aboutsummaryrefslogtreecommitdiffhomepage
path: root/server/middlewares
diff options
context:
space:
mode:
authorChocobozzz <me@florianbigard.com>2019-07-30 09:59:19 +0200
committerChocobozzz <me@florianbigard.com>2019-07-30 09:59:19 +0200
commita95a4cc89155f448e6f9ca0957170f3c72a9d964 (patch)
treef390fa3eccef0991db5694ef58d6716228a7f67a /server/middlewares
parentdc8902634864841be7ca483b8e1c0f5afa609c32 (diff)
downloadPeerTube-a95a4cc89155f448e6f9ca0957170f3c72a9d964.tar.gz
PeerTube-a95a4cc89155f448e6f9ca0957170f3c72a9d964.tar.zst
PeerTube-a95a4cc89155f448e6f9ca0957170f3c72a9d964.zip
Moderators can only manage users
Diffstat (limited to 'server/middlewares')
-rw-r--r--server/middlewares/validators/users.ts72
1 files changed, 39 insertions, 33 deletions
diff --git a/server/middlewares/validators/users.ts b/server/middlewares/validators/users.ts
index da92c715d..16d297047 100644
--- a/server/middlewares/validators/users.ts
+++ b/server/middlewares/validators/users.ts
@@ -30,6 +30,7 @@ import { UserRegister } from '../../../shared/models/users/user-register.model'
30import { isThemeNameValid } from '../../helpers/custom-validators/plugins' 30import { isThemeNameValid } from '../../helpers/custom-validators/plugins'
31import { isThemeRegistered } from '../../lib/plugins/theme-utils' 31import { isThemeRegistered } from '../../lib/plugins/theme-utils'
32import { doesVideoExist } from '../../helpers/middlewares' 32import { doesVideoExist } from '../../helpers/middlewares'
33import { UserRole } from '../../../shared/models/users'
33 34
34const usersAddValidator = [ 35const usersAddValidator = [
35 body('username').custom(isUserUsernameValid).withMessage('Should have a valid username (lowercase alphanumeric characters)'), 36 body('username').custom(isUserUsernameValid).withMessage('Should have a valid username (lowercase alphanumeric characters)'),
@@ -46,6 +47,12 @@ const usersAddValidator = [
46 if (areValidationErrors(req, res)) return 47 if (areValidationErrors(req, res)) return
47 if (!await checkUserNameOrEmailDoesNotAlreadyExist(req.body.username, req.body.email, res)) return 48 if (!await checkUserNameOrEmailDoesNotAlreadyExist(req.body.username, req.body.email, res)) return
48 49
50 const authUser = res.locals.oauth.token.User
51 if (authUser.role !== UserRole.ADMINISTRATOR && req.body.role !== UserRole.USER) {
52 return res.status(403)
53 .json({ error: 'You can only create users (and not administrators or moderators' })
54 }
55
49 return next() 56 return next()
50 } 57 }
51] 58]
@@ -75,21 +82,18 @@ const usersRegisterValidator = [
75 if (body.channel) { 82 if (body.channel) {
76 if (!body.channel.name || !body.channel.displayName) { 83 if (!body.channel.name || !body.channel.displayName) {
77 return res.status(400) 84 return res.status(400)
78 .send({ error: 'Channel is optional but if you specify it, channel.name and channel.displayName are required.' }) 85 .json({ error: 'Channel is optional but if you specify it, channel.name and channel.displayName are required.' })
79 .end()
80 } 86 }
81 87
82 if (body.channel.name === body.username) { 88 if (body.channel.name === body.username) {
83 return res.status(400) 89 return res.status(400)
84 .send({ error: 'Channel name cannot be the same than user username.' }) 90 .json({ error: 'Channel name cannot be the same than user username.' })
85 .end()
86 } 91 }
87 92
88 const existing = await ActorModel.loadLocalByName(body.channel.name) 93 const existing = await ActorModel.loadLocalByName(body.channel.name)
89 if (existing) { 94 if (existing) {
90 return res.status(409) 95 return res.status(409)
91 .send({ error: `Channel with name ${body.channel.name} already exists.` }) 96 .json({ error: `Channel with name ${body.channel.name} already exists.` })
