authorGreen-Star <Green-Star@users.noreply.github.com>2017-04-26 21:22:10 +0200
committerBigard Florian <florian.bigard@gmail.com>2017-04-26 21:22:10 +0200
commit198b205c10dba362b9ae1ef6895b29d7e0dd685f (patch)
tree3be413139784f7445e775cbecccc6091a738360b /server/middlewares/validators
parent00871a261787ae1ed8446861ba2bd5eea9faca6d (diff)
Add ability for an administrator to remove any video (#61)
* Add ability for an admin to remove every video on the pod. * Server: add BlacklistedVideos relation. * Server: Insert in BlacklistedVideos relation upon deletion of a video. * Server: Modify BlacklistedVideos schema to add Pod id information. * Server: Moving insertion of a blacklisted video from the `afterDestroy` hook into the process of deletion of a video. To avoid inserting a video when it is removed on its origin pod. When a video is removed on its origin pod, the `afterDestroy` hook is fired, but no request is made on the delete('/:videoId') interface. Hence, we insert into `BlacklistedVideos` only on request on delete('/:videoId') (if requirements for insertion are met). * Server: Add removeVideoFromBlacklist hook on deletion of a video. We are going to proceed in another way :). We will add a new route : /:videoId/blacklist to blacklist a video. We do not blacklist a video upon its deletion now (to distinguish a video blacklist from a regular video delete) When we blacklist a video, the video remains in the DB, so we don't have any concern about its update. It just doesn't appear in the video list. When we remove a video, we then have to remove it from the blacklist too. We could also remove a video from the blacklist to 'unremove' it and make it appear again in the video list (will be another feature). * Server: Add handler for new route post(/:videoId/blacklist) * Client: Add isBlacklistable method * Client: Update isRemovableBy method. * Client: Move 'Delete video' feature from the video-list to the video-watch module. * Server: Exclude blacklisted videos from the video list * Server: Use findAll() in BlacklistedVideos.list() method * Server: Fix addVideoToBlacklist function. * Client: Add blacklist feature. * Server: Use JavaScript Standard Style. * Server: In checkUserCanDeleteVideo, move the callback call inside the db callback function * Server: Modify BlacklistVideo relation * Server: Modify Videos methods.
* Server: Add checkVideoIsBlacklistable method * Server: Rewrite addVideoToBlacklist method * Server: Fix checkVideoIsBlacklistable method * Server: Add return to addVideoToBlacklist method
Diffstat (limited to 'server/middlewares/validators')
-rw-r--r--server/middlewares/validators/videos.js63
1 files changed, 53 insertions, 10 deletions
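--- a/server/middlewares/validators/videos.js
+++ b/server/middlewares/validators/videos.js
@@ -15,7 +15,9 @@ const validatorsVideos = {
 
  videoAbuseReport,
 
- videoRate
+ videoRate,
+
+ videosBlacklist
 }
 
 function videosAdd (req, res, next) {
@@ -95,15 +97,10 @@ function videosRemove (req, res, next) {
  checkVideoExists(req.params.id, res, function () {
  // We need to make additional checks
 
- if (res.locals.video.isOwned() === false) {
- return res.status(403).send('Cannot remove video of another pod')
- }
-
- if (res.locals.video.Author.userId !== res.locals.oauth.token.User.id) {
- return res.status(403).send('Cannot remove video of another user')
- }
-
- next()
+ // Check if the user who did the request is able to delete the video
+ checkUserCanDeleteVideo(res.locals.oauth.token.User.id, res, function () {
+ next()
+ })
  })
  })
 }
@@ -159,3 +156,49 @@ function checkVideoExists (id, res, callback) {
  callback()
  })
 }
+
+function checkUserCanDeleteVideo (userId, res, callback) {
+ // Retrieve the user who did the request
+ db.User.loadById(userId, function (err, user) {
+ if (err) {
+ logger.error('Error in video request validator.', { error: err })
+ return res.sendStatus(500)
+ }
+
+ // Check if the user can delete the video
+ // The user can delete it if s/he an admin
+ // Or if s/he is the video's author
+ if (user.isAdmin() === false) {
+ if (res.locals.video.isOwned() === false) {
+ return res.status(403).send('Cannot remove video of another pod')
+ }
+
+ if (res.locals.video.Author.userId !== res.locals.oauth.token.User.id) {
+ return res.status(403).send('Cannot remove video of another user')
+ }
+ }
+
+ // If we reach this comment, we can delete the video
+ callback()
+ })
+}
+
+function checkVideoIsBlacklistable (req, res, callback) {
+ if (res.locals.video.isOwned() === true) {
+ return res.status(403).send('Cannot blacklist a local video')
+ }
+
+ callback()
+}
+
+function videosBlacklist (req, res, next) {
+ req.checkParams('id', 'Should have a valid id').notEmpty().isUUID(4)
+
+ logger.debug('Checking videosBlacklist parameters', { parameters: req.params })
+
+ checkErrors(req, res, function () {
+ checkVideoExists(req.params.id, res, function() {
+ checkVideoIsBlacklistable(req, res, next)
+ })
+ })
+}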
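Review bot: In checkUserCanDeleteVideo (new lines 160-184), `user.isAdmin()` is called without checking that `db.User.loadById` returned a user; if the lookup can succeed with no row (not visible on this page, e.g. an account removed while its token is still accepted), the callback throws instead of denying the request. A guard ahead of the role check fails closed: `if (!user) return res.sendStatus(403)`. Separately, videosBlacklist (new lines 194-204) validates only the id, the video's existence and that it is not local; nothing in this file checks the caller's role, so the route must put an admin-only middleware ahead of this validator. That dependency deserves a comment on the function, for example `// NOTE: does not check the caller's role; the route must require an admin before this validator`. The ownership comparison also reads `res.locals.oauth.token.User.id` although the function receives `userId`; comparing against `userId` would tie the decision to the user that was actually loaded.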