Give moderators access to edit channels (#4608)

* give admins access to edit all channels closes #4598 * test(channels): +admin update another users channel * Fix tests * fix(server): delete another users channel Since the channel owner isn't necessary the auth user we need to check the right account whether it's the last video or not. * REMOVE_ANY_VIDEO_CHANNEL > MANAGE_ANY_VIDEO_CHANNEL Merge REMOVE_ANY_VIDEO_CHANNEL and MANY_VIDEO_CHANNELS to MANAGE_ANY_VIDEO_CHANNEL. * user-right: moderator can't manage admins channel * client: MyVideoChannelCreateComponent > VideoChannelCreateComponent * client: MyVideoChannelEdit > VideoChannelEdit * Revert "user-right: moderator can't manage admins channel" This reverts commit 2c627c154e2bfe6af2e0f45efb27faf4117572f3. * server: clean dupl validator functionality * fix ensureUserCanManageChannel usage It's not async anymore. * server: merge channel validator middleares ensureAuthUserOwnsChannelValidator & ensureUserCanManageChannel gets merged into one middleware. * client(VideoChannelEdit): redirect to prev route * fix(VideoChannels): handle anon users * client: new routes for create/update channel * Refactor channel validators Co-authored-by: Chocobozzz <me@florianbigard.com>
author: kontrollanten <6680299+kontrollanten@users.noreply.github.com> 2021-12-13 15:29:13 +0100
committer: GitHub <noreply@github.com> 2021-12-13 15:29:13 +0100
commit: a37e9e74ff07b057370d1ed6c0b391a02be8a6d2 (patch)
tree: 30d59e12518149a309bbd10bee1485f8be523c75 /server/middlewares
parent: 11e520b50d791a0dd48cbb2d0fc681b25eb7cd53 (diff)
download: PeerTube-a37e9e74ff07b057370d1ed6c0b391a02be8a6d2.tar.gz
PeerTube-a37e9e74ff07b057370d1ed6c0b391a02be8a6d2.tar.zst
PeerTube-a37e9e74ff07b057370d1ed6c0b391a02be8a6d2.zip
3 files changed, 25 insertions, 59 deletions
diff --git a/server/middlewares/validators/shared/video-channels.ts b/server/middlewares/validators/shared/video-channels.ts
index 7c0c89267..bed9f5dbe 100644
--- a/server/middlewares/validators/shared/video-channels.ts
+++ b/server/middlewares/validators/shared/video-channels.ts
@@ -3,12 +3,6 @@ import { VideoChannelModel } from '@server/models/video/video-channel'
 import { MChannelBannerAccountDefault } from '@server/types/models'
 import { HttpStatusCode } from '@shared/models'
-async function doesLocalVideoChannelNameExist (name: string, res: express.Response) {
-  const videoChannel = await VideoChannelModel.loadLocalByNameAndPopulateAccount(name)
-  return processVideoChannelExist(videoChannel, res)
-}
 async function doesVideoChannelIdExist (id: number, res: express.Response) {
  const videoChannel = await VideoChannelModel.loadAndPopulateAccount(+id)
@@ -24,7 +18,6 @@ async function doesVideoChannelNameWithHostExist (nameWithDomain: string, res: e
 // ---------------------------------------------------------------------------
 export {
-  doesLocalVideoChannelNameExist,
  doesVideoChannelIdExist,
  doesVideoChannelNameWithHostExist
 }
diff --git a/server/middlewares/validators/users.ts b/server/middlewares/validators/users.ts
index 33b31d54b..7a6b2ce57 100644
--- a/server/middlewares/validators/users.ts
+++ b/server/middlewares/validators/users.ts
@@ -3,7 +3,7 @@ import { body, param, query } from 'express-validator'
 import { omit } from 'lodash'
 import { Hooks } from '@server/lib/plugins/hooks'
 import { MUserDefault } from '@server/types/models'
-import { HttpStatusCode, UserRegister, UserRole } from '@shared/models'
+import { HttpStatusCode, UserRegister, UserRight, UserRole } from '@shared/models'
 import { isBooleanValid, isIdValid, toBooleanOrNull, toIntOrNull } from '../../helpers/custom-validators/misc'
 import { isThemeNameValid } from '../../helpers/custom-validators/plugins'
 import {
@@ -490,14 +490,17 @@ const ensureAuthUserOwnsAccountValidator = [
  }
 ]
-const ensureAuthUserOwnsChannelValidator = [
