diff options
author | Chocobozzz <me@florianbigard.com> | 2022-09-07 17:18:29 +0200 |
---|---|---|
committer | Chocobozzz <me@florianbigard.com> | 2022-09-08 08:41:48 +0200 |
commit | d4d9bbc6f24522f5d63b0ab105a02f80ca98d702 (patch) | |
tree | 9e7e5e5170cea36a489f6c988df892a34c886937 /server/middlewares | |
parent | 8b69f9f02879ee3cf72bc9d4aa96cc71f18e6eea (diff) | |
download | PeerTube-d4d9bbc6f24522f5d63b0ab105a02f80ca98d702.tar.gz PeerTube-d4d9bbc6f24522f5d63b0ab105a02f80ca98d702.tar.zst PeerTube-d4d9bbc6f24522f5d63b0ab105a02f80ca98d702.zip |
Fix channel sync right check
Diffstat (limited to 'server/middlewares')
-rw-r--r-- | server/middlewares/validators/users.ts | 15 |
1 files changed, 8 insertions, 7 deletions
diff --git a/server/middlewares/validators/users.ts b/server/middlewares/validators/users.ts index 282034f6d..2de5265fb 100644 --- a/server/middlewares/validators/users.ts +++ b/server/middlewares/validators/users.ts | |||
@@ -507,13 +507,14 @@ const ensureAuthUserOwnsAccountValidator = [ | |||
507 | } | 507 | } |
508 | ] | 508 | ] |
509 | 509 | ||
510 | const ensureCanManageChannel = [ | 510 | const ensureCanManageChannelOrAccount = [ |
511 | (req: express.Request, res: express.Response, next: express.NextFunction) => { | 511 | (req: express.Request, res: express.Response, next: express.NextFunction) => { |
512 | const user = res.locals.oauth.token.user | 512 | const user = res.locals.oauth.token.user |
513 | const isUserOwner = res.locals.videoChannel.Account.userId === user.id | 513 | const account = res.locals.videoChannel?.Account ?? res.locals.account |
514 | const isUserOwner = account.userId === user.id | ||
514 | 515 | ||
515 | if (!isUserOwner && user.hasRight(UserRight.MANAGE_ANY_VIDEO_CHANNEL) === false) { | 516 | if (!isUserOwner && user.hasRight(UserRight.MANAGE_ANY_VIDEO_CHANNEL) === false) { |
516 | const message = `User ${user.username} does not have right to manage channel ${req.params.nameWithHost}.` | 517 | const message = `User ${user.username} does not have right this channel or account.` |
517 | 518 | ||
518 | return res.fail({ | 519 | return res.fail({ |
519 | status: HttpStatusCode.FORBIDDEN_403, | 520 | status: HttpStatusCode.FORBIDDEN_403, |
@@ -525,7 +526,7 @@ const ensureCanManageChannel = [ | |||
525 | } | 526 | } |
526 | ] | 527 | ] |
527 | 528 | ||
528 | const ensureCanManageUser = [ | 529 | const ensureCanModerateUser = [ |
529 | (req: express.Request, res: express.Response, next: express.NextFunction) => { | 530 | (req: express.Request, res: express.Response, next: express.NextFunction) => { |
530 | const authUser = res.locals.oauth.token.User | 531 | const authUser = res.locals.oauth.token.User |
531 | const onUser = res.locals.user | 532 | const onUser = res.locals.user |
@@ -535,7 +536,7 @@ const ensureCanManageUser = [ | |||
535 | 536 | ||
536 | return res.fail({ | 537 | return res.fail({ |
537 | status: HttpStatusCode.FORBIDDEN_403, | 538 | status: HttpStatusCode.FORBIDDEN_403, |
538 | message: 'A moderator can only manager users.' | 539 | message: 'A moderator can only manage users.' |
539 | }) | 540 | }) |
540 | } | 541 | } |
541 | ] | 542 | ] |
@@ -562,8 +563,8 @@ export { | |||
562 | usersVerifyEmailValidator, | 563 | usersVerifyEmailValidator, |
563 | userAutocompleteValidator, | 564 | userAutocompleteValidator, |
564 | ensureAuthUserOwnsAccountValidator, | 565 | ensureAuthUserOwnsAccountValidator, |
565 | ensureCanManageUser, | 566 | ensureCanModerateUser, |
566 | ensureCanManageChannel | 567 | ensureCanManageChannelOrAccount |
567 | } | 568 | } |
568 | 569 | ||
569 | // --------------------------------------------------------------------------- | 570 | // --------------------------------------------------------------------------- |