92 .end()
93 } 97 }
94 } 98 }
95 99
@@ -109,8 +113,7 @@ const usersRemoveValidator = [
109 const user = res.locals.user 113 const user = res.locals.user
110 if (user.username === 'root') { 114 if (user.username === 'root') {
111 return res.status(400) 115 return res.status(400)
112 .send({ error: 'Cannot remove the root user' }) 116 .json({ error: 'Cannot remove the root user' })
113 .end()
114 } 117 }
115 118
116 return next() 119 return next()
@@ -130,8 +133,7 @@ const usersBlockingValidator = [
130 const user = res.locals.user 133 const user = res.locals.user
131 if (user.username === 'root') { 134 if (user.username === 'root') {
132 return res.status(400) 135 return res.status(400)
133 .send({ error: 'Cannot block the root user' }) 136 .json({ error: 'Cannot block the root user' })
134 .end()
135 } 137 }
136 138
137 return next() 139 return next()
@@ -143,7 +145,7 @@ const deleteMeValidator = [
143 const user = res.locals.oauth.token.User 145 const user = res.locals.oauth.token.User
144 if (user.username === 'root') { 146 if (user.username === 'root') {
145 return res.status(400) 147 return res.status(400)
146 .send({ error: 'You cannot delete your root account.' }) 148 .json({ error: 'You cannot delete your root account.' })
147 .end() 149 .end()
148 } 150 }
149 151
@@ -170,8 +172,7 @@ const usersUpdateValidator = [
170 const user = res.locals.user 172 const user = res.locals.user
171 if (user.username === 'root' && req.body.role !== undefined && user.role !== req.body.role) { 173 if (user.username === 'root' && req.body.role !== undefined && user.role !== req.body.role) {
172 return res.status(400) 174 return res.status(400)
173 .send({ error: 'Cannot change root role.' }) 175 .json({ error: 'Cannot change root role.' })
174 .end()
175 } 176 }
176 177
177 return next() 178 return next()
@@ -216,15 +217,14 @@ const usersUpdateMeValidator = [
216 if (req.body.password || req.body.email) { 217 if (req.body.password || req.body.email) {
217 if (!req.body.currentPassword) { 218 if (!req.body.currentPassword) {
218 return res.status(400) 219 return res.status(400)
219 .send({ error: 'currentPassword parameter is missing.' }) 220 .json({ error: 'currentPassword parameter is missing.' })
220 .end() 221 .end()
221 } 222 }
222 223
223 const user = res.locals.oauth.token.User 224 const user = res.locals.oauth.token.User
224 if (await user.isPasswordMatch(req.body.currentPassword) !== true) { 225 if (await user.isPasswordMatch(req.body.currentPassword) !== true) {
225 return res.status(401) 226 return res.status(401)
226 .send({ error: 'currentPassword is invalid.' }) 227 .json({ error: 'currentPassword is invalid.' })
227 .end()
228 } 228 }
229 } 229 }
230 230
@@ -265,8 +265,7 @@ const ensureUserRegistrationAllowed = [
265 const allowed = await isSignupAllowed() 265 const allowed = await isSignupAllowed()
266 if (allowed === false) { 266 if (allowed === false) {
267 return res.status(403) 267 return res.status(403)
268 .send({ error: 'User registration is not enabled or user limit is reached.' }) 268 .json({ error: 'User registration is not enabled or user limit is reached.' })
269 .end()
270 } 269 }
271 270
272 return next() 271 return next()
@@ -279,8 +278,7 @@ const ensureUserRegistrationAllowedForIP = [
279 278
280 if (allowed === false) { 279 if (allowed === false) {
281 return res.status(403) 280 return res.status(403)
282 .send({ error: 'You are not on a network authorized for registration.' }) 281 .json({ error: 'You are not on a network authorized for registration.' })
283 .end()
284 } 282 }
285 283
286 return next() 284 return next()
@@ -323,8 +321,7 @@ const usersResetPasswordValidator = [
