aboutsummaryrefslogtreecommitdiffhomepage
path: root/server/middlewares
diff options
context:
space:
mode:
authorkontrollanten <6680299+kontrollanten@users.noreply.github.com>2021-12-13 15:29:13 +0100
committerGitHub <noreply@github.com>2021-12-13 15:29:13 +0100
commita37e9e74ff07b057370d1ed6c0b391a02be8a6d2 (patch)
tree30d59e12518149a309bbd10bee1485f8be523c75 /server/middlewares
parent11e520b50d791a0dd48cbb2d0fc681b25eb7cd53 (diff)
downloadPeerTube-a37e9e74ff07b057370d1ed6c0b391a02be8a6d2.tar.gz
PeerTube-a37e9e74ff07b057370d1ed6c0b391a02be8a6d2.tar.zst
PeerTube-a37e9e74ff07b057370d1ed6c0b391a02be8a6d2.zip
Give moderators access to edit channels (#4608)
* give admins access to edit all channels closes #4598 * test(channels): +admin update another users channel * Fix tests * fix(server): delete another users channel Since the channel owner isn't necessary the auth user we need to check the right account whether it's the last video or not. * REMOVE_ANY_VIDEO_CHANNEL > MANAGE_ANY_VIDEO_CHANNEL Merge REMOVE_ANY_VIDEO_CHANNEL and MANY_VIDEO_CHANNELS to MANAGE_ANY_VIDEO_CHANNEL. * user-right: moderator can't manage admins channel * client: MyVideoChannelCreateComponent > VideoChannelCreateComponent * client: MyVideoChannelEdit > VideoChannelEdit * Revert "user-right: moderator can't manage admins channel" This reverts commit 2c627c154e2bfe6af2e0f45efb27faf4117572f3. * server: clean dupl validator functionality * fix ensureUserCanManageChannel usage It's not async anymore. * server: merge channel validator middleares ensureAuthUserOwnsChannelValidator & ensureUserCanManageChannel gets merged into one middleware. * client(VideoChannelEdit): redirect to prev route * fix(VideoChannels): handle anon users * client: new routes for create/update channel * Refactor channel validators Co-authored-by: Chocobozzz <me@florianbigard.com>
Diffstat (limited to 'server/middlewares')
-rw-r--r--server/middlewares/validators/shared/video-channels.ts7
-rw-r--r--server/middlewares/validators/users.ts17
-rw-r--r--server/middlewares/validators/videos/video-channels.ts60
3 files changed, 25 insertions, 59 deletions
diff --git a/server/middlewares/validators/shared/video-channels.ts b/server/middlewares/validators/shared/video-channels.ts
index 7c0c89267..bed9f5dbe 100644
--- a/server/middlewares/validators/shared/video-channels.ts
+++ b/server/middlewares/validators/shared/video-channels.ts
@@ -3,12 +3,6 @@ import { VideoChannelModel } from '@server/models/video/video-channel'
3import { MChannelBannerAccountDefault } from '@server/types/models' 3import { MChannelBannerAccountDefault } from '@server/types/models'
4import { HttpStatusCode } from '@shared/models' 4import { HttpStatusCode } from '@shared/models'
5 5
6async function doesLocalVideoChannelNameExist (name: string, res: express.Response) {
7 const videoChannel = await VideoChannelModel.loadLocalByNameAndPopulateAccount(name)
8
9 return processVideoChannelExist(videoChannel, res)
10}
11
12async function doesVideoChannelIdExist (id: number, res: express.Response) { 6async function doesVideoChannelIdExist (id: number, res: express.Response) {
13 const videoChannel = await VideoChannelModel.loadAndPopulateAccount(+id) 7 const videoChannel = await VideoChannelModel.loadAndPopulateAccount(+id)
14 8
@@ -24,7 +18,6 @@ async function doesVideoChannelNameWithHostExist (nameWithDomain: string, res: e
24// --------------------------------------------------------------------------- 18// ---------------------------------------------------------------------------
25 19
26export { 20export {
27 doesLocalVideoChannelNameExist,
28 doesVideoChannelIdExist, 21 doesVideoChannelIdExist,
29 doesVideoChannelNameWithHostExist 22 doesVideoChannelNameWithHostExist
30} 23}
diff --git a/server/middlewares/validators/users.ts b/server/middlewares/validators/users.ts
index 33b31d54b..7a6b2ce57 100644
--- a/server/middlewares/validators/users.ts
+++ b/server/middlewares/validators/users.ts
@@ -3,7 +3,7 @@ import { body, param, query } from 'express-validator'
3import { omit } from 'lodash' 3import { omit } from 'lodash'
