diff options
author | Chocobozzz <florian.bigard@gmail.com> | 2017-10-27 16:55:03 +0200 |
---|---|---|
committer | Chocobozzz <florian.bigard@gmail.com> | 2017-10-27 16:55:03 +0200 |
commit | 954605a804da399317ca62afa2fb9244afa11ebf (patch) | |
tree | de6ee69280bfb928bc01c29430e13d5b820e921a /server | |
parent | e02573ad67626210ed279bad321ee139094921a1 (diff) | |
download | PeerTube-954605a804da399317ca62afa2fb9244afa11ebf.tar.gz PeerTube-954605a804da399317ca62afa2fb9244afa11ebf.tar.zst PeerTube-954605a804da399317ca62afa2fb9244afa11ebf.zip |
Support roles with rights and add moderator role
Diffstat (limited to 'server')
-rw-r--r-- | server/controllers/api/pods.ts | 9 | ||||
-rw-r--r-- | server/controllers/api/request-schedulers.ts | 6 | ||||
-rw-r--r-- | server/controllers/api/users.ts | 20 | ||||
-rw-r--r-- | server/controllers/api/videos/abuse.ts | 6 | ||||
-rw-r--r-- | server/controllers/api/videos/blacklist.ts | 10 | ||||
-rw-r--r-- | server/helpers/custom-validators/users.ts | 11 | ||||
-rw-r--r-- | server/initializers/constants.ts | 13 | ||||
-rw-r--r-- | server/initializers/installer.ts | 5 | ||||
-rw-r--r-- | server/initializers/migrations/0085-user-role.ts | 39 | ||||
-rw-r--r-- | server/middlewares/admin.ts | 20 | ||||
-rw-r--r-- | server/middlewares/index.ts | 2 | ||||
-rw-r--r-- | server/middlewares/user-right.ts | 24 | ||||
-rw-r--r-- | server/middlewares/validators/users.ts | 5 | ||||
-rw-r--r-- | server/middlewares/validators/video-channels.ts | 6 | ||||
-rw-r--r-- | server/middlewares/validators/videos.ts | 3 | ||||
-rw-r--r-- | server/models/user/user-interface.ts | 9 | ||||
-rw-r--r-- | server/models/user/user.ts | 29 |
17 files changed, 133 insertions, 84 deletions
diff --git a/server/controllers/api/pods.ts b/server/controllers/api/pods.ts index bf1b744e5..b44cd6b83 100644 --- a/server/controllers/api/pods.ts +++ b/server/controllers/api/pods.ts | |||
@@ -9,7 +9,7 @@ import { | |||
9 | } from '../../lib' | 9 | } from '../../lib' |
10 | import { | 10 | import { |
11 | authenticate, | 11 | authenticate, |
12 | ensureIsAdmin, | 12 | ensureUserHasRight, |
13 | makeFriendsValidator, | 13 | makeFriendsValidator, |
14 | setBodyHostsPort, | 14 | setBodyHostsPort, |
15 | podRemoveValidator, | 15 | podRemoveValidator, |
@@ -20,6 +20,7 @@ import { | |||
20 | asyncMiddleware | 20 | asyncMiddleware |
21 | } from '../../middlewares' | 21 | } from '../../middlewares' |
22 | import { PodInstance } from '../../models' | 22 | import { PodInstance } from '../../models' |
23 | import { UserRight } from '../../../shared' | ||
23 | 24 | ||
24 | const podsRouter = express.Router() | 25 | const podsRouter = express.Router() |
25 | 26 | ||
@@ -32,19 +33,19 @@ podsRouter.get('/', | |||
32 | ) | 33 | ) |
33 | podsRouter.post('/make-friends', | 34 | podsRouter.post('/make-friends', |
34 | authenticate, | 35 | authenticate, |
35 | ensureIsAdmin, | 36 | ensureUserHasRight(UserRight.MANAGE_PODS), |
36 | makeFriendsValidator, | 37 | makeFriendsValidator, |
37 | setBodyHostsPort, | 38 | setBodyHostsPort, |
38 | asyncMiddleware(makeFriendsController) | 39 | asyncMiddleware(makeFriendsController) |
39 | ) | 40 | ) |
40 | podsRouter.get('/quit-friends', | 41 | podsRouter.get('/quit-friends', |
41 | authenticate, | 42 | authenticate, |
42 | ensureIsAdmin, | 43 | ensureUserHasRight(UserRight.MANAGE_PODS), |
43 | asyncMiddleware(quitFriendsController) | 44 | asyncMiddleware(quitFriendsController) |
44 | ) | 45 | ) |
45 | podsRouter.delete('/:id', | 46 | podsRouter.delete('/:id', |
46 | authenticate, | 47 | authenticate, |
47 | ensureIsAdmin, | 48 | ensureUserHasRight(UserRight.MANAGE_PODS), |
48 | podRemoveValidator, | 49 | podRemoveValidator, |
49 | asyncMiddleware(removeFriendController) | 50 | asyncMiddleware(removeFriendController) |
50 | ) | 51 | ) |
diff --git a/server/controllers/api/request-schedulers.ts b/server/controllers/api/request-schedulers.ts index 28f46f3ee..4c8fbe18b 100644 --- a/server/controllers/api/request-schedulers.ts +++ b/server/controllers/api/request-schedulers.ts | |||
@@ -7,14 +7,14 @@ import { | |||
7 | getRequestVideoQaduScheduler, | 7 | getRequestVideoQaduScheduler, |
8 | getRequestVideoEventScheduler | 8 | getRequestVideoEventScheduler |
9 | } from '../../lib' | 9 | } from '../../lib' |
10 | import { authenticate, ensureIsAdmin, asyncMiddleware } from '../../middlewares' | 10 | import { authenticate, ensureUserHasRight, asyncMiddleware } from '../../middlewares' |
