From f8aa0154b6638cee878db312918b03332d49e458 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Isma=C3=ABl=20Bouya?= <ismael.bouya@normalesup.org>
Date: Wed, 20 Jan 2021 23:39:51 +0100
Subject: [PATCH] Forbid video deletion or ownership change for non-admin

---
 .../app/+my-library/my-videos/my-videos.component.html |  4 ----
 .../app/+my-library/my-videos/my-videos.component.ts   | 10 ----------
 client/src/app/shared/shared-main/video/video.model.ts |  2 +-
 server/controllers/api/videos/index.ts                 |  3 +++
 4 files changed, 4 insertions(+), 15 deletions(-)

diff --git a/client/src/app/+my-library/my-videos/my-videos.component.html b/client/src/app/+my-library/my-videos/my-videos.component.html
index 977f7b03b..7f9fc9de8 100644
--- a/client/src/app/+my-library/my-videos/my-videos.component.html
+++ b/client/src/app/+my-library/my-videos/my-videos.component.html
@@ -38,10 +38,6 @@
   #videosSelection
 >
   <ng-template ptTemplate="globalButtons">
-    <span class="action-button action-button-delete-selection" (click)="deleteSelectedVideos()">
-      <my-global-icon iconName="delete" aria-hidden="true"></my-global-icon>
-      <ng-container i18n>Delete</ng-container>
-    </span>
   </ng-template>
 
   <ng-template ptTemplate="rowButtons" let-video>
diff --git a/client/src/app/+my-library/my-videos/my-videos.component.ts b/client/src/app/+my-library/my-videos/my-videos.component.ts
index e89bb12e1..990f85693 100644
--- a/client/src/app/+my-library/my-videos/my-videos.component.ts
+++ b/client/src/app/+my-library/my-videos/my-videos.component.ts
@@ -162,16 +162,6 @@ export class MyVideosComponent implements OnInit, DisableForReuseHook {
         handler: ({ video }) => this.displayLiveInformation(video),
         isDisplayed: ({ video }) => video.isLive,
         iconName: 'live'
-      },
-      {
-        label: $localize`Change ownership`,
-        handler: ({ video }) => this.changeOwnership(video),
-        iconName: 'ownership-change'
-      },
-      {
-        label: $localize`Delete`,
-        handler: ({ video }) => this.deleteVideo(video),
-        iconName: 'delete'
       }
     ]
   }
diff --git a/client/src/app/shared/shared-main/video/video.model.ts b/client/src/app/shared/shared-main/video/video.model.ts
index adb6e884f..d51dfbc6d 100644
--- a/client/src/app/shared/shared-main/video/video.model.ts
+++ b/client/src/app/shared/shared-main/video/video.model.ts
@@ -180,7 +180,7 @@ export class Video implements VideoServerModel {
   }
 
   isRemovableBy (user: AuthUser) {
-    return user && this.isLocal === true && (this.account.name === user.username || user.hasRight(UserRight.REMOVE_ANY_VIDEO))
+    return user && this.isLocal === true && user.hasRight(UserRight.REMOVE_ANY_VIDEO)
   }
 
   isBlockableBy (user: AuthUser) {
diff --git a/server/controllers/api/videos/index.ts b/server/controllers/api/videos/index.ts
index e1c775180..1cbefc3e5 100644
--- a/server/controllers/api/videos/index.ts
+++ b/server/controllers/api/videos/index.ts
@@ -41,6 +41,7 @@ import {
   asyncMiddleware,
   asyncRetryTransactionMiddleware,
   authenticate,
+  ensureUserHasRight,
   checkVideoFollowConstraints,
   commonVideosFiltersValidator,
   optionalAuthenticate,
@@ -56,6 +57,7 @@ import {
   videosUpdateValidator
 } from '../../../middlewares'
 import { ScheduleVideoUpdateModel } from '../../../models/video/schedule-video-update'
+import { UserRight } from '../../../../shared'
 import { VideoModel } from '../../../models/video/video'
 import { VideoFileModel } from '../../../models/video/video-file'
 import { blacklistRouter } from './blacklist'
@@ -146,6 +148,7 @@ videosRouter.post('/:id/views',
 
 videosRouter.delete('/:id',
   authenticate,
+  ensureUserHasRight(UserRight.REMOVE_ANY_VIDEO),
   asyncMiddleware(videosRemoveValidator),
   asyncRetryTransactionMiddleware(removeVideo)
 )
-- 
2.41.0