4import { Hooks } from '@server/lib/plugins/hooks' 4import { Hooks } from '@server/lib/plugins/hooks'
5import { MUserDefault } from '@server/types/models' 5import { MUserDefault } from '@server/types/models'
6import { HttpStatusCode, UserRegister, UserRole } from '@shared/models' 6import { HttpStatusCode, UserRegister, UserRight, UserRole } from '@shared/models'
7import { isBooleanValid, isIdValid, toBooleanOrNull, toIntOrNull } from '../../helpers/custom-validators/misc' 7import { isBooleanValid, isIdValid, toBooleanOrNull, toIntOrNull } from '../../helpers/custom-validators/misc'
8import { isThemeNameValid } from '../../helpers/custom-validators/plugins' 8import { isThemeNameValid } from '../../helpers/custom-validators/plugins'
9import { 9import {
@@ -490,14 +490,17 @@ const ensureAuthUserOwnsAccountValidator = [
490 } 490 }
491] 491]
492 492
493const ensureAuthUserOwnsChannelValidator = [ 493const ensureCanManageChannel = [
494 (req: express.Request, res: express.Response, next: express.NextFunction) => { 494 (req: express.Request, res: express.Response, next: express.NextFunction) => {
495 const user = res.locals.oauth.token.User 495 const user = res.locals.oauth.token.user
496 const isUserOwner = res.locals.videoChannel.Account.userId === user.id
497
498 if (!isUserOwner && user.hasRight(UserRight.MANAGE_ANY_VIDEO_CHANNEL) === false) {
499 const message = `User ${user.username} does not have right to manage channel ${req.params.nameWithHost}.`
496 500
497 if (res.locals.videoChannel.Account.userId !== user.id) {
498 return res.fail({ 501 return res.fail({
499 status: HttpStatusCode.FORBIDDEN_403, 502 status: HttpStatusCode.FORBIDDEN_403,
500 message: 'Only owner of this video channel can access this ressource' 503 message
501 }) 504 })
502 } 505 }
503 506
@@ -542,8 +545,8 @@ export {
542 usersVerifyEmailValidator, 545 usersVerifyEmailValidator,
543 userAutocompleteValidator, 546 userAutocompleteValidator,
544 ensureAuthUserOwnsAccountValidator, 547 ensureAuthUserOwnsAccountValidator,
545 ensureAuthUserOwnsChannelValidator, 548 ensureCanManageUser,
546 ensureCanManageUser 549 ensureCanManageChannel
547} 550}
548 551
549// --------------------------------------------------------------------------- 552// ---------------------------------------------------------------------------
diff --git a/server/middlewares/validators/videos/video-channels.ts b/server/middlewares/validators/videos/video-channels.ts
index edce48c7f..3bfdebbb1 100644
--- a/server/middlewares/validators/videos/video-channels.ts
+++ b/server/middlewares/validators/videos/video-channels.ts
@@ -1,7 +1,7 @@
1import express from 'express' 1import express from 'express'
2import { body, param, query } from 'express-validator' 2import { body, param, query } from 'express-validator'
3import { MChannelAccountDefault, MUser } from '@server/types/models' 3import { CONFIG } from '@server/initializers/config'
4import { UserRight } from '../../../../shared' 4import { MChannelAccountDefault } from '@server/types/models'
5import { HttpStatusCode } from '../../../../shared/models/http/http-error-codes' 5import { HttpStatusCode } from '../../../../shared/models/http/http-error-codes'
6import { isBooleanValid, toBooleanOrNull } from '../../../helpers/custom-validators/misc' 6import { isBooleanValid, toBooleanOrNull } from '../../../helpers/custom-validators/misc'
7import { 7import {
@@ -13,8 +13,7 @@ import {
13import { logger } from '../../../helpers/logger' 13import { logger } from '../../../helpers/logger'
14import { ActorModel } from '../../../models/actor/actor' 14import { ActorModel } from '../../../models/actor/actor'
15import { VideoChannelModel } from '../../../models/video/video-channel' 15import { VideoChannelModel } from '../../../models/video/video-channel'
16import { areValidationErrors, doesLocalVideoChannelNameExist, doesVideoChannelNameWithHostExist } from '../shared' 16import { areValidationErrors, doesVideoChannelNameWithHostExist } from '../shared'
17import { CONFIG } from '@server/initializers/config'