11 | import { RequestSchedulerStatsAttributes } from '../../../shared' | 11 | import { RequestSchedulerStatsAttributes, UserRight } from '../../../shared' |
12 | 12 | ||
13 | const requestSchedulerRouter = express.Router() | 13 | const requestSchedulerRouter = express.Router() |
14 | 14 | ||
15 | requestSchedulerRouter.get('/stats', | 15 | requestSchedulerRouter.get('/stats', |
16 | authenticate, | 16 | authenticate, |
17 | ensureIsAdmin, | 17 | ensureUserHasRight(UserRight.MANAGE_REQUEST_SCHEDULERS), |
18 | asyncMiddleware(getRequestSchedulersStats) | 18 | asyncMiddleware(getRequestSchedulersStats) |
19 | ) | 19 | ) |
20 | 20 | ||
diff --git a/server/controllers/api/users.ts b/server/controllers/api/users.ts index 18a094f03..fdc9b0c87 100644 --- a/server/controllers/api/users.ts +++ b/server/controllers/api/users.ts | |||
@@ -1,11 +1,10 @@ | |||
1 | import * as express from 'express' | 1 | import * as express from 'express' |
2 | 2 | ||
3 | import { database as db } from '../../initializers/database' | 3 | import { database as db, CONFIG } from '../../initializers' |
4 | import { USER_ROLES, CONFIG } from '../../initializers' | ||
5 | import { logger, getFormattedObjects, retryTransactionWrapper } from '../../helpers' | 4 | import { logger, getFormattedObjects, retryTransactionWrapper } from '../../helpers' |
6 | import { | 5 | import { |
7 | authenticate, | 6 | authenticate, |
8 | ensureIsAdmin, | 7 | ensureUserHasRight, |
9 | ensureUserRegistrationAllowed, | 8 | ensureUserRegistrationAllowed, |
10 | usersAddValidator, | 9 | usersAddValidator, |
11 | usersRegisterValidator, | 10 | usersRegisterValidator, |
@@ -25,7 +24,9 @@ import { | |||
25 | UserVideoRate as FormattedUserVideoRate, | 24 | UserVideoRate as FormattedUserVideoRate, |
26 | UserCreate, | 25 | UserCreate, |
27 | UserUpdate, | 26 | UserUpdate, |
28 | UserUpdateMe | 27 | UserUpdateMe, |
28 | UserRole, | ||
29 | UserRight | ||
29 | } from '../../../shared' | 30 | } from '../../../shared' |
30 | import { createUserAuthorAndChannel } from '../../lib' | 31 | import { createUserAuthorAndChannel } from '../../lib' |
31 | import { UserInstance } from '../../models' | 32 | import { UserInstance } from '../../models' |
@@ -58,7 +59,7 @@ usersRouter.get('/:id', | |||
58 | 59 | ||
59 | usersRouter.post('/', | 60 | usersRouter.post('/', |
60 | authenticate, | 61 | authenticate, |
61 | ensureIsAdmin, | 62 | ensureUserHasRight(UserRight.MANAGE_USERS), |
62 | usersAddValidator, | 63 | usersAddValidator, |
63 | createUserRetryWrapper | 64 | createUserRetryWrapper |
64 | ) | 65 | ) |
@@ -77,14 +78,14 @@ usersRouter.put('/me', | |||
77 | 78 | ||
78 | usersRouter.put('/:id', | 79 | usersRouter.put('/:id', |
79 | authenticate, | 80 | authenticate, |
80 | ensureIsAdmin, | 81 | ensureUserHasRight(UserRight.MANAGE_USERS), |
81 | usersUpdateValidator, | 82 | usersUpdateValidator, |
82 | asyncMiddleware(updateUser) | 83 | asyncMiddleware(updateUser) |
83 | ) | 84 | ) |
84 | 85 | ||
85 | usersRouter.delete('/:id', | 86 | usersRouter.delete('/:id', |
86 | authenticate, | 87 | authenticate, |
87 | ensureIsAdmin, | 88 | ensureUserHasRight(UserRight.MANAGE_USERS), |
88 | usersRemoveValidator, | 89 | usersRemoveValidator, |
89 | asyncMiddleware(removeUser) | 90 | asyncMiddleware(removeUser) |
90 | ) | 91 | ) |
@@ -119,7 +120,7 @@ async function createUser (req: express.Request, res: express.Response, next: ex | |||
119 | password: body.password, | 120 | password: body.password, |
120 | email: body.email, | 121 | email: body.email, |
121 | displayNSFW: false, | 122 | displayNSFW: false, |
122 | role: USER_ROLES.USER, | 123 | role: body.role, |
123 | videoQuota: body.videoQuota | 124 | videoQuota: body.videoQuota |
124 | }) | 125 | }) |
125 | 126 | ||
@@ -136,7 +137,7 @@ async function registerUser (req: express.Request, res: express.Response, next: | |||
136 | password: body.password, | 137 | password: body.password, |
137 | email: body.email, | 138 | email: body.email, |
138 | displayNSFW: false, | 139 | displayNSFW: false, |
139 | role: USER_ROLES.USER, | 140 | role: UserRole.USER, |
140 | videoQuota: CONFIG.USER.VIDEO_QUOTA | 141 | videoQuota: CONFIG.USER.VIDEO_QUOTA |
141 | }) | 142 | }) |
142 | 143 | ||
@@ -203,6 +204,7 @@ async function updateUser (req: express.Request, res: express.Response, next: ex | |||
203 | 204 | ||
204 | if (body.email !== undefined) user.email = body.email | 205 | if (body.email !== undefined) user.email = body.email |
205 | if (body.videoQuota !== undefined) user.videoQuota = body.videoQuota | 206 | if (body.videoQuota !== undefined) user.videoQuota = body.videoQuota |
