aboutsummaryrefslogtreecommitdiffhomepage
path: root/server/middlewares
diff options
context:
space:
mode:
authorChocobozzz <me@florianbigard.com>2019-08-22 14:46:47 +0200
committerChocobozzz <me@florianbigard.com>2019-08-22 14:46:47 +0200
commitd5c8932a601c1854db0a2e399ccaf26e17385f1a (patch)
tree8c38f9d7772c6a2d22dbeb84a7c4de6aaf345aeb /server/middlewares
parent2a8ae7595c1b7853c47955b4b9ecb4a7f7a68fc0 (diff)
parent820546916cad3ae4cc51eab408aef7bbaff3632f (diff)
downloadPeerTube-d5c8932a601c1854db0a2e399ccaf26e17385f1a.tar.gz
PeerTube-d5c8932a601c1854db0a2e399ccaf26e17385f1a.tar.zst
PeerTube-d5c8932a601c1854db0a2e399ccaf26e17385f1a.zip
Merge branch 'release/1.4.0' into develop
Diffstat (limited to 'server/middlewares')
-rw-r--r--server/middlewares/csp.ts4
-rw-r--r--server/middlewares/validators/users.ts11
2 files changed, 10 insertions, 5 deletions
diff --git a/server/middlewares/csp.ts b/server/middlewares/csp.ts
index d484b3021..d11d70790 100644
--- a/server/middlewares/csp.ts
+++ b/server/middlewares/csp.ts
@@ -7,8 +7,8 @@ const baseDirectives = Object.assign({},
7 connectSrc: ['*', 'data:'], 7 connectSrc: ['*', 'data:'],
8 mediaSrc: ["'self'", 'https:', 'blob:'], 8 mediaSrc: ["'self'", 'https:', 'blob:'],
9 fontSrc: ["'self'", 'data:'], 9 fontSrc: ["'self'", 'data:'],
10 imgSrc: ["'self'", 'data:'], 10 imgSrc: ["'self'", 'data:', 'blob:'],
11 scriptSrc: ["'self' 'unsafe-inline' 'unsafe-eval'"], 11 scriptSrc: ["'self' 'unsafe-inline' 'unsafe-eval'", 'blob:'],
12 styleSrc: ["'self' 'unsafe-inline'"], 12 styleSrc: ["'self' 'unsafe-inline'"],
13 objectSrc: ["'none'"], // only define to allow plugins, else let defaultSrc 'none' block it 13 objectSrc: ["'none'"], // only define to allow plugins, else let defaultSrc 'none' block it
14 formAction: ["'self'"], 14 formAction: ["'self'"],
diff --git a/server/middlewares/validators/users.ts b/server/middlewares/validators/users.ts
index 40dd0f0e9..d51bc27e6 100644
--- a/server/middlewares/validators/users.ts
+++ b/server/middlewares/validators/users.ts
@@ -39,7 +39,9 @@ const usersAddValidator = [
39 body('email').isEmail().withMessage('Should have a valid email'), 39 body('email').isEmail().withMessage('Should have a valid email'),
40 body('videoQuota').custom(isUserVideoQuotaValid).withMessage('Should have a valid user quota'), 40 body('videoQuota').custom(isUserVideoQuotaValid).withMessage('Should have a valid user quota'),
41 body('videoQuotaDaily').custom(isUserVideoQuotaDailyValid).withMessage('Should have a valid daily user quota'), 41 body('videoQuotaDaily').custom(isUserVideoQuotaDailyValid).withMessage('Should have a valid daily user quota'),
42 body('role').custom(isUserRoleValid).withMessage('Should have a valid role'), 42 body('role')
43 .customSanitizer(toIntOrNull)
44 .custom(isUserRoleValid).withMessage('Should have a valid role'),
43 body('adminFlags').optional().custom(isUserAdminFlagsValid).withMessage('Should have a valid admin flags'), 45 body('adminFlags').optional().custom(isUserAdminFlagsValid).withMessage('Should have a valid admin flags'),
44 46
45 async (req: express.Request, res: express.Response, next: express.NextFunction) => { 47 async (req: express.Request, res: express.Response, next: express.NextFunction) => {
@@ -51,7 +53,7 @@ const usersAddValidator = [
51 const authUser = res.locals.oauth.token.User 53 const authUser = res.locals.oauth.token.User
52 if (authUser.role !== UserRole.ADMINISTRATOR && req.body.role !== UserRole.USER) { 54 if (authUser.role !== UserRole.ADMINISTRATOR && req.body.role !== UserRole.USER) {
53 return res.status(403) 55 return res.status(403)
54 .json({ error: 'You can only create users (and not administrators or moderators' }) 56 .json({ error: 'You can only create users (and not administrators or moderators)' })
55 } 57 }
56 58
57 return next() 59 return next()
@@ -161,7 +163,10 @@ const usersUpdateValidator = [
161 body('emailVerified').optional().isBoolean().withMessage('Should have a valid email verified attribute'), 163 body('emailVerified').optional().isBoolean().withMessage('Should have a valid email verified attribute'),
162 body('videoQuota').optional().custom(isUserVideoQuotaValid).withMessage('Should have a valid user quota'), 164 body('videoQuota').optional().custom(isUserVideoQuotaValid).withMessage('Should have a valid user quota'),
163 body('videoQuotaDaily').optional().custom(isUserVideoQuotaDailyValid).withMessage('Should have a valid daily user quota'), 165 body('videoQuotaDaily').optional().custom(isUserVideoQuotaDailyValid).withMessage('Should have a valid daily user quota'),
164 body('role').optional().custom(isUserRoleValid).withMessage('Should have a valid role'), 166 body('role')
167 .optional()
168 .customSanitizer(toIntOrNull)
169 .custom(isUserRoleValid).withMessage('Should have a valid role'),
165 body('adminFlags').optional().custom(isUserAdminFlagsValid).withMessage('Should have a valid admin flags'), 170 body('adminFlags').optional().custom(isUserAdminFlagsValid).withMessage('Should have a valid admin flags'),
166 171
167 async (req: express.Request, res: express.Response, next: express.NextFunction) => { 172 async (req: express.Request, res: express.Response, next: express.NextFunction) => {