18 17
19const videoChannelsAddValidator = [ 18const videoChannelsAddValidator = [
20 body('name').custom(isVideoChannelUsernameValid).withMessage('Should have a valid channel name'), 19 body('name').custom(isVideoChannelUsernameValid).withMessage('Should have a valid channel name'),
@@ -71,16 +70,10 @@ const videoChannelsUpdateValidator = [
71] 70]
72 71
73const videoChannelsRemoveValidator = [ 72const videoChannelsRemoveValidator = [
74 param('nameWithHost').exists().withMessage('Should have an video channel name with host'),
75
76 async (req: express.Request, res: express.Response, next: express.NextFunction) => { 73 async (req: express.Request, res: express.Response, next: express.NextFunction) => {
77 logger.debug('Checking videoChannelsRemove parameters', { parameters: req.params }) 74 logger.debug('Checking videoChannelsRemove parameters', { parameters: req.params })
78 75
79 if (areValidationErrors(req, res)) return 76 if (!await checkVideoChannelIsNotTheLastOne(res.locals.videoChannel, res)) return
80 if (!await doesVideoChannelNameWithHostExist(req.params.nameWithHost, res)) return
81
82 if (!checkUserCanDeleteVideoChannel(res.locals.oauth.token.User, res.locals.videoChannel, res)) return
83 if (!await checkVideoChannelIsNotTheLastOne(res)) return
84 77
85 return next() 78 return next()
86 } 79 }
@@ -100,14 +93,14 @@ const videoChannelsNameWithHostValidator = [
100 } 93 }
101] 94]
102 95
103const localVideoChannelValidator = [ 96const ensureIsLocalChannel = [
104 param('name').custom(isVideoChannelDisplayNameValid).withMessage('Should have a valid video channel name'), 97 (req: express.Request, res: express.Response, next: express.NextFunction) => {
105 98 if (res.locals.videoChannel.Actor.isOwned() === false) {
106 async (req: express.Request, res: express.Response, next: express.NextFunction) => { 99 return res.fail({
107 logger.debug('Checking localVideoChannelValidator parameters', { parameters: req.params }) 100 status: HttpStatusCode.FORBIDDEN_403,
108 101 message: 'This channel is not owned.'
109 if (areValidationErrors(req, res)) return 102 })
110 if (!await doesLocalVideoChannelNameExist(req.params.name, res)) return 103 }
111 104
112 return next() 105 return next()
113 } 106 }
@@ -144,38 +137,15 @@ export {
144 videoChannelsUpdateValidator, 137 videoChannelsUpdateValidator,
145 videoChannelsRemoveValidator, 138 videoChannelsRemoveValidator,
146 videoChannelsNameWithHostValidator, 139 videoChannelsNameWithHostValidator,
140 ensureIsLocalChannel,
147 videoChannelsListValidator, 141 videoChannelsListValidator,
148 localVideoChannelValidator,
149 videoChannelStatsValidator 142 videoChannelStatsValidator
150} 143}
151 144
152// --------------------------------------------------------------------------- 145// ---------------------------------------------------------------------------
153 146
154function checkUserCanDeleteVideoChannel (user: MUser, videoChannel: MChannelAccountDefault, res: express.Response) { 147async function checkVideoChannelIsNotTheLastOne (videoChannel: MChannelAccountDefault, res: express.Response) {
155 if (videoChannel.Actor.isOwned() === false) { 148 const count = await VideoChannelModel.countByAccount(videoChannel.Account.id)
156 res.fail({
157 status: HttpStatusCode.FORBIDDEN_403,
158 message: 'Cannot remove video channel of another server.'
159 })
160 return false
161 }
162
163 // Check if the user can delete the video channel
164 // The user can delete it if s/he is an admin
165 // Or if s/he is the video channel's account
166 if (user.hasRight(UserRight.REMOVE_ANY_VIDEO_CHANNEL) === false && videoChannel.Account.userId !== user.id) {
167 res.fail({
168 status: HttpStatusCode.FORBIDDEN_403,
169 message: 'Cannot remove video channel of another user'
170 })
171 return false
172 }
173
174 return true
175}
176
177async function checkVideoChannelIsNotTheLastOne (res: express.Response) {
178 const count = await VideoChannelModel.countByAccount(res.locals.oauth.token.User.Account.id)
179 149
180 if (count <= 1) { 150 if (count <= 1) {
181 res.fail({ 151 res.fail({