207 | if (body.role !== undefined) user.role = body.role | ||
206 | 208 | ||
207 | await user.save() | 209 | await user.save() |
208 | 210 | ||
diff --git a/server/controllers/api/videos/abuse.ts b/server/controllers/api/videos/abuse.ts index 4c7abf395..04349042b 100644 --- a/server/controllers/api/videos/abuse.ts +++ b/server/controllers/api/videos/abuse.ts | |||
@@ -9,7 +9,7 @@ import { | |||
9 | } from '../../../helpers' | 9 | } from '../../../helpers' |
10 | import { | 10 | import { |
11 | authenticate, | 11 | authenticate, |
12 | ensureIsAdmin, | 12 | ensureUserHasRight, |
13 | paginationValidator, | 13 | paginationValidator, |
14 | videoAbuseReportValidator, | 14 | videoAbuseReportValidator, |
15 | videoAbusesSortValidator, | 15 | videoAbusesSortValidator, |
@@ -18,13 +18,13 @@ import { | |||
18 | asyncMiddleware | 18 | asyncMiddleware |
19 | } from '../../../middlewares' | 19 | } from '../../../middlewares' |
20 | import { VideoInstance } from '../../../models' | 20 | import { VideoInstance } from '../../../models' |
21 | import { VideoAbuseCreate } from '../../../../shared' | 21 | import { VideoAbuseCreate, UserRight } from '../../../../shared' |
22 | 22 | ||
23 | const abuseVideoRouter = express.Router() | 23 | const abuseVideoRouter = express.Router() |
24 | 24 | ||
25 | abuseVideoRouter.get('/abuse', | 25 | abuseVideoRouter.get('/abuse', |
26 | authenticate, | 26 | authenticate, |
27 | ensureIsAdmin, | 27 | ensureUserHasRight(UserRight.MANAGE_VIDEO_ABUSES), |
28 | paginationValidator, | 28 | paginationValidator, |
29 | videoAbusesSortValidator, | 29 | videoAbusesSortValidator, |
30 | setVideoAbusesSort, | 30 | setVideoAbusesSort, |
diff --git a/server/controllers/api/videos/blacklist.ts b/server/controllers/api/videos/blacklist.ts index 5a2c3fd80..be7cf6ea4 100644 --- a/server/controllers/api/videos/blacklist.ts +++ b/server/controllers/api/videos/blacklist.ts | |||
@@ -4,7 +4,7 @@ import { database as db } from '../../../initializers' | |||
4 | import { logger, getFormattedObjects } from '../../../helpers' | 4 | import { logger, getFormattedObjects } from '../../../helpers' |
5 | import { | 5 | import { |
6 | authenticate, | 6 | authenticate, |
7 | ensureIsAdmin, | 7 | ensureUserHasRight, |
8 | videosBlacklistAddValidator, | 8 | videosBlacklistAddValidator, |
9 | videosBlacklistRemoveValidator, | 9 | videosBlacklistRemoveValidator, |
10 | paginationValidator, | 10 | paginationValidator, |
@@ -14,20 +14,20 @@ import { | |||
14 | asyncMiddleware | 14 | asyncMiddleware |
15 | } from '../../../middlewares' | 15 | } from '../../../middlewares' |
16 | import { BlacklistedVideoInstance } from '../../../models' | 16 | import { BlacklistedVideoInstance } from '../../../models' |
17 | import { BlacklistedVideo } from '../../../../shared' | 17 | import { BlacklistedVideo, UserRight } from '../../../../shared' |
18 | 18 | ||
19 | const blacklistRouter = express.Router() | 19 | const blacklistRouter = express.Router() |
20 | 20 | ||
21 | blacklistRouter.post('/:videoId/blacklist', | 21 | blacklistRouter.post('/:videoId/blacklist', |
22 | authenticate, | 22 | authenticate, |
23 | ensureIsAdmin, | 23 | ensureUserHasRight(UserRight.MANAGE_VIDEO_BLACKLIST), |
24 | videosBlacklistAddValidator, | 24 | videosBlacklistAddValidator, |
25 | asyncMiddleware(addVideoToBlacklist) | 25 | asyncMiddleware(addVideoToBlacklist) |
26 | ) | 26 | ) |
27 | 27 | ||
28 | blacklistRouter.get('/blacklist', | 28 | blacklistRouter.get('/blacklist', |
29 | authenticate, | 29 | authenticate, |
30 | ensureIsAdmin, | 30 | ensureUserHasRight(UserRight.MANAGE_VIDEO_BLACKLIST), |
31 | paginationValidator, | 31 | paginationValidator, |
32 | blacklistSortValidator, | 32 | blacklistSortValidator, |
33 | setBlacklistSort, | 33 | setBlacklistSort, |
@@ -37,7 +37,7 @@ blacklistRouter.get('/blacklist', | |||
37 | 37 | ||
38 | blacklistRouter.delete('/:videoId/blacklist', | 38 | blacklistRouter.delete('/:videoId/blacklist', |
39 | authenticate, | 39 | authenticate, |
40 | ensureIsAdmin, | 40 | ensureUserHasRight(UserRight.MANAGE_VIDEO_BLACKLIST), |
41 | videosBlacklistRemoveValidator, | 41 | videosBlacklistRemoveValidator, |
42 | asyncMiddleware(removeVideoFromBlacklistController) | 42 | asyncMiddleware(removeVideoFromBlacklistController) |
43 | ) | 43 | ) |
diff --git a/server/helpers/custom-validators/users.ts b/server/helpers/custom-validators/users.ts index c180eccda..f423d6317 100644 --- a/server/helpers/custom-validators/users.ts +++ b/server/helpers/custom-validators/users.ts | |||