+const ensureCanManageChannel = [
  (req: express.Request, res: express.Response, next: express.NextFunction) => {
-    const user = res.locals.oauth.token.User
+    const user = res.locals.oauth.token.user
+    const isUserOwner = res.locals.videoChannel.Account.userId === user.id
+    if (!isUserOwner && user.hasRight(UserRight.MANAGE_ANY_VIDEO_CHANNEL) === false) {
+      const message = `User ${user.username} does not have right to manage channel ${req.params.nameWithHost}.`
-    if (res.locals.videoChannel.Account.userId !== user.id) {
      return res.fail({
        status: HttpStatusCode.FORBIDDEN_403,
-        message: 'Only owner of this video channel can access this ressource'
+        message
      })
    }
@@ -542,8 +545,8 @@ export {
  usersVerifyEmailValidator,
  userAutocompleteValidator,
  ensureAuthUserOwnsAccountValidator,
-  ensureAuthUserOwnsChannelValidator,
+  ensureCanManageUser,
-  ensureCanManageUser
+  ensureCanManageChannel
 }
 // ---------------------------------------------------------------------------
diff --git a/server/middlewares/validators/videos/video-channels.ts b/server/middlewares/validators/videos/video-channels.ts
index edce48c7f..3bfdebbb1 100644
--- a/server/middlewares/validators/videos/video-channels.ts
+++ b/server/middlewares/validators/videos/video-channels.ts
@@ -1,7 +1,7 @@
 import express from 'express'
 import { body, param, query } from 'express-validator'
-import { MChannelAccountDefault, MUser } from '@server/types/models'
+import { CONFIG } from '@server/initializers/config'
-import { UserRight } from '../../../../shared'
+import { MChannelAccountDefault } from '@server/types/models'
 import { HttpStatusCode } from '../../../../shared/models/http/http-error-codes'
 import { isBooleanValid, toBooleanOrNull } from '../../../helpers/custom-validators/misc'
 import {
@@ -13,8 +13,7 @@ import {
 import { logger } from '../../../helpers/logger'
 import { ActorModel } from '../../../models/actor/actor'
 import { VideoChannelModel } from '../../../models/video/video-channel'
-import { areValidationErrors, doesLocalVideoChannelNameExist, doesVideoChannelNameWithHostExist } from '../shared'
+import { areValidationErrors, doesVideoChannelNameWithHostExist } from '../shared'
-import { CONFIG } from '@server/initializers/config'
 const videoChannelsAddValidator = [
  body('name').custom(isVideoChannelUsernameValid).withMessage('Should have a valid channel name'),
@@ -71,16 +70,10 @@ const videoChannelsUpdateValidator = [
 ]
 const videoChannelsRemoveValidator = [
-  param('nameWithHost').exists().withMessage('Should have an video channel name with host'),
  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking videoChannelsRemove parameters', { parameters: req.params })
-    if (areValidationErrors(req, res)) return
+    if (!await checkVideoChannelIsNotTheLastOne(res.locals.videoChannel, res)) return
-    if (!await doesVideoChannelNameWithHostExist(req.params.nameWithHost, res)) return
-    if (!checkUserCanDeleteVideoChannel(res.locals.oauth.token.User, res.locals.videoChannel, res)) return
-    if (!await checkVideoChannelIsNotTheLastOne(res)) return
    return next()
  }
@@ -100,14 +93,14 @@ const videoChannelsNameWithHostValidator = [
  }
 ]
-const localVideoChannelValidator = [
+const ensureIsLocalChannel = [
-  param('name').custom(isVideoChannelDisplayNameValid).withMessage('Should have a valid video channel name'),
+  (req: express.Request, res: express.Response, next: express.NextFunction) => {
+    if (res.locals.videoChannel.Actor.isOwned() === false) {
-  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
+      return res.fail({
-    logger.debug('Checking localVideoChannelValidator parameters', { parameters: req.params })
+        status: HttpStatusCode.FORBIDDEN_403,
+        message: 'This channel is not owned.'
