diff options
| author | Chocobozzz <me@florianbigard.com> | 2022-09-07 17:18:29 +0200 |
|---|---|---|
| committer | Chocobozzz <me@florianbigard.com> | 2022-09-08 08:41:48 +0200 |
| commit | d4d9bbc6f24522f5d63b0ab105a02f80ca98d702 (patch) | |
| tree | 9e7e5e5170cea36a489f6c988df892a34c886937 | |
| parent | 8b69f9f02879ee3cf72bc9d4aa96cc71f18e6eea (diff) | |
| download | PeerTube-d4d9bbc6f24522f5d63b0ab105a02f80ca98d702.tar.gz PeerTube-d4d9bbc6f24522f5d63b0ab105a02f80ca98d702.tar.zst PeerTube-d4d9bbc6f24522f5d63b0ab105a02f80ca98d702.zip | |
Fix channel sync right check
| -rw-r--r-- | server/controllers/api/accounts.ts | 6 | ||||
| -rw-r--r-- | server/controllers/api/users/index.ts | 10 | ||||
| -rw-r--r-- | server/controllers/api/video-channel-sync.ts | 6 | ||||
| -rw-r--r-- | server/controllers/api/video-channel.ts | 18 | ||||
| -rw-r--r-- | server/middlewares/validators/users.ts | 15 |
5 files changed, 28 insertions, 27 deletions
diff --git a/server/controllers/api/accounts.ts b/server/controllers/api/accounts.ts index 7a530cde5..2d86d393c 100644 --- a/server/controllers/api/accounts.ts +++ b/server/controllers/api/accounts.ts | |||
| @@ -3,6 +3,7 @@ import { pickCommonVideoQuery } from '@server/helpers/query' | |||
| 3 | import { ActorFollowModel } from '@server/models/actor/actor-follow' | 3 | import { ActorFollowModel } from '@server/models/actor/actor-follow' |
| 4 | import { getServerActor } from '@server/models/application/application' | 4 | import { getServerActor } from '@server/models/application/application' |
| 5 | import { guessAdditionalAttributesFromQuery } from '@server/models/video/formatter/video-format-utils' | 5 | import { guessAdditionalAttributesFromQuery } from '@server/models/video/formatter/video-format-utils' |
| 6 | import { VideoChannelSyncModel } from '@server/models/video/video-channel-sync' | ||
| 6 | import { buildNSFWFilter, getCountVideos, isUserAbleToSearchRemoteURI } from '../../helpers/express-utils' | 7 | import { buildNSFWFilter, getCountVideos, isUserAbleToSearchRemoteURI } from '../../helpers/express-utils' |
| 7 | import { getFormattedObjects } from '../../helpers/utils' | 8 | import { getFormattedObjects } from '../../helpers/utils' |
| 8 | import { JobQueue } from '../../lib/job-queue' | 9 | import { JobQueue } from '../../lib/job-queue' |
| @@ -25,7 +26,7 @@ import { | |||
| 25 | accountsFollowersSortValidator, | 26 | accountsFollowersSortValidator, |
| 26 | accountsSortValidator, | 27 | accountsSortValidator, |
| 27 | ensureAuthUserOwnsAccountValidator, | 28 | ensureAuthUserOwnsAccountValidator, |
| 28 | ensureCanManageUser, | 29 | ensureCanManageChannelOrAccount, |
| 29 | videoChannelsSortValidator, | 30 | videoChannelsSortValidator, |
| 30 | videoChannelStatsValidator, | 31 | videoChannelStatsValidator, |
| 31 | videoChannelSyncsSortValidator, | 32 | videoChannelSyncsSortValidator, |
| @@ -37,7 +38,6 @@ import { AccountVideoRateModel } from '../../models/account/account-video-rate' | |||
| 37 | import { VideoModel } from '../../models/video/video' | 38 | import { VideoModel } from '../../models/video/video' |
| 38 | import { VideoChannelModel } from '../../models/video/video-channel' | 39 | import { VideoChannelModel } from '../../models/video/video-channel' |
| 39 | import { VideoPlaylistModel } from '../../models/video/video-playlist' | 40 | import { VideoPlaylistModel } from '../../models/video/video-playlist' |