@@ -1,9 +1,8 @@ | |||
1 | import { values } from 'lodash' | ||
2 | import * as validator from 'validator' | 1 | import * as validator from 'validator' |
3 | import 'express-validator' | 2 | import 'express-validator' |
4 | 3 | ||
5 | import { exists } from './misc' | 4 | import { exists } from './misc' |
6 | import { CONSTRAINTS_FIELDS, USER_ROLES } from '../../initializers' | 5 | import { CONSTRAINTS_FIELDS } from '../../initializers' |
7 | import { UserRole } from '../../../shared' | 6 | import { UserRole } from '../../../shared' |
8 | 7 | ||
9 | const USERS_CONSTRAINTS_FIELDS = CONSTRAINTS_FIELDS.USERS | 8 | const USERS_CONSTRAINTS_FIELDS = CONSTRAINTS_FIELDS.USERS |
@@ -12,10 +11,6 @@ function isUserPasswordValid (value: string) { | |||
12 | return validator.isLength(value, USERS_CONSTRAINTS_FIELDS.PASSWORD) | 11 | return validator.isLength(value, USERS_CONSTRAINTS_FIELDS.PASSWORD) |
13 | } | 12 | } |
14 | 13 | ||
15 | function isUserRoleValid (value: string) { | ||
16 | return values(USER_ROLES).indexOf(value as UserRole) !== -1 | ||
17 | } | ||
18 | |||
19 | function isUserVideoQuotaValid (value: string) { | 14 | function isUserVideoQuotaValid (value: string) { |
20 | return exists(value) && validator.isInt(value + '', USERS_CONSTRAINTS_FIELDS.VIDEO_QUOTA) | 15 | return exists(value) && validator.isInt(value + '', USERS_CONSTRAINTS_FIELDS.VIDEO_QUOTA) |
21 | } | 16 | } |
@@ -30,6 +25,10 @@ function isUserDisplayNSFWValid (value: any) { | |||
30 | return typeof value === 'boolean' || (typeof value === 'string' && validator.isBoolean(value)) | 25 | return typeof value === 'boolean' || (typeof value === 'string' && validator.isBoolean(value)) |
31 | } | 26 | } |
32 | 27 | ||
28 | function isUserRoleValid (value: any) { | ||
29 | return exists(value) && validator.isInt('' + value) && UserRole[value] !== undefined | ||
30 | } | ||
31 | |||
33 | // --------------------------------------------------------------------------- | 32 | // --------------------------------------------------------------------------- |
34 | 33 | ||
35 | export { | 34 | export { |
diff --git a/server/initializers/constants.ts b/server/initializers/constants.ts index 1581a3195..6dc9737d2 100644 --- a/server/initializers/constants.ts +++ b/server/initializers/constants.ts | |||
@@ -5,7 +5,6 @@ import { join } from 'path' | |||
5 | import { root, isTestInstance } from '../helpers/core-utils' | 5 | import { root, isTestInstance } from '../helpers/core-utils' |
6 | 6 | ||
7 | import { | 7 | import { |
8 | UserRole, | ||
9 | VideoRateType, | 8 | VideoRateType, |
10 | RequestEndpoint, | 9 | RequestEndpoint, |
11 | RequestVideoEventType, | 10 | RequestVideoEventType, |
@@ -16,7 +15,7 @@ import { | |||
16 | 15 | ||
17 | // --------------------------------------------------------------------------- | 16 | // --------------------------------------------------------------------------- |
18 | 17 | ||
19 | const LAST_MIGRATION_VERSION = 80 | 18 | const LAST_MIGRATION_VERSION = 85 |
20 | 19 | ||
21 | // --------------------------------------------------------------------------- | 20 | // --------------------------------------------------------------------------- |
22 | 21 | ||
@@ -283,7 +282,6 @@ const JOB_STATES: { [ id: string ]: JobState } = { | |||
283 | } | 282 | } |
284 | // How many maximum jobs we fetch from the database per cycle | 283 | // How many maximum jobs we fetch from the database per cycle |
285 | const JOBS_FETCH_LIMIT_PER_CYCLE = 10 | 284 | const JOBS_FETCH_LIMIT_PER_CYCLE = 10 |
286 | const JOBS_CONCURRENCY = 1 | ||
287 | // 1 minutes | 285 | // 1 minutes |
288 | let JOBS_FETCHING_INTERVAL = 60000 | 286 | let JOBS_FETCHING_INTERVAL = 60000 |
289 | 287 | ||
@@ -334,13 +332,6 @@ const CACHE = { | |||
334 | 332 | ||
335 | // --------------------------------------------------------------------------- | 333 | // --------------------------------------------------------------------------- |
336 | 334 | ||
337 | const USER_ROLES: { [ id: string ]: UserRole } = { | ||
338 | ADMIN: 'admin', | ||
339 | USER: 'user' | ||
340 | } | ||
341 | |||
342 | // --------------------------------------------------------------------------- | ||
343 | |||
344 | const OPENGRAPH_AND_OEMBED_COMMENT = '<!-- open graph and oembed tags -->' | 335 | const OPENGRAPH_AND_OEMBED_COMMENT = '<!-- open graph and oembed tags -->' |
345 | 336 | ||