-    if (areValidationErrors(req, res)) return
+      })
-    if (!await doesLocalVideoChannelNameExist(req.params.name, res)) return
+    }
    return next()
  }
@@ -144,38 +137,15 @@ export {
  videoChannelsUpdateValidator,
  videoChannelsRemoveValidator,
  videoChannelsNameWithHostValidator,
+  ensureIsLocalChannel,
  videoChannelsListValidator,
-  localVideoChannelValidator,
  videoChannelStatsValidator
 }
 // ---------------------------------------------------------------------------
-function checkUserCanDeleteVideoChannel (user: MUser, videoChannel: MChannelAccountDefault, res: express.Response) {
+async function checkVideoChannelIsNotTheLastOne (videoChannel: MChannelAccountDefault, res: express.Response) {
-  if (videoChannel.Actor.isOwned() === false) {
+  const count = await VideoChannelModel.countByAccount(videoChannel.Account.id)
-    res.fail({
-      status: HttpStatusCode.FORBIDDEN_403,
-      message: 'Cannot remove video channel of another server.'
-    })
-    return false
-  }
-  // Check if the user can delete the video channel
-  // The user can delete it if s/he is an admin
-  // Or if s/he is the video channel's account
-  if (user.hasRight(UserRight.REMOVE_ANY_VIDEO_CHANNEL) === false && videoChannel.Account.userId !== user.id) {
-    res.fail({
-      status: HttpStatusCode.FORBIDDEN_403,
-      message: 'Cannot remove video channel of another user'
-    })
-    return false
-  }
-  return true
-}
-async function checkVideoChannelIsNotTheLastOne (res: express.Response) {
-  const count = await VideoChannelModel.countByAccount(res.locals.oauth.token.User.Account.id)
  if (count <= 1) {
    res.fail({
author	kontrollanten <6680299+kontrollanten@users.noreply.github.com>	2021-12-13 15:29:13 +0100
committer	GitHub <noreply@github.com>	2021-12-13 15:29:13 +0100
commit	a37e9e74ff07b057370d1ed6c0b391a02be8a6d2 (patch)
tree	30d59e12518149a309bbd10bee1485f8be523c75 /server/middlewares
parent	11e520b50d791a0dd48cbb2d0fc681b25eb7cd53 (diff)
download	PeerTube-a37e9e74ff07b057370d1ed6c0b391a02be8a6d2.tar.gz PeerTube-a37e9e74ff07b057370d1ed6c0b391a02be8a6d2.tar.zst PeerTube-a37e9e74ff07b057370d1ed6c0b391a02be8a6d2.zip

diff --git a/server/middlewares/validators/shared/video-channels.ts b/server/middlewares/validators/shared/video-channels.ts index 7c0c89267..bed9f5dbe 100644 --- a/server/middlewares/validators/shared/video-channels.ts +++ b/server/middlewares/validators/shared/video-channels.ts
@@ -3,12 +3,6 @@ import { VideoChannelModel } from '@server/models/video/video-channel'
3	import { MChannelBannerAccountDefault } from '@server/types/models'	3	import { MChannelBannerAccountDefault } from '@server/types/models'
4	import { HttpStatusCode } from '@shared/models'	4	import { HttpStatusCode } from '@shared/models'
5		5
6	async function doesLocalVideoChannelNameExist (name: string, res: express.Response) {
7	const videoChannel = await VideoChannelModel.loadLocalByNameAndPopulateAccount(name)
8
9	return processVideoChannelExist(videoChannel, res)
10	}
11
12	async function doesVideoChannelIdExist (id: number, res: express.Response) {	6	async function doesVideoChannelIdExist (id: number, res: express.Response) {
13	const videoChannel = await VideoChannelModel.loadAndPopulateAccount(+id)	7	const videoChannel = await VideoChannelModel.loadAndPopulateAccount(+id)
14		8
@@ -24,7 +18,6 @@ async function doesVideoChannelNameWithHostExist (nameWithDomain: string, res: e
24	// ---------------------------------------------------------------------------	18	// ---------------------------------------------------------------------------
25		19
26	export {	20	export {
27	doesLocalVideoChannelNameExist,
28	doesVideoChannelIdExist,	21	doesVideoChannelIdExist,
29	doesVideoChannelNameWithHostExist	22	doesVideoChannelNameWithHostExist
30	}	23	}


diff --git a/server/middlewares/validators/users.ts b/server/middlewares/validators/users.ts index 33b31d54b..7a6b2ce57 100644 --- a/server/middlewares/validators/users.ts +++ b/server/middlewares/validators/users.ts
@@ -3,7 +3,7 @@ import { body, param, query } from 'express-validator'