| 40 | import { VideoChannelSyncModel } from '@server/models/video/video-channel-sync' | ||
| 41 | 41 | ||
| 42 | const accountsRouter = express.Router() | 42 | const accountsRouter = express.Router() |
| 43 | 43 | ||
| @@ -78,7 +78,7 @@ accountsRouter.get('/:accountName/video-channels', | |||
| 78 | accountsRouter.get('/:accountName/video-channel-syncs', | 78 | accountsRouter.get('/:accountName/video-channel-syncs', |
| 79 | authenticate, | 79 | authenticate, |
| 80 | asyncMiddleware(accountNameWithHostGetValidator), | 80 | asyncMiddleware(accountNameWithHostGetValidator), |
| 81 | ensureCanManageUser, | 81 | ensureCanManageChannelOrAccount, |
| 82 | paginationValidator, | 82 | paginationValidator, |
| 83 | videoChannelSyncsSortValidator, | 83 | videoChannelSyncsSortValidator, |
| 84 | setDefaultSort, | 84 | setDefaultSort, |
diff --git a/server/controllers/api/users/index.ts b/server/controllers/api/users/index.ts index 7761ba602..0b27d5277 100644 --- a/server/controllers/api/users/index.ts +++ b/server/controllers/api/users/index.ts | |||
| @@ -36,7 +36,7 @@ import { | |||
| 36 | usersUpdateValidator | 36 | usersUpdateValidator |
| 37 | } from '../../../middlewares' | 37 | } from '../../../middlewares' |
| 38 | import { | 38 | import { |
| 39 | ensureCanManageUser, | 39 | ensureCanModerateUser, |
| 40 | usersAskResetPasswordValidator, | 40 | usersAskResetPasswordValidator, |
| 41 | usersAskSendVerifyEmailValidator, | 41 | usersAskSendVerifyEmailValidator, |
| 42 | usersBlockingValidator, | 42 | usersBlockingValidator, |
| @@ -95,14 +95,14 @@ usersRouter.post('/:id/block', | |||
| 95 | authenticate, | 95 | authenticate, |
| 96 | ensureUserHasRight(UserRight.MANAGE_USERS), | 96 | ensureUserHasRight(UserRight.MANAGE_USERS), |
| 97 | asyncMiddleware(usersBlockingValidator), | 97 | asyncMiddleware(usersBlockingValidator), |
| 98 | ensureCanManageUser, | 98 | ensureCanModerateUser, |
| 99 | asyncMiddleware(blockUser) | 99 | asyncMiddleware(blockUser) |
| 100 | ) | 100 | ) |
| 101 | usersRouter.post('/:id/unblock', | 101 | usersRouter.post('/:id/unblock', |
| 102 | authenticate, | 102 | authenticate, |
| 103 | ensureUserHasRight(UserRight.MANAGE_USERS), | 103 | ensureUserHasRight(UserRight.MANAGE_USERS), |
| 104 | asyncMiddleware(usersBlockingValidator), | 104 | asyncMiddleware(usersBlockingValidator), |
| 105 | ensureCanManageUser, | 105 | ensureCanModerateUser, |
| 106 | asyncMiddleware(unblockUser) | 106 | asyncMiddleware(unblockUser) |
| 107 | ) | 107 | ) |
| 108 | 108 | ||
| @@ -132,7 +132,7 @@ usersRouter.put('/:id', | |||
| 132 | authenticate, | 132 | authenticate, |
| 133 | ensureUserHasRight(UserRight.MANAGE_USERS), | 133 | ensureUserHasRight(UserRight.MANAGE_USERS), |
| 134 | asyncMiddleware(usersUpdateValidator), | 134 | asyncMiddleware(usersUpdateValidator), |
| 135 | ensureCanManageUser, | 135 | ensureCanModerateUser, |
| 136 | asyncMiddleware(updateUser) | 136 | asyncMiddleware(updateUser) |
| 137 | ) | 137 | ) |
| 138 | 138 | ||
| @@ -140,7 +140,7 @@ usersRouter.delete('/:id', | |||
| 140 | authenticate, | 140 | authenticate, |
| 141 | ensureUserHasRight(UserRight.MANAGE_USERS), | 141 | ensureUserHasRight(UserRight.MANAGE_USERS), |
| 142 | asyncMiddleware(usersRemoveValidator), | 142 | asyncMiddleware(usersRemoveValidator), |
| 143 | ensureCanManageUser, | 143 | ensureCanModerateUser, |
| 144 | asyncMiddleware(removeUser) | 144 | asyncMiddleware(removeUser) |