346 | // --------------------------------------------------------------------------- | 337 | // --------------------------------------------------------------------------- |
@@ -367,7 +358,6 @@ export { | |||
367 | EMBED_SIZE, | 358 | EMBED_SIZE, |
368 | FRIEND_SCORE, | 359 | FRIEND_SCORE, |
369 | JOB_STATES, | 360 | JOB_STATES, |
370 | JOBS_CONCURRENCY, | ||
371 | JOBS_FETCH_LIMIT_PER_CYCLE, | 361 | JOBS_FETCH_LIMIT_PER_CYCLE, |
372 | JOBS_FETCHING_INTERVAL, | 362 | JOBS_FETCHING_INTERVAL, |
373 | LAST_MIGRATION_VERSION, | 363 | LAST_MIGRATION_VERSION, |
@@ -401,7 +391,6 @@ export { | |||
401 | STATIC_MAX_AGE, | 391 | STATIC_MAX_AGE, |
402 | STATIC_PATHS, | 392 | STATIC_PATHS, |
403 | THUMBNAILS_SIZE, | 393 | THUMBNAILS_SIZE, |
404 | USER_ROLES, | ||
405 | VIDEO_CATEGORIES, | 394 | VIDEO_CATEGORIES, |
406 | VIDEO_LANGUAGES, | 395 | VIDEO_LANGUAGES, |
407 | VIDEO_LICENCES, | 396 | VIDEO_LICENCES, |
diff --git a/server/initializers/installer.ts b/server/initializers/installer.ts index 4c04290fc..077472341 100644 --- a/server/initializers/installer.ts +++ b/server/initializers/installer.ts | |||
@@ -2,10 +2,11 @@ import * as passwordGenerator from 'password-generator' | |||
2 | import * as Bluebird from 'bluebird' | 2 | import * as Bluebird from 'bluebird' |
3 | 3 | ||
4 | import { database as db } from './database' | 4 | import { database as db } from './database' |
5 | import { USER_ROLES, CONFIG, LAST_MIGRATION_VERSION, CACHE } from './constants' | 5 | import { CONFIG, LAST_MIGRATION_VERSION, CACHE } from './constants' |
6 | import { clientsExist, usersExist } from './checker' | 6 | import { clientsExist, usersExist } from './checker' |
7 | import { logger, createCertsIfNotExist, mkdirpPromise, rimrafPromise } from '../helpers' | 7 | import { logger, createCertsIfNotExist, mkdirpPromise, rimrafPromise } from '../helpers' |
8 | import { createUserAuthorAndChannel } from '../lib' | 8 | import { createUserAuthorAndChannel } from '../lib' |
9 | import { UserRole } from '../../shared' | ||
9 | 10 | ||
10 | async function installApplication () { | 11 | async function installApplication () { |
11 | await db.sequelize.sync() | 12 | await db.sequelize.sync() |
@@ -88,7 +89,7 @@ async function createOAuthAdminIfNotExist () { | |||
88 | logger.info('Creating the administrator.') | 89 | logger.info('Creating the administrator.') |
89 | 90 | ||
90 | const username = 'root' | 91 | const username = 'root' |
91 | const role = USER_ROLES.ADMIN | 92 | const role = UserRole.ADMINISTRATOR |
92 | const email = CONFIG.ADMIN.EMAIL | 93 | const email = CONFIG.ADMIN.EMAIL |
93 | let validatePassword = true | 94 | let validatePassword = true |
94 | let password = '' | 95 | let password = '' |
diff --git a/server/initializers/migrations/0085-user-role.ts b/server/initializers/migrations/0085-user-role.ts new file mode 100644 index 000000000..e67c5ca24 --- /dev/null +++ b/server/initializers/migrations/0085-user-role.ts | |||
@@ -0,0 +1,39 @@ | |||
1 | import * as Sequelize from 'sequelize' | ||
2 | import * as uuidv4 from 'uuid/v4' | ||
3 | |||
4 | async function up (utils: { | ||
5 | transaction: Sequelize.Transaction, | ||
6 | queryInterface: Sequelize.QueryInterface, | ||
7 | sequelize: Sequelize.Sequelize, | ||
8 | db: any | ||
9 | }): Promise<void> { | ||
10 | const q = utils.queryInterface | ||
11 | |||
12 | await q.renameColumn('Users', 'role', 'oldRole') | ||
13 | |||
14 | const data = { | ||
15 | type: Sequelize.INTEGER, | ||
16 | allowNull: true | ||
17 | } | ||
18 | await q.addColumn('Users', 'role', data) | ||
19 | |||
20 | let query = 'UPDATE "Users" SET "role" = 0 WHERE "oldRole" = \'admin\'' | ||
21 | await utils.sequelize.query(query) | ||
22 | |||
23 | query = 'UPDATE "Users" SET "role" = 2 WHERE "oldRole" = \'user\'' | ||
24 | await utils.sequelize.query(query) | ||
25 | |||
26 | data.allowNull = false | ||
27 | await q.changeColumn('Users', 'role', data) | ||
28 | |||
29 | await q.removeColumn('Users', 'oldRole') | ||
30 | } | ||
31 | |||
32 | function down (options) { | ||
33 | throw new Error('Not implemented.') | ||
34 | } | ||
35 | |||
36 | export { | ||
37 | up, | ||
38 | down | ||
39 | } | ||
diff --git a/server/middlewares/admin.ts b/server/middlewares/admin.ts deleted file mode 100644 index 812397352..000000000 --- a/server/middlewares/admin.ts +++ /dev/null | |||
@@ -1,20 +0,0 @@ | |||
1 | import 'express-validator' | ||
2 | import * as express from 'express' | ||
3 | |||
4 | import { logger } from '../helpers' | ||
5 | |||
6 | function ensureIsAdmin (req: express.Request, res: express.Response, next: express.NextFunction) { | ||