3	import { omit } from 'lodash'	3	import { omit } from 'lodash'
4	import { Hooks } from '@server/lib/plugins/hooks'	4	import { Hooks } from '@server/lib/plugins/hooks'
5	import { MUserDefault } from '@server/types/models'	5	import { MUserDefault } from '@server/types/models'
6	import { HttpStatusCode, UserRegister, UserRole } from '@shared/models'	6	import { HttpStatusCode, UserRegister, UserRight, UserRole } from '@shared/models'
7	import { isBooleanValid, isIdValid, toBooleanOrNull, toIntOrNull } from '../../helpers/custom-validators/misc'	7	import { isBooleanValid, isIdValid, toBooleanOrNull, toIntOrNull } from '../../helpers/custom-validators/misc'
8	import { isThemeNameValid } from '../../helpers/custom-validators/plugins'	8	import { isThemeNameValid } from '../../helpers/custom-validators/plugins'
9	import {	9	import {
@@ -490,14 +490,17 @@ const ensureAuthUserOwnsAccountValidator = [
490	}	490	}
491	]	491	]
492		492
493	const ensureAuthUserOwnsChannelValidator = [	493	const ensureCanManageChannel = [
494	(req: express.Request, res: express.Response, next: express.NextFunction) => {	494	(req: express.Request, res: express.Response, next: express.NextFunction) => {
495	const user = res.locals.oauth.token.User	495	const user = res.locals.oauth.token.user
		496	const isUserOwner = res.locals.videoChannel.Account.userId === user.id
		497
		498	if (!isUserOwner && user.hasRight(UserRight.MANAGE_ANY_VIDEO_CHANNEL) === false) {
		499	const message = `User ${user.username} does not have right to manage channel ${req.params.nameWithHost}.`
496		500
497	if (res.locals.videoChannel.Account.userId !== user.id) {
498	return res.fail({	501	return res.fail({
499	status: HttpStatusCode.FORBIDDEN_403,	502	status: HttpStatusCode.FORBIDDEN_403,
500	message: 'Only owner of this video channel can access this ressource'	503	message
501	})	504	})
502	}	505	}
503		506
@@ -542,8 +545,8 @@ export {
542	usersVerifyEmailValidator,	545	usersVerifyEmailValidator,
543	userAutocompleteValidator,	546	userAutocompleteValidator,
544	ensureAuthUserOwnsAccountValidator,	547	ensureAuthUserOwnsAccountValidator,
545	ensureAuthUserOwnsChannelValidator,	548	ensureCanManageUser,
546	ensureCanManageUser	549	ensureCanManageChannel
547	}	550	}
548		551
549	// ---------------------------------------------------------------------------	552	// ---------------------------------------------------------------------------


diff --git a/server/middlewares/validators/videos/video-channels.ts b/server/middlewares/validators/videos/video-channels.ts index edce48c7f..3bfdebbb1 100644 --- a/server/middlewares/validators/videos/video-channels.ts +++ b/server/middlewares/validators/videos/video-channels.ts
@@ -1,7 +1,7 @@
1	import express from 'express'	1	import express from 'express'
2	import { body, param, query } from 'express-validator'	2	import { body, param, query } from 'express-validator'
3	import { MChannelAccountDefault, MUser } from '@server/types/models'	3	import { CONFIG } from '@server/initializers/config'
4	import { UserRight } from '../../../../shared'	4	import { MChannelAccountDefault } from '@server/types/models'
5	import { HttpStatusCode } from '../../../../shared/models/http/http-error-codes'	5	import { HttpStatusCode } from '../../../../shared/models/http/http-error-codes'
6	import { isBooleanValid, toBooleanOrNull } from '../../../helpers/custom-validators/misc'	6	import { isBooleanValid, toBooleanOrNull } from '../../../helpers/custom-validators/misc'
7	import {	7	import {
@@ -13,8 +13,7 @@ import {
13	import { logger } from '../../../helpers/logger'	13	import { logger } from '../../../helpers/logger'
14	import { ActorModel } from '../../../models/actor/actor'	14	import { ActorModel } from '../../../models/actor/actor'
15	import { VideoChannelModel } from '../../../models/video/video-channel'	15	import { VideoChannelModel } from '../../../models/video/video-channel'
16	import { areValidationErrors, doesLocalVideoChannelNameExist, doesVideoChannelNameWithHostExist } from '../shared'	16	import { areValidationErrors, doesVideoChannelNameWithHostExist } from '../shared'