| 145 | ) | 145 | ) |
| 146 | 146 | ||
diff --git a/server/controllers/api/video-channel-sync.ts b/server/controllers/api/video-channel-sync.ts index c2770b8e4..03c54b59c 100644 --- a/server/controllers/api/video-channel-sync.ts +++ b/server/controllers/api/video-channel-sync.ts | |||
| @@ -5,7 +5,7 @@ import { | |||
| 5 | asyncMiddleware, | 5 | asyncMiddleware, |
| 6 | asyncRetryTransactionMiddleware, | 6 | asyncRetryTransactionMiddleware, |
| 7 | authenticate, | 7 | authenticate, |
| 8 | ensureCanManageChannel as ensureCanManageSyncedChannel, | 8 | ensureCanManageChannelOrAccount, |
| 9 | ensureSyncExists, | 9 | ensureSyncExists, |
| 10 | ensureSyncIsEnabled, | 10 | ensureSyncIsEnabled, |
| 11 | videoChannelSyncValidator | 11 | videoChannelSyncValidator |
| @@ -21,14 +21,14 @@ videoChannelSyncRouter.post('/', | |||
| 21 | authenticate, | 21 | authenticate, |
| 22 | ensureSyncIsEnabled, | 22 | ensureSyncIsEnabled, |
| 23 | asyncMiddleware(videoChannelSyncValidator), | 23 | asyncMiddleware(videoChannelSyncValidator), |
| 24 | ensureCanManageSyncedChannel, | 24 | ensureCanManageChannelOrAccount, |
| 25 | asyncRetryTransactionMiddleware(createVideoChannelSync) | 25 | asyncRetryTransactionMiddleware(createVideoChannelSync) |
| 26 | ) | 26 | ) |
| 27 | 27 | ||
| 28 | videoChannelSyncRouter.delete('/:id', | 28 | videoChannelSyncRouter.delete('/:id', |
| 29 | authenticate, | 29 | authenticate, |
| 30 | asyncMiddleware(ensureSyncExists), | 30 | asyncMiddleware(ensureSyncExists), |
| 31 | ensureCanManageSyncedChannel, | 31 | ensureCanManageChannelOrAccount, |
| 32 | asyncRetryTransactionMiddleware(removeVideoChannelSync) | 32 | asyncRetryTransactionMiddleware(removeVideoChannelSync) |
| 33 | ) | 33 | ) |
| 34 | 34 | ||
diff --git a/server/controllers/api/video-channel.ts b/server/controllers/api/video-channel.ts index 94285a78d..d7c92952a 100644 --- a/server/controllers/api/video-channel.ts +++ b/server/controllers/api/video-channel.ts | |||
| @@ -23,7 +23,7 @@ import { | |||
| 23 | asyncRetryTransactionMiddleware, | 23 | asyncRetryTransactionMiddleware, |
| 24 | authenticate, | 24 | authenticate, |
| 25 | commonVideosFiltersValidator, | 25 | commonVideosFiltersValidator, |
| 26 | ensureCanManageChannel, | 26 | ensureCanManageChannelOrAccount, |
| 27 | optionalAuthenticate, | 27 | optionalAuthenticate, |
| 28 | paginationValidator, | 28 | paginationValidator, |
| 29 | setDefaultPagination, | 29 | setDefaultPagination, |
| @@ -77,7 +77,7 @@ videoChannelRouter.post('/:nameWithHost/avatar/pick', | |||
| 77 | reqAvatarFile, | 77 | reqAvatarFile, |
| 78 | asyncMiddleware(videoChannelsNameWithHostValidator), | 78 | asyncMiddleware(videoChannelsNameWithHostValidator), |
| 79 | ensureIsLocalChannel, | 79 | ensureIsLocalChannel, |
| 80 | ensureCanManageChannel, | 80 | ensureCanManageChannelOrAccount, |
| 81 | updateAvatarValidator, | 81 | updateAvatarValidator, |
| 82 | asyncMiddleware(updateVideoChannelAvatar) | 82 | asyncMiddleware(updateVideoChannelAvatar) |
| 83 | ) | 83 | ) |
| @@ -87,7 +87,7 @@ videoChannelRouter.post('/:nameWithHost/banner/pick', | |||
| 87 | reqBannerFile, | 87 | reqBannerFile, |
| 88 | asyncMiddleware(videoChannelsNameWithHostValidator), | 88 | asyncMiddleware(videoChannelsNameWithHostValidator), |
| 89 | ensureIsLocalChannel, | 89 | ensureIsLocalChannel, |
| 90 | ensureCanManageChannel, | 90 | ensureCanManageChannelOrAccount, |
| 91 | updateBannerValidator, | 91 | updateBannerValidator, |