7 | const user = res.locals.oauth.token.user | ||
8 | if (user.isAdmin() === false) { | ||
9 | logger.info('A non admin user is trying to access to an admin content.') | ||
10 | return res.sendStatus(403) | ||
11 | } | ||
12 | |||
13 | return next() | ||
14 | } | ||
15 | |||
16 | // --------------------------------------------------------------------------- | ||
17 | |||
18 | export { | ||
19 | ensureIsAdmin | ||
20 | } | ||
diff --git a/server/middlewares/index.ts b/server/middlewares/index.ts index 0e2c850e1..cec3e0b2a 100644 --- a/server/middlewares/index.ts +++ b/server/middlewares/index.ts | |||
@@ -1,5 +1,4 @@ | |||
1 | export * from './validators' | 1 | export * from './validators' |
2 | export * from './admin' | ||
3 | export * from './async' | 2 | export * from './async' |
4 | export * from './oauth' | 3 | export * from './oauth' |
5 | export * from './pagination' | 4 | export * from './pagination' |
@@ -7,3 +6,4 @@ export * from './pods' | |||
7 | export * from './search' | 6 | export * from './search' |
8 | export * from './secure' | 7 | export * from './secure' |
9 | export * from './sort' | 8 | export * from './sort' |
9 | export * from './user-right' | ||
diff --git a/server/middlewares/user-right.ts b/server/middlewares/user-right.ts new file mode 100644 index 000000000..bcebe9d7f --- /dev/null +++ b/server/middlewares/user-right.ts | |||
@@ -0,0 +1,24 @@ | |||
1 | import 'express-validator' | ||
2 | import * as express from 'express' | ||
3 | |||
4 | import { UserInstance } from '../models' | ||
5 | import { UserRight } from '../../shared' | ||
6 | import { logger } from '../helpers' | ||
7 | |||
8 | function ensureUserHasRight (userRight: UserRight) { | ||
9 | return function (req: express.Request, res: express.Response, next: express.NextFunction) { | ||
10 | const user: UserInstance = res.locals.oauth.token.user | ||
11 | if (user.hasRight(userRight) === false) { | ||
12 | logger.info('User %s does not have right %s to access to %s.', user.username, UserRight[userRight], req.path) | ||
13 | return res.sendStatus(403) | ||
14 | } | ||
15 | |||
16 | return next() | ||
17 | } | ||
18 | } | ||
19 | |||
20 | // --------------------------------------------------------------------------- | ||
21 | |||
22 | export { | ||
23 | ensureUserHasRight | ||
24 | } | ||
diff --git a/server/middlewares/validators/users.ts b/server/middlewares/validators/users.ts index 1a33cfd8c..0b463acc0 100644 --- a/server/middlewares/validators/users.ts +++ b/server/middlewares/validators/users.ts | |||
@@ -13,7 +13,8 @@ import { | |||
13 | isUserPasswordValid, | 13 | isUserPasswordValid, |
14 | isUserVideoQuotaValid, | 14 | isUserVideoQuotaValid, |
15 | isUserDisplayNSFWValid, | 15 | isUserDisplayNSFWValid, |
16 | isIdOrUUIDValid | 16 | isIdOrUUIDValid, |
17 | isUserRoleValid | ||
17 | } from '../../helpers' | 18 | } from '../../helpers' |
18 | import { UserInstance, VideoInstance } from '../../models' | 19 | import { UserInstance, VideoInstance } from '../../models' |
19 | 20 | ||
@@ -22,6 +23,7 @@ const usersAddValidator = [ | |||
22 | body('password').custom(isUserPasswordValid).withMessage('Should have a valid password'), | 23 | body('password').custom(isUserPasswordValid).withMessage('Should have a valid password'), |
23 | body('email').isEmail().withMessage('Should have a valid email'), | 24 | body('email').isEmail().withMessage('Should have a valid email'), |
24 | body('videoQuota').custom(isUserVideoQuotaValid).withMessage('Should have a valid user quota'), | 25 | body('videoQuota').custom(isUserVideoQuotaValid).withMessage('Should have a valid user quota'), |
26 | body('role').custom(isUserRoleValid).withMessage('Should have a valid role'), | ||
25 | 27 | ||
26 | (req: express.Request, res: express.Response, next: express.NextFunction) => { | 28 | (req: express.Request, res: express.Response, next: express.NextFunction) => { |
27 | logger.debug('Checking usersAdd parameters', { parameters: req.body }) | 29 | logger.debug('Checking usersAdd parameters', { parameters: req.body }) |
@@ -75,6 +77,7 @@ const usersUpdateValidator = [ | |||
75 | param('id').isInt().not().isEmpty().withMessage('Should have a valid id'), | 77 | param('id').isInt().not().isEmpty().withMessage('Should have a valid id'), |
76 | body('email').optional().isEmail().withMessage('Should have a valid email attribute'), | 78 | body('email').optional().isEmail().withMessage('Should have a valid email attribute'), |