17	import { CONFIG } from '@server/initializers/config'
18		17
19	const videoChannelsAddValidator = [	18	const videoChannelsAddValidator = [
20	body('name').custom(isVideoChannelUsernameValid).withMessage('Should have a valid channel name'),	19	body('name').custom(isVideoChannelUsernameValid).withMessage('Should have a valid channel name'),
@@ -71,16 +70,10 @@ const videoChannelsUpdateValidator = [
71	]	70	]
72		71
73	const videoChannelsRemoveValidator = [	72	const videoChannelsRemoveValidator = [
74	param('nameWithHost').exists().withMessage('Should have an video channel name with host'),
75
76	async (req: express.Request, res: express.Response, next: express.NextFunction) => {	73	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
77	logger.debug('Checking videoChannelsRemove parameters', { parameters: req.params })	74	logger.debug('Checking videoChannelsRemove parameters', { parameters: req.params })
78		75
79	if (areValidationErrors(req, res)) return	76	if (!await checkVideoChannelIsNotTheLastOne(res.locals.videoChannel, res)) return
80	if (!await doesVideoChannelNameWithHostExist(req.params.nameWithHost, res)) return
81
82	if (!checkUserCanDeleteVideoChannel(res.locals.oauth.token.User, res.locals.videoChannel, res)) return
83	if (!await checkVideoChannelIsNotTheLastOne(res)) return
84		77
85	return next()	78	return next()
86	}	79	}
@@ -100,14 +93,14 @@ const videoChannelsNameWithHostValidator = [
100	}	93	}
101	]	94	]
102		95
103	const localVideoChannelValidator = [	96	const ensureIsLocalChannel = [
104	param('name').custom(isVideoChannelDisplayNameValid).withMessage('Should have a valid video channel name'),	97	(req: express.Request, res: express.Response, next: express.NextFunction) => {
105		98	if (res.locals.videoChannel.Actor.isOwned() === false) {
106	async (req: express.Request, res: express.Response, next: express.NextFunction) => {	99	return res.fail({
107	logger.debug('Checking localVideoChannelValidator parameters', { parameters: req.params })	100	status: HttpStatusCode.FORBIDDEN_403,
108		101	message: 'This channel is not owned.'
109	if (areValidationErrors(req, res)) return	102	})
110	if (!await doesLocalVideoChannelNameExist(req.params.name, res)) return	103	}
111		104
112	return next()	105	return next()
113	}	106	}
@@ -144,38 +137,15 @@ export {
144	videoChannelsUpdateValidator,	137	videoChannelsUpdateValidator,
145	videoChannelsRemoveValidator,	138	videoChannelsRemoveValidator,
146	videoChannelsNameWithHostValidator,	139	videoChannelsNameWithHostValidator,
		140	ensureIsLocalChannel,
147	videoChannelsListValidator,	141	videoChannelsListValidator,
148	localVideoChannelValidator,
149	videoChannelStatsValidator	142	videoChannelStatsValidator
150	}	143	}
151		144
152	// ---------------------------------------------------------------------------	145	// ---------------------------------------------------------------------------
153		146
154	function checkUserCanDeleteVideoChannel (user: MUser, videoChannel: MChannelAccountDefault, res: express.Response) {	147	async function checkVideoChannelIsNotTheLastOne (videoChannel: MChannelAccountDefault, res: express.Response) {
155	if (videoChannel.Actor.isOwned() === false) {	148	const count = await VideoChannelModel.countByAccount(videoChannel.Account.id)
156	res.fail({
157	status: HttpStatusCode.FORBIDDEN_403,
158	message: 'Cannot remove video channel of another server.'
159	})
160	return false
161	}
162
163	// Check if the user can delete the video channel
164	// The user can delete it if s/he is an admin
165	// Or if s/he is the video channel's account
166	if (user.hasRight(UserRight.REMOVE_ANY_VIDEO_CHANNEL) === false && videoChannel.Account.userId !== user.id) {
167	res.fail({
168	status: HttpStatusCode.FORBIDDEN_403,
169	message: 'Cannot remove video channel of another user'
170	})
171	return false
172	}
173
174	return true
175	}
176
177	async function checkVideoChannelIsNotTheLastOne (res: express.Response) {
178	const count = await VideoChannelModel.countByAccount(res.locals.oauth.token.User.Account.id)
179		149
180	if (count <= 1) {	150	if (count <= 1) {
181	res.fail({	151	res.fail({