| 92 | asyncMiddleware(updateVideoChannelBanner) | 92 | asyncMiddleware(updateVideoChannelBanner) |
| 93 | ) | 93 | ) |
| @@ -96,7 +96,7 @@ videoChannelRouter.delete('/:nameWithHost/avatar', | |||
| 96 | authenticate, | 96 | authenticate, |
| 97 | asyncMiddleware(videoChannelsNameWithHostValidator), | 97 | asyncMiddleware(videoChannelsNameWithHostValidator), |
| 98 | ensureIsLocalChannel, | 98 | ensureIsLocalChannel, |
| 99 | ensureCanManageChannel, | 99 | ensureCanManageChannelOrAccount, |
| 100 | asyncMiddleware(deleteVideoChannelAvatar) | 100 | asyncMiddleware(deleteVideoChannelAvatar) |
| 101 | ) | 101 | ) |
| 102 | 102 | ||
| @@ -104,7 +104,7 @@ videoChannelRouter.delete('/:nameWithHost/banner', | |||
| 104 | authenticate, | 104 | authenticate, |
| 105 | asyncMiddleware(videoChannelsNameWithHostValidator), | 105 | asyncMiddleware(videoChannelsNameWithHostValidator), |
| 106 | ensureIsLocalChannel, | 106 | ensureIsLocalChannel, |
| 107 | ensureCanManageChannel, | 107 | ensureCanManageChannelOrAccount, |
| 108 | asyncMiddleware(deleteVideoChannelBanner) | 108 | asyncMiddleware(deleteVideoChannelBanner) |
| 109 | ) | 109 | ) |
| 110 | 110 | ||
| @@ -112,7 +112,7 @@ videoChannelRouter.put('/:nameWithHost', | |||
| 112 | authenticate, | 112 | authenticate, |
| 113 | asyncMiddleware(videoChannelsNameWithHostValidator), | 113 | asyncMiddleware(videoChannelsNameWithHostValidator), |
| 114 | ensureIsLocalChannel, | 114 | ensureIsLocalChannel, |
| 115 | ensureCanManageChannel, | 115 | ensureCanManageChannelOrAccount, |
| 116 | videoChannelsUpdateValidator, | 116 | videoChannelsUpdateValidator, |
| 117 | asyncRetryTransactionMiddleware(updateVideoChannel) | 117 | asyncRetryTransactionMiddleware(updateVideoChannel) |
| 118 | ) | 118 | ) |
| @@ -121,7 +121,7 @@ videoChannelRouter.delete('/:nameWithHost', | |||
| 121 | authenticate, | 121 | authenticate, |
| 122 | asyncMiddleware(videoChannelsNameWithHostValidator), | 122 | asyncMiddleware(videoChannelsNameWithHostValidator), |
| 123 | ensureIsLocalChannel, | 123 | ensureIsLocalChannel, |
| 124 | ensureCanManageChannel, | 124 | ensureCanManageChannelOrAccount, |
| 125 | asyncMiddleware(videoChannelsRemoveValidator), | 125 | asyncMiddleware(videoChannelsRemoveValidator), |
| 126 | asyncRetryTransactionMiddleware(removeVideoChannel) | 126 | asyncRetryTransactionMiddleware(removeVideoChannel) |
| 127 | ) | 127 | ) |
| @@ -155,7 +155,7 @@ videoChannelRouter.get('/:nameWithHost/videos', | |||
| 155 | videoChannelRouter.get('/:nameWithHost/followers', | 155 | videoChannelRouter.get('/:nameWithHost/followers', |
| 156 | authenticate, | 156 | authenticate, |
| 157 | asyncMiddleware(videoChannelsNameWithHostValidator), | 157 | asyncMiddleware(videoChannelsNameWithHostValidator), |
| 158 | ensureCanManageChannel, | 158 | ensureCanManageChannelOrAccount, |
| 159 | paginationValidator, | 159 | paginationValidator, |
| 160 | videoChannelsFollowersSortValidator, | 160 | videoChannelsFollowersSortValidator, |
| 161 | setDefaultSort, | 161 | setDefaultSort, |
| @@ -168,7 +168,7 @@ videoChannelRouter.post('/:nameWithHost/import-videos', | |||
| 168 | asyncMiddleware(videoChannelsNameWithHostValidator), | 168 | asyncMiddleware(videoChannelsNameWithHostValidator), |
| 169 | asyncMiddleware(videoChannelImportVideosValidator), | 169 | asyncMiddleware(videoChannelImportVideosValidator), |
| 170 | ensureIsLocalChannel, | 170 | ensureIsLocalChannel, |