77 | body('videoQuota').optional().custom(isUserVideoQuotaValid).withMessage('Should have a valid user quota'), | 79 | body('videoQuota').optional().custom(isUserVideoQuotaValid).withMessage('Should have a valid user quota'), |
80 | body('role').optional().custom(isUserRoleValid).withMessage('Should have a valid role'), | ||
78 | 81 | ||
79 | (req: express.Request, res: express.Response, next: express.NextFunction) => { | 82 | (req: express.Request, res: express.Response, next: express.NextFunction) => { |
80 | logger.debug('Checking usersUpdate parameters', { parameters: req.body }) | 83 | logger.debug('Checking usersUpdate parameters', { parameters: req.body }) |
diff --git a/server/middlewares/validators/video-channels.ts b/server/middlewares/validators/video-channels.ts index 979fbd34a..7d611728b 100644 --- a/server/middlewares/validators/video-channels.ts +++ b/server/middlewares/validators/video-channels.ts | |||
@@ -11,6 +11,8 @@ import { | |||
11 | checkVideoChannelExists, | 11 | checkVideoChannelExists, |
12 | checkVideoAuthorExists | 12 | checkVideoAuthorExists |
13 | } from '../../helpers' | 13 | } from '../../helpers' |
14 | import { UserInstance } from '../../models' | ||
15 | import { UserRight } from '../../../shared' | ||
14 | 16 | ||
15 | const listVideoAuthorChannelsValidator = [ | 17 | const listVideoAuthorChannelsValidator = [ |
16 | param('authorId').custom(isIdOrUUIDValid).withMessage('Should have a valid author id'), | 18 | param('authorId').custom(isIdOrUUIDValid).withMessage('Should have a valid author id'), |
@@ -106,7 +108,7 @@ export { | |||
106 | // --------------------------------------------------------------------------- | 108 | // --------------------------------------------------------------------------- |
107 | 109 | ||
108 | function checkUserCanDeleteVideoChannel (res: express.Response, callback: () => void) { | 110 | function checkUserCanDeleteVideoChannel (res: express.Response, callback: () => void) { |
109 | const user = res.locals.oauth.token.User | 111 | const user: UserInstance = res.locals.oauth.token.User |
110 | 112 | ||
111 | // Retrieve the user who did the request | 113 | // Retrieve the user who did the request |
112 | if (res.locals.videoChannel.isOwned() === false) { | 114 | if (res.locals.videoChannel.isOwned() === false) { |
@@ -118,7 +120,7 @@ function checkUserCanDeleteVideoChannel (res: express.Response, callback: () => | |||
118 | // Check if the user can delete the video channel | 120 | // Check if the user can delete the video channel |
119 | // The user can delete it if s/he is an admin | 121 | // The user can delete it if s/he is an admin |
120 | // Or if s/he is the video channel's author | 122 | // Or if s/he is the video channel's author |
121 | if (user.isAdmin() === false && res.locals.videoChannel.Author.userId !== user.id) { | 123 | if (user.hasRight(UserRight.REMOVE_ANY_VIDEO_CHANNEL) === false && res.locals.videoChannel.Author.userId !== user.id) { |
122 | return res.status(403) | 124 | return res.status(403) |
123 | .json({ error: 'Cannot remove video channel of another user' }) | 125 | .json({ error: 'Cannot remove video channel of another user' }) |
124 | .end() | 126 | .end() |
diff --git a/server/middlewares/validators/videos.ts b/server/middlewares/validators/videos.ts index a032d14ce..0c07404c5 100644 --- a/server/middlewares/validators/videos.ts +++ b/server/middlewares/validators/videos.ts | |||
@@ -22,6 +22,7 @@ import { | |||
22 | checkVideoExists, | 22 | checkVideoExists, |
23 | isIdValid | 23 | isIdValid |
24 | } from '../../helpers' | 24 | } from '../../helpers' |
25 | import { UserRight } from '../../../shared' | ||
25 | 26 | ||
26 | const videosAddValidator = [ | 27 | const videosAddValidator = [ |
27 | body('videofile').custom((value, { req }) => isVideoFile(req.files)).withMessage( | 28 | body('videofile').custom((value, { req }) => isVideoFile(req.files)).withMessage( |
@@ -231,7 +232,7 @@ function checkUserCanDeleteVideo (userId: number, res: express.Response, callbac | |||
231 | // Check if the user can delete the video | 232 | // Check if the user can delete the video |
232 | // The user can delete it if s/he is an admin | 233 | // The user can delete it if s/he is an admin |
233 | // Or if s/he is the video's author | 234 | // Or if s/he is the video's author |
234 | if (user.isAdmin() === false && res.locals.video.Author.userId !== res.locals.oauth.token.User.id) { | 235 | if (user.hasRight(UserRight.REMOVE_ANY_VIDEO) === false && res.locals.video.Author.userId !== res.locals.oauth.token.User.id) { |
