users/index.ts index 7761ba602..0b27d5277 100644 --- a/server/controllers/api/users/index.ts +++ b/server/controllers/api/users/index.ts @@ -36,7 +36,7 @@ import { usersUpdateValidator } from '../../../middlewares' import { - ensureCanManageUser, + ensureCanModerateUser, usersAskResetPasswordValidator, usersAskSendVerifyEmailValidator, usersBlockingValidator, @@ -95,14 +95,14 @@ usersRouter.post('/:id/block', authenticate, ensureUserHasRight(UserRight.MANAGE_USERS), asyncMiddleware(usersBlockingValidator), - ensureCanManageUser, + ensureCanModerateUser, asyncMiddleware(blockUser) ) usersRouter.post('/:id/unblock', authenticate, ensureUserHasRight(UserRight.MANAGE_USERS), asyncMiddleware(usersBlockingValidator), - ensureCanManageUser, + ensureCanModerateUser, asyncMiddleware(unblockUser) ) @@ -132,7 +132,7 @@ usersRouter.put('/:id', authenticate, ensureUserHasRight(UserRight.MANAGE_USERS), asyncMiddleware(usersUpdateValidator), - ensureCanManageUser, + ensureCanModerateUser, asyncMiddleware(updateUser) ) @@ -140,7 +140,7 @@ usersRouter.delete('/:id', authenticate, ensureUserHasRight(UserRight.MANAGE_USERS), asyncMiddleware(usersRemoveValidator), - ensureCanManageUser, + ensureCanModerateUser, asyncMiddleware(removeUser) ) diff --git a/server/controllers/api/video-channel-sync.ts b/server/controllers/api/video-channel-sync.ts index c2770b8e4..03c54b59c 100644 --- a/server/controllers/api/video-channel-sync.ts +++ b/server/controllers/api/video-channel-sync.ts 
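Review bot: The `/:accountName/video-channel-syncs` route in `server/controllers/api/accounts.ts` (hunk `@@ -78,7 +78,7 @@`) now runs a different authorization middleware, but the diffstat lists only controller and middleware files, so no test in this commit pins the corrected behaviour. A regression test would keep the check from regressing silently: request another account's syncs as a user without `UserRight.MANAGE_ANY_VIDEO_CHANNEL` and expect 403, then check that the owner and a privileged user are allowed. The new middleware also appears to depend on `accountNameWithHostGetValidator` having populated `res.locals.account` before it runs. A comment above the route would make that ordering explicit, for example `// ensureCanManageChannelOrAccount reads res.locals.account set by accountNameWithHostGetValidator: keep this order`. The route definition continues past the end of the hunk.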
@@ -5,7 +5,7 @@ import { asyncMiddleware, asyncRetryTransactionMiddleware, authenticate, - ensureCanManageChannel as ensureCanManageSyncedChannel, + ensureCanManageChannelOrAccount, ensureSyncExists, ensureSyncIsEnabled, videoChannelSyncValidator @@ -21,14 +21,14 @@ videoChannelSyncRouter.post('/', authenticate, ensureSyncIsEnabled, asyncMiddleware(videoChannelSyncValidator), - ensureCanManageSyncedChannel, + ensureCanManageChannelOrAccount, asyncRetryTransactionMiddleware(createVideoChannelSync) ) videoChannelSyncRouter.delete('/:id', authenticate, asyncMiddleware(ensureSyncExists), - ensureCanManageSyncedChannel, + ensureCanManageChannelOrAccount, asyncRetryTransactionMiddleware(removeVideoChannelSync) ) diff --git a/server/controllers/api/video-channel.ts b/server/controllers/api/video-channel.ts index 94285a78d..d7c92952a 100644 --- a/server/controllers/api/video-channel.ts +++ b/server/controllers/api/video-channel.ts @@ -23,7 +23,7 @@ import { asyncRetryTransactionMiddleware, authenticate, commonVideosFiltersValidator, - ensureCanManageChannel, + ensureCanManageChannelOrAccount, optionalAuthenticate, paginationValidator, setDefaultPagination, @@ -77,7 +77,7 @@ videoChannelRouter.post('/:nameWithHost/avatar/pick', reqAvatarFile, asyncMiddleware(videoChannelsNameWithHostValidator), ensureIsLocalChannel, - ensureCanManageChannel, + ensureCanManageChannelOrAccount, updateAvatarValidator, asyncMiddleware(updateVideoChannelAvatar) ) @@ -87,7 +87,7 @@ videoChannelRouter.post('/:nameWithHost/banner/pick', reqBannerFile, asyncMiddleware(videoChannelsNameWithHostValidator), ensureIsLocalChannel, - ensureCanManageChannel, + ensureCanManageChannelOrAccount, updateBannerValidator, asyncMiddleware(updateVideoChannelBanner) ) 
@@ -96,7 +96,7 @@ videoChannelRouter.delete('/:nameWithHost/avatar', authenticate, asyncMiddleware(videoChannelsNameWithHostValidator), ensureIsLocalChannel, - ensureCanManageChannel, + ensureCanManageChannelOrAccount, asyncMiddleware(deleteVideoChannelAvatar) ) @@ -104,7 +104,7 @@ videoChannelRouter.delete('/:nameWithHost/banner', authenticate, asyncMiddleware(videoChannelsNameWithHostValidator), ensureIsLocalChannel, - ensureCanManageChannel, + ensureCanManageChannelOrAccount, asyncMiddleware(deleteVideoChannelBanner) ) @@ -112,7 +112,7 @@ videoChannelRouter.put('/:nameWithHost', authenticate, asyncMiddleware(videoChannelsNameWithHostValidator), ensureIsLocalChannel, - ensureCanManageChannel, + ensureCanManageChannelOrAccount, videoChannelsUpdateValidator, asyncRetryTransactionMiddleware(updateVideoChannel) ) @@ -121,7 +121,7 @@ videoChannelRouter.delete('/:nameWithHost', authenticate, asyncMiddleware(videoChannelsNameWithHostValidator), ensureIsLocalChannel, - ensureCanManageChannel, + ensureCanManageChannelOrAccount, asyncMiddleware(videoChannelsRemoveValidator), asyncRetryTransactionMiddleware(removeVideoChannel) ) @@ -155,7 +155,7 @@ videoChannelRouter.get('/:nameWithHost/videos', videoChannelRouter.get('/:nameWithHost/followers', authenticate, asyncMiddleware(videoChannelsNameWithHostValidator), - ensureCanManageChannel, + ensureCanManageChannelOrAccount, paginationValidator, videoChannelsFollowersSortValidator, setDefaultSort, @@ -168,7 +168,7 @@ videoChannelRouter.post('/:nameWithHost/import-videos', asyncMiddleware(videoChannelsNameWithHostValidator), asyncMiddleware(videoChannelImportVideosValidator), ensureIsLocalChannel, - ensureCanManageChannel, + ensureCanManageChannelOrAccount, asyncMiddleware(ensureChannelOwnerCanUpload), asyncMiddleware(importVideosInChannel) ) diff --git a/server/middlewares/validators/users.ts b/server/middlewares/validators/users.ts index 282034f6d..2de5265fb 100644 --- a/server/middlewares/validators/users.ts 
+++ b/server/middlewares/validators/users.ts @@ -507,13 +507,14 @@ const ensureAuthUserOwnsAccountValidator = [ } ] -const ensureCanManageChannel = [ +const ensureCanManageChannelOrAccount = [ (req: express.Request, res: express.Response, next: express.NextFunction) => { const user = res.locals.oauth.token.user - const isUserOwner = res.locals.videoChannel.Account.userId === user.id + const account = res.locals.videoChannel?.Account ?? res.locals.account + const isUserOwner = account.userId === user.id if (!isUserOwner && user.hasRight(UserRight.MANAGE_ANY_VIDEO_CHANNEL) === false) { - const message = `User ${user.username} does not have right to manage channel ${req.params.nameWithHost}.` + const message = `User ${user.username} does not have right this channel or account.` return res.fail({ status: HttpStatusCode.FORBIDDEN_403, @@ -525,7 +526,7 @@ const ensureCanManageChannel = [ } ] -const ensureCanManageUser = [ +const ensureCanModerateUser = [ (req: express.Request, res: express.Response, next: express.NextFunction) => { const authUser = res.locals.oauth.token.User const onUser = res.locals.user @@ -535,7 +536,7 @@ const ensureCanManageUser = [ return res.fail({ status: HttpStatusCode.FORBIDDEN_403, - message: 'A moderator can only manager users.' + message: 'A moderator can only manage users.' }) } ] @@ -562,8 +563,8 @@ export { usersVerifyEmailValidator, userAutocompleteValidator, ensureAuthUserOwnsAccountValidator, - ensureCanManageUser, - ensureCanManageChannel + ensureCanModerateUser, + ensureCanManageChannelOrAccount } // --------------------------------------------------------------------------- -- 2.41.0
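Review bot: In `ensureCanManageChannelOrAccount` (hunk `@@ -507,13 +507,14 @@` of `server/middlewares/validators/users.ts`), `account` is dereferenced without a check, so a request that reaches this middleware with neither `res.locals.videoChannel` nor `res.locals.account` set throws a TypeError on `account.userId` instead of answering 403. The middleware is now shared by the channel, sync and account routes and relies on whichever validator ran before it (for example `ensureSyncExists` on `DELETE /:id`, whose body is not in this diff), so an explicit fail-closed guard is safer: `if (!account) return res.fail({ status: HttpStatusCode.FORBIDDEN_403, message: 'Cannot determine the owner of this resource.' })`. The new error message also lost its verb and no longer names the target; ``const message = `User ${user.username} does not have right to manage this channel or account.` `` reads correctly. Separately, this function reads `res.locals.oauth.token.user` while `ensureCanModerateUser` in the following hunk reads `res.locals.oauth.token.User`; if both properties are not guaranteed to be populated, it is worth aligning them.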