| 171 | ensureCanManageChannel, | 171 | ensureCanManageChannelOrAccount, |
| 172 | asyncMiddleware(ensureChannelOwnerCanUpload), | 172 | asyncMiddleware(ensureChannelOwnerCanUpload), |
| 173 | asyncMiddleware(importVideosInChannel) | 173 | asyncMiddleware(importVideosInChannel) |
| 174 | ) | 174 | ) |
diff --git a/server/middlewares/validators/users.ts b/server/middlewares/validators/users.ts index 282034f6d..2de5265fb 100644 --- a/server/middlewares/validators/users.ts +++ b/server/middlewares/validators/users.ts | |||
| @@ -507,13 +507,14 @@ const ensureAuthUserOwnsAccountValidator = [ | |||
| 507 | } | 507 | } |
| 508 | ] | 508 | ] |
| 509 | 509 | ||
| 510 | const ensureCanManageChannel = [ | 510 | const ensureCanManageChannelOrAccount = [ |
| 511 | (req: express.Request, res: express.Response, next: express.NextFunction) => { | 511 | (req: express.Request, res: express.Response, next: express.NextFunction) => { |
| 512 | const user = res.locals.oauth.token.user | 512 | const user = res.locals.oauth.token.user |
| 513 | const isUserOwner = res.locals.videoChannel.Account.userId === user.id | 513 | const account = res.locals.videoChannel?.Account ?? res.locals.account |
| 514 | const isUserOwner = account.userId === user.id | ||
| 514 | 515 | ||
| 515 | if (!isUserOwner && user.hasRight(UserRight.MANAGE_ANY_VIDEO_CHANNEL) === false) { | 516 | if (!isUserOwner && user.hasRight(UserRight.MANAGE_ANY_VIDEO_CHANNEL) === false) { |
| 516 | const message = `User ${user.username} does not have right to manage channel ${req.params.nameWithHost}.` | 517 | const message = `User ${user.username} does not have right this channel or account.` |
| 517 | 518 | ||
| 518 | return res.fail({ | 519 | return res.fail({ |
| 519 | status: HttpStatusCode.FORBIDDEN_403, | 520 | status: HttpStatusCode.FORBIDDEN_403, |
| @@ -525,7 +526,7 @@ const ensureCanManageChannel = [ | |||
| 525 | } | 526 | } |
| 526 | ] | 527 | ] |
| 527 | 528 | ||
| 528 | const ensureCanManageUser = [ | 529 | const ensureCanModerateUser = [ |
| 529 | (req: express.Request, res: express.Response, next: express.NextFunction) => { | 530 | (req: express.Request, res: express.Response, next: express.NextFunction) => { |
| 530 | const authUser = res.locals.oauth.token.User | 531 | const authUser = res.locals.oauth.token.User |
| 531 | const onUser = res.locals.user | 532 | const onUser = res.locals.user |
| @@ -535,7 +536,7 @@ const ensureCanManageUser = [ | |||
| 535 | 536 | ||
| 536 | return res.fail({ | 537 | return res.fail({ |
| 537 | status: HttpStatusCode.FORBIDDEN_403, | 538 | status: HttpStatusCode.FORBIDDEN_403, |
| 538 | message: 'A moderator can only manager users.' | 539 | message: 'A moderator can only manage users.' |
| 539 | }) | 540 | }) |
| 540 | } | 541 | } |
| 541 | ] | 542 | ] |
| @@ -562,8 +563,8 @@ export { | |||
| 562 | usersVerifyEmailValidator, | 563 | usersVerifyEmailValidator, |
| 563 | userAutocompleteValidator, | 564 | userAutocompleteValidator, |
| 564 | ensureAuthUserOwnsAccountValidator, | 565 | ensureAuthUserOwnsAccountValidator, |
| 565 | ensureCanManageUser, | 566 | ensureCanModerateUser, |
| 566 | ensureCanManageChannel | 567 | ensureCanManageChannelOrAccount |
| 567 | } | 568 | } |
| 568 | 569 | ||
| 569 | // --------------------------------------------------------------------------- | 570 | // --------------------------------------------------------------------------- |