Merge branch 'release/1.4.0' into develop

3 files changed, 11 insertions, 6 deletions

diff --git a/server/lib/schedulers/videos-redundancy-scheduler.ts b/server/lib/schedulers/videos-redundancy-scheduler.ts
index d9018e606..21fe51156 100644
--- a/server/lib/schedulers/videos-redundancy-scheduler.ts
+++ b/server/lib/schedulers/videos-redundancy-scheduler.ts
@@ -200,7 +200,7 @@ export class VideosRedundancyScheduler extends AbstractScheduler {
     const tmpPath = await downloadWebTorrentVideo({ magnetUri }, VIDEO_IMPORT_TIMEOUT)
 
     const destPath = join(CONFIG.STORAGE.REDUNDANCY_DIR, video.getVideoFilename(file))
-    await move(tmpPath, destPath)
+    await move(tmpPath, destPath, { overwrite: true })
 
     const createdModel: MVideoRedundancyFileVideo = await VideoRedundancyModel.create({
       expiresOn: this.buildNewExpiration(redundancy.minLifetime),
diff --git a/server/middlewares/csp.ts b/server/middlewares/csp.ts
index d484b3021..d11d70790 100644
--- a/server/middlewares/csp.ts
+++ b/server/middlewares/csp.ts
@@ -7,8 +7,8 @@ const baseDirectives = Object.assign({},
     connectSrc: ['*', 'data:'],
     mediaSrc: ["'self'", 'https:', 'blob:'],
     fontSrc: ["'self'", 'data:'],
-    imgSrc: ["'self'", 'data:'],
-    scriptSrc: ["'self' 'unsafe-inline' 'unsafe-eval'"],
+    imgSrc: ["'self'", 'data:', 'blob:'],
+    scriptSrc: ["'self' 'unsafe-inline' 'unsafe-eval'", 'blob:'],
     styleSrc: ["'self' 'unsafe-inline'"],
     objectSrc: ["'none'"], // only define to allow plugins, else let defaultSrc 'none' block it
     formAction: ["'self'"],
diff --git a/server/middlewares/validators/users.ts b/server/middlewares/validators/users.ts
index 40dd0f0e9..d51bc27e6 100644
--- a/server/middlewares/validators/users.ts
+++ b/server/middlewares/validators/users.ts
@@ -39,7 +39,9 @@ const usersAddValidator = [
   body('email').isEmail().withMessage('Should have a valid email'),
   body('videoQuota').custom(isUserVideoQuotaValid).withMessage('Should have a valid user quota'),
   body('videoQuotaDaily').custom(isUserVideoQuotaDailyValid).withMessage('Should have a valid daily user quota'),
-  body('role').custom(isUserRoleValid).withMessage('Should have a valid role'),
+  body('role')
+    .customSanitizer(toIntOrNull)
+    .custom(isUserRoleValid).withMessage('Should have a valid role'),
   body('adminFlags').optional().custom(isUserAdminFlagsValid).withMessage('Should have a valid admin flags'),
 
   async (req: express.Request, res: express.Response, next: express.NextFunction) => {
@@ -51,7 +53,7 @@ const usersAddValidator = [
     const authUser = res.locals.oauth.token.User
     if (authUser.role !== UserRole.ADMINISTRATOR && req.body.role !== UserRole.USER) {
       return res.status(403)
-        .json({ error: 'You can only create users (and not administrators or moderators' })
+        .json({ error: 'You can only create users (and not administrators or moderators)' })
     }
 
     return next()
@@ -161,7 +163,10 @@ const usersUpdateValidator = [
   body('emailVerified').optional().isBoolean().withMessage('Should have a valid email verified attribute'),
   body('videoQuota').optional().custom(isUserVideoQuotaValid).withMessage('Should have a valid user quota'),
   body('videoQuotaDaily').optional().custom(isUserVideoQuotaDailyValid).withMessage('Should have a valid daily user quota'),
-  body('role').optional().custom(isUserRoleValid).withMessage('Should have a valid role'),
+  body('role')
+    .optional()
+    .customSanitizer(toIntOrNull)
+    .custom(isUserRoleValid).withMessage('Should have a valid role'),
   body('adminFlags').optional().custom(isUserAdminFlagsValid).withMessage('Should have a valid admin flags'),
 
   async (req: express.Request, res: express.Response, next: express.NextFunction) => {