323 if (redisVerificationString !== req.body.verificationString) { 321 if (redisVerificationString !== req.body.verificationString) {
324 return res 322 return res
325 .status(403) 323 .status(403)
326 .send({ error: 'Invalid verification string.' }) 324 .json({ error: 'Invalid verification string.' })
327 .end()
328 } 325 }
329 326
330 return next() 327 return next()
@@ -371,8 +368,7 @@ const usersVerifyEmailValidator = [
371 if (redisVerificationString !== req.body.verificationString) { 368 if (redisVerificationString !== req.body.verificationString) {
372 return res 369 return res
373 .status(403) 370 .status(403)
374 .send({ error: 'Invalid verification string.' }) 371 .json({ error: 'Invalid verification string.' })
375 .end()
376 } 372 }
377 373
378 return next() 374 return next()
@@ -389,14 +385,26 @@ const ensureAuthUserOwnsAccountValidator = [
389 385
390 if (res.locals.account.id !== user.Account.id) { 386 if (res.locals.account.id !== user.Account.id) {
391 return res.status(403) 387 return res.status(403)
392 .send({ error: 'Only owner can access ratings list.' }) 388 .json({ error: 'Only owner can access ratings list.' })
393 .end()
394 } 389 }
395 390
396 return next() 391 return next()
397 } 392 }
398] 393]
399 394
395const ensureCanManageUser = [
396 (req: express.Request, res: express.Response, next: express.NextFunction) => {
397 const authUser = res.locals.oauth.token.User
398 const onUser = res.locals.user
399
400 if (authUser.role === UserRole.ADMINISTRATOR) return next()
401 if (authUser.role === UserRole.MODERATOR && onUser.role === UserRole.USER) return next()
402
403 return res.status(403)
404 .json({ error: 'A moderator can only manager users.' })
405 }
406]
407
400// --------------------------------------------------------------------------- 408// ---------------------------------------------------------------------------
401 409
402export { 410export {
@@ -416,7 +424,8 @@ export {
416 usersAskSendVerifyEmailValidator, 424 usersAskSendVerifyEmailValidator,
417 usersVerifyEmailValidator, 425 usersVerifyEmailValidator,
418 userAutocompleteValidator, 426 userAutocompleteValidator,
419 ensureAuthUserOwnsAccountValidator 427 ensureAuthUserOwnsAccountValidator,
428 ensureCanManageUser
420} 429}
421 430
422// --------------------------------------------------------------------------- 431// ---------------------------------------------------------------------------
@@ -434,16 +443,14 @@ async function checkUserNameOrEmailDoesNotAlreadyExist (username: string, email:
434 443
435 if (user) { 444 if (user) {
436 res.status(409) 445 res.status(409)
437 .send({ error: 'User with this username or email already exists.' }) 446 .json({ error: 'User with this username or email already exists.' })
438 .end()
439 return false 447 return false
440 } 448 }
441 449
442 const actor = await ActorModel.loadLocalByName(username) 450 const actor = await ActorModel.loadLocalByName(username)
443 if (actor) { 451 if (actor) {
444 res.status(409) 452 res.status(409)
445 .send({ error: 'Another actor (account/channel) with this name on this instance already exists or has already existed.' }) 453 .json({ error: 'Another actor (account/channel) with this name on this instance already exists or has already existed.' })
446 .end()
447 return false 454 return false
448 } 455 }
449 456
@@ -456,8 +463,7 @@ async function checkUserExist (finder: () => Bluebird<UserModel>, res: express.R
456 if (!user) { 463 if (!user) {
457 if (abortResponse === true) { 464 if (abortResponse === true) {
458 res.status(404) 465 res.status(404)
459 .send({ error: 'User not found' }) 466 .json({ error: 'User not found' })
460 .end()
461 } 467 }
462 468
463 return false 469 return false