authorGreen-Star <Green-Star@users.noreply.github.com>2017-04-26 21:22:10 +0200
committerBigard Florian <florian.bigard@gmail.com>2017-04-26 21:22:10 +0200
commit198b205c10dba362b9ae1ef6895b29d7e0dd685f (patch)
tree3be413139784f7445e775cbecccc6091a738360b /server
parent00871a261787ae1ed8446861ba2bd5eea9faca6d (diff)
Add ability for an administrator to remove any video (#61)
* Add ability for an admin to remove every video on the pod. * Server: add BlacklistedVideos relation. * Server: Insert in BlacklistedVideos relation upon deletion of a video. * Server: Modify BlacklistedVideos schema to add Pod id information. * Server: Moving insertion of a blacklisted video from the `afterDestroy` hook into the process of deletion of a video. To avoid inserting a video when it is removed on its origin pod. When a video is removed on its origin pod, the `afterDestroy` hook is fire, but no request is made on the delete('/:videoId') interface. Hence, we insert into `BlacklistedVideos` only on request on delete('/:videoId') (if requirements for insertion are met). * Server: Add removeVideoFromBlacklist hook on deletion of a video. We are going to proceed in another way :). We will add a new route : /:videoId/blacklist to blacklist a video. We do not blacklist a video upon its deletion now (to distinguish a video blacklist from a regular video delete) When we blacklist a video, the video remains in the DB, so we don't have any concern about its update. It just doesn't appear in the video list. When we remove a video, we then have to remove it from the blacklist too. We could also remove a video from the blacklist to 'unremove' it and make it appear again in the video list (will be another feature). * Server: Add handler for new route post(/:videoId/blacklist) * Client: Add isBlacklistable method * Client: Update isRemovableBy method. * Client: Move 'Delete video' feature from the video-list to the video-watch module. * Server: Exclude blacklisted videos from the video list * Server: Use findAll() in BlacklistedVideos.list() method * Server: Fix addVideoToBlacklist function. * Client: Add blacklist feature. * Server: Use JavaScript Standard Style. * Server: In checkUserCanDeleteVideo, move the callback call inside the db callback function * Server: Modify BlacklistVideo relation * Server: Modifiy Videos methods. 
* Server: Add checkVideoIsBlacklistable method * Server: Rewrite addVideoToBlacklist method * Server: Fix checkVideoIsBlacklistable method * Server: Add return to addVideoToBlacklist method
Diffstat (limited to 'server')
-rw-r--r--server/controllers/api/videos.js25
-rw-r--r--server/middlewares/validators/videos.js63
-rw-r--r--server/models/user.js8
-rw-r--r--server/models/video-blacklist.js89
-rw-r--r--server/models/video.js48
5 files changed, 212 insertions, 21 deletions
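--- a/server/controllers/api/videos.js
+++ b/server/controllers/api/videos.js
@@ -93,11 +93,13 @@ router.get('/:id',
  validatorsVideos.videosGet,
  getVideo
 )
+
 router.delete('/:id',
  oAuth.authenticate,
  validatorsVideos.videosRemove,
  removeVideo
 )
+
 router.get('/search/:value',
  validatorsVideos.videosSearch,
  validatorsPagination.pagination,
@@ -108,6 +110,13 @@ router.get('/search/:value',
  searchVideos
 )
 
+router.post('/:id/blacklist',
+ oAuth.authenticate,
+ admin.ensureIsAdmin,
+ validatorsVideos.videosBlacklist,
+ addVideoToBlacklist
+)
+
 // ---------------------------------------------------------------------------
 
 module.exports = router
@@ -622,3 +631,19 @@ function reportVideoAbuse (req, res, finalCallback) {
  return finalCallback(null)
  })
 }
+
+function addVideoToBlacklist (req, res, next) {
+ const videoInstance = res.locals.video
+
+ db.BlacklistedVideo.create({
+ videoId: videoInstance.id
+ })
+ .asCallback(function (err) {
+ if (err) {
+ logger.error('Errors when blacklisting video ', { error: err })
+ return next(err)
+ }
+
+ return res.type('json').status(204).end()
+ })
+}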
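Review bot: `addVideoToBlacklist` (new lines 635-649) treats every `create` failure as unexpected, so blacklisting a video that is already blacklisted trips the unique index on `videoId` declared in `server/models/video-blacklist.js` and goes to `next(err)`, presumably a 500, rather than a 409 or an idempotent 204. The handler also leaves no record of which administrator acted; a success-path line such as `logger.info('Video blacklisted.', { videoId: videoInstance.id, userId: res.locals.oauth.token.User.id })` would give the moderation action an audit trail, and the error log should carry the video id too. The new route references `admin.ensureIsAdmin`, but the `require` that brings `admin` into scope is outside the visible hunks, so confirm it exists in this file.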
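--- a/server/middlewares/validators/videos.js
+++ b/server/middlewares/validators/videos.js
@@ -15,7 +15,9 @@ const validatorsVideos = {
 
  videoAbuseReport,
 
- videoRate
+ videoRate,
+
+ videosBlacklist
 }
 
 function videosAdd (req, res, next) {
@@ -95,15 +97,10 @@ function videosRemove (req, res, next) {
  checkVideoExists(req.params.id, res, function () {
  // We need to make additional checks
 
- if (res.locals.video.isOwned() === false) {
- return res.status(403).send('Cannot remove video of another pod')
- }
-
- if (res.locals.video.Author.userId !== res.locals.oauth.token.User.id) {
- return res.status(403).send('Cannot remove video of another user')
- }
-
- next()
+ // Check if the user who did the request is able to delete the video
+ checkUserCanDeleteVideo(res.locals.oauth.token.User.id, res, function () {
+ next()
+ })
  })
  })
 }
@@ -159,3 +156,49 @@ function checkVideoExists (id, res, callback) {
  callback()
  })
 }
+
+function checkUserCanDeleteVideo (userId, res, callback) {
+ // Retrieve the user who did the request
+ db.User.loadById(userId, function (err, user) {
+ if (err) {
+ logger.error('Error in video request validator.', { error: err })
+ return res.sendStatus(500)
+ }
+
+ // Check if the user can delete the video
+ // The user can delete it if s/he an admin
+ // Or if s/he is the video's author
+ if (user.isAdmin() === false) {
+ if (res.locals.video.isOwned() === false) {
+ return res.status(403).send('Cannot remove video of another pod')
+ }
+
+ if (res.locals.video.Author.userId !== res.locals.oauth.token.User.id) {
+ return res.status(403).send('Cannot remove video of another user')
+ }
+ }
+
+ // If we reach this comment, we can delete the video
+ callback()
+ })
+}
+
+function checkVideoIsBlacklistable (req, res, callback) {
+ if (res.locals.video.isOwned() === true) {
+ return res.status(403).send('Cannot blacklist a local video')
+ }
+
+ callback()
+}
+
+function videosBlacklist (req, res, next) {
+ req.checkParams('id', 'Should have a valid id').notEmpty().isUUID(4)
+
+ logger.debug('Checking videosBlacklist parameters', { parameters: req.params })
+
+ checkErrors(req, res, function () {
+ checkVideoExists(req.params.id, res, function() {
+ checkVideoIsBlacklistable(req, res, next)
+ })
+ })
+}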
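Review bot: `checkUserCanDeleteVideo` (new lines 160-184) calls `user.isAdmin()` without checking that `db.User.loadById` returned a row; if the account behind a still-valid token has been deleted, `user` is presumably null and the validator throws instead of denying the request. Add `if (!user) return res.status(403).send('Cannot remove video: unknown user')` before the role check. The function also accepts `userId` but re-reads `res.locals.oauth.token.User.id` for the author comparison; using `userId` in both places keeps the identity checked for admin rights and the one compared against the author the same. Because the admin branch also skips the `isOwned()` check, the comment should state that administrators may remove videos that originate from other pods.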
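--- a/server/models/user.js
+++ b/server/models/user.js
@@ -79,7 +79,8 @@ module.exports = function (sequelize, DataTypes) {
  },
  instanceMethods: {
  isPasswordMatch,
- toFormatedJSON
+ toFormatedJSON,
+ isAdmin
  },
  hooks: {
  beforeCreate: beforeCreateOrUpdate,
@@ -117,6 +118,11 @@ function toFormatedJSON () {
  createdAt: this.createdAt
  }
 }
+
+function isAdmin () {
+ return this.role === constants.USER_ROLES.ADMIN
+}
+
 // ------------------------------ STATICS ------------------------------
 
 function associate (models) {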
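Review bot: `isAdmin` (new lines 122-124) is now the only predicate that lets `checkUserCanDeleteVideo` skip the ownership checks, yet it carries no comment stating its contract. Suggest adding `// True only when the stored role is exactly USER_ROLES.ADMIN; a missing or unloaded role yields false (fail closed).` above it. `constants` is not required in any visible hunk, so confirm it is already imported at the top of `server/models/user.js`.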
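--- /dev/null
+++ b/server/models/video-blacklist.js
@@ -0,0 +1,89 @@
+'use strict'
+
+const modelUtils = require('./utils')
+
+// ---------------------------------------------------------------------------
+
+module.exports = function (sequelize, DataTypes) {
+ const BlacklistedVideo = sequelize.define('BlacklistedVideo',
+ {},
+ {
+ indexes: [
+ {
+ fields: [ 'videoId' ],
+ unique: true
+ }
+ ],
+ classMethods: {
+ associate,
+
+ countTotal,
+ list,
+ listForApi,
+ loadById,
+ loadByVideoId
+ },
+ instanceMethods: {
+ toFormatedJSON
+ },
+ hooks: {}
+ }
+ )
+
+ return BlacklistedVideo
+}
+
+// ------------------------------ METHODS ------------------------------
+
+function toFormatedJSON () {
+ return {
+ id: this.id,
+ videoId: this.videoId,
+ createdAt: this.createdAt
+ }
+}
+
+// ------------------------------ STATICS ------------------------------
+
+function associate (models) {
+ this.belongsTo(models.Video, {
+ foreignKey: 'videoId',
+ onDelete: 'cascade'
+ })
+}
+
+function countTotal (callback) {
+ return this.count().asCallback(callback)
+}
+
+function list (callback) {
+ return this.findAll().asCallback(callback)
+}
+
+function listForApi (start, count, sort, callback) {
+ const query = {
+ offset: start,
+ limit: count,
+ order: [ modelUtils.getSort(sort) ]
+ }
+
+ return this.findAndCountAll(query).asCallback(function (err, result) {
+ if (err) return callback(err)
+
+ return callback(null, result.rows, result.count)
+ })
+}
+
+function loadById (id, callback) {
+ return this.findById(id).asCallback(callback)
+}
+
+function loadByVideoId (id, callback) {
+ const query = {
+ where: {
+ videoId: id
+ }
+ }
+
+ return this.find(query).asCallback(callback)
+}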
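Review bot: `associate` (new lines 48-53) declares the `videoId` foreign key without `allowNull: false`, and the model defines no attributes of its own, so nothing visible prevents a `BlacklistedVideos` row with a NULL `videoId`; the unique index would not stop it if the database treats NULLs as distinct, as PostgreSQL does. That matters because `server/models/video.js` filters with `id NOT IN (SELECT "BlacklistedVideos"."videoId" ...)`: a single NULL in that subquery makes the predicate unknown for every row, and the public video list comes back empty. Use `foreignKey: { name: 'videoId', allowNull: false }` in the `belongsTo` call. The row also stores no reference to the administrator who created it, so attribution of a blacklist entry depends entirely on logs.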
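--- a/server/models/video.js
+++ b/server/models/video.js
@@ -16,6 +16,7 @@ const logger = require('../helpers/logger')
 const friends = require('../lib/friends')
 const modelUtils = require('./utils')
 const customVideosValidators = require('../helpers/custom-validators').videos
+const db = require('../initializers/database')
 
 // ---------------------------------------------------------------------------
 
@@ -201,7 +202,8 @@ module.exports = function (sequelize, DataTypes) {
  isOwned,
  toFormatedJSON,
  toAddRemoteJSON,
- toUpdateRemoteJSON
+ toUpdateRemoteJSON,
+ removeFromBlacklist
  },
  hooks: {
  beforeValidate,
@@ -528,6 +530,7 @@ function list (callback) {
 }
 
 function listForApi (start, count, sort, callback) {
+ // Exclude Blakclisted videos from the list
  const query = {
  offset: start,
  limit: count,
@@ -540,7 +543,12 @@ function listForApi (start, count, sort, callback) {
  },
 
  this.sequelize.models.Tag
- ]
+ ],
+ where: {
+ id: { $notIn: this.sequelize.literal(
+ '(SELECT "BlacklistedVideos"."videoId" FROM "BlacklistedVideos")'
+ )}
+ }
  }
 
  return this.findAndCountAll(query).asCallback(function (err, result) {
@@ -648,7 +656,11 @@ function searchAndPopulateAuthorAndPodAndTags (value, field, start, count, sort,
  }
 
  const query = {
- where: {},
+ where: {
+ id: { $notIn: this.sequelize.literal(
+ '(SELECT "BlacklistedVideos"."videoId" FROM "BlacklistedVideos")'
+ )}
+ },
  offset: start,
  limit: count,
  distinct: true, // For the count, a video can have many tags
@@ -661,13 +673,9 @@ function searchAndPopulateAuthorAndPodAndTags (value, field, start, count, sort,
  query.where.infoHash = infoHash
  } else if (field === 'tags') {
  const escapedValue = this.sequelize.escape('%' + value + '%')
- query.where = {
- id: {
- $in: this.sequelize.literal(
- '(SELECT "VideoTags"."videoId" FROM "Tags" INNER JOIN "VideoTags" ON "Tags"."id" = "VideoTags"."tagId" WHERE name LIKE ' + escapedValue + ')'
- )
- }
- }
+ query.where.id.$in = this.sequelize.literal(
+ '(SELECT "VideoTags"."videoId" FROM "Tags" INNER JOIN "VideoTags" ON "Tags"."id" = "VideoTags"."tagId" WHERE name LIKE ' + escapedValue + ')'
+ )
  } else if (field === 'host') {
  // FIXME: Include our pod? (not stored in the database)
  podInclude.where = {
@@ -755,3 +763,23 @@ function generateImage (video, videoPath, folder, imageName, size, callback) {
  })
  .thumbnail(options)
 }
+
+function removeFromBlacklist (video, callback) {
+ // Find the blacklisted video
+ db.BlacklistedVideo.loadByVideoId(video.id, function (err, video) {
+ // If an error occured, stop here
+ if (err) {
+ logger.error('Error when fetching video from blacklist.', { error: err })
+
+ return callback(err)
+ }
+
+ // If we found the video, remove it from the blacklist
+ if (video) {
+ video.destroy().asCallback(callback)
+ } else {
+ // If haven't found it, simply ignore it and do nothing
+ return callback()
+ }
+ })
+}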
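Review bot: The blacklist filter is pasted as the same raw `$notIn` literal into `listForApi` and `searchAndPopulateAuthorAndPodAndTags` only; the loader behind `router.get('/:id', ..., getVideo)` is not touched by this commit, so a blacklisted video presumably stays reachable by direct id. If the blacklist is meant to hide content from users, filter that path too; otherwise replace the new comment in `listForApi` with `// Blacklisted videos are hidden from listings and search only; direct lookups still return them`. Keeping the subquery in one shared constant or helper would stop the two copies from drifting apart. `removeFromBlacklist` (new lines 767-785) is registered under `instanceMethods` yet takes the video as an argument, shadows it with the blacklist row inside the callback, and reaches the model through `require('../initializers/database')` rather than `this.sequelize.models` as the `Tag` include does. Nothing in the visible hunks calls it, and the `onDelete: 'cascade'` association in `video-blacklist.js` appears to cover the same cleanup.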