235 | return res.status(403) | 236 | return res.status(403) |
236 | .json({ error: 'Cannot remove video of another user' }) | 237 | .json({ error: 'Cannot remove video of another user' }) |
237 | .end() | 238 | .end() |
diff --git a/server/models/user/user-interface.ts b/server/models/user/user-interface.ts index 1b5233eaf..49c75aa3b 100644 --- a/server/models/user/user-interface.ts +++ b/server/models/user/user-interface.ts | |||
@@ -3,15 +3,16 @@ import * as Promise from 'bluebird' | |||
3 | 3 | ||
4 | // Don't use barrel, import just what we need | 4 | // Don't use barrel, import just what we need |
5 | import { User as FormattedUser } from '../../../shared/models/users/user.model' | 5 | import { User as FormattedUser } from '../../../shared/models/users/user.model' |
6 | import { UserRole } from '../../../shared/models/users/user-role.type' | ||
7 | import { ResultList } from '../../../shared/models/result-list.model' | 6 | import { ResultList } from '../../../shared/models/result-list.model' |
8 | import { AuthorInstance } from '../video/author-interface' | 7 | import { AuthorInstance } from '../video/author-interface' |
8 | import { UserRight } from '../../../shared/models/users/user-right.enum' | ||
9 | import { UserRole } from '../../../shared/models/users/user-role' | ||
9 | 10 | ||
10 | export namespace UserMethods { | 11 | export namespace UserMethods { |
12 | export type HasRight = (this: UserInstance, right: UserRight) => boolean | ||
11 | export type IsPasswordMatch = (this: UserInstance, password: string) => Promise<boolean> | 13 | export type IsPasswordMatch = (this: UserInstance, password: string) => Promise<boolean> |
12 | 14 | ||
13 | export type ToFormattedJSON = (this: UserInstance) => FormattedUser | 15 | export type ToFormattedJSON = (this: UserInstance) => FormattedUser |
14 | export type IsAdmin = (this: UserInstance) => boolean | ||
15 | export type IsAbleToUploadVideo = (this: UserInstance, videoFile: Express.Multer.File) => Promise<boolean> | 16 | export type IsAbleToUploadVideo = (this: UserInstance, videoFile: Express.Multer.File) => Promise<boolean> |
16 | 17 | ||
17 | export type CountTotal = () => Promise<number> | 18 | export type CountTotal = () => Promise<number> |
@@ -31,7 +32,7 @@ export namespace UserMethods { | |||
31 | export interface UserClass { | 32 | export interface UserClass { |
32 | isPasswordMatch: UserMethods.IsPasswordMatch, | 33 | isPasswordMatch: UserMethods.IsPasswordMatch, |
33 | toFormattedJSON: UserMethods.ToFormattedJSON, | 34 | toFormattedJSON: UserMethods.ToFormattedJSON, |
34 | isAdmin: UserMethods.IsAdmin, | 35 | hasRight: UserMethods.HasRight, |
35 | isAbleToUploadVideo: UserMethods.IsAbleToUploadVideo, | 36 | isAbleToUploadVideo: UserMethods.IsAbleToUploadVideo, |
36 | 37 | ||
37 | countTotal: UserMethods.CountTotal, | 38 | countTotal: UserMethods.CountTotal, |
@@ -62,7 +63,7 @@ export interface UserInstance extends UserClass, UserAttributes, Sequelize.Insta | |||
62 | 63 | ||
63 | isPasswordMatch: UserMethods.IsPasswordMatch | 64 | isPasswordMatch: UserMethods.IsPasswordMatch |
64 | toFormattedJSON: UserMethods.ToFormattedJSON | 65 | toFormattedJSON: UserMethods.ToFormattedJSON |
65 | isAdmin: UserMethods.IsAdmin | 66 | hasRight: UserMethods.HasRight |
66 | } | 67 | } |
67 | 68 | ||
68 | export interface UserModel extends UserClass, Sequelize.Model<UserInstance, UserAttributes> {} | 69 | export interface UserModel extends UserClass, Sequelize.Model<UserInstance, UserAttributes> {} |
diff --git a/server/models/user/user.ts b/server/models/user/user.ts index 074c9c121..3c625e450 100644 --- a/server/models/user/user.ts +++ b/server/models/user/user.ts | |||
@@ -1,17 +1,17 @@ | |||
1 | import { values } from 'lodash' | ||
2 | import * as Sequelize from 'sequelize' | 1 | import * as Sequelize from 'sequelize' |
3 | import * as Promise from 'bluebird' | 2 | import * as Promise from 'bluebird' |
4 | 3 | ||
5 | import { getSort } from '../utils' | 4 | import { getSort } from '../utils' |
6 | import { USER_ROLES } from '../../initializers' | ||
7 | import { | 5 | import { |
8 | cryptPassword, | 6 | cryptPassword, |
9 | comparePassword, | 7 | comparePassword, |
10 | isUserPasswordValid, | 8 | isUserPasswordValid, |
11 | isUserUsernameValid, | 9 | isUserUsernameValid, |
12 | isUserDisplayNSFWValid, | 10 | isUserDisplayNSFWValid, |
13 | isUserVideoQuotaValid | 11 | isUserVideoQuotaValid, |
12 | isUserRoleValid | ||
14 | } from '../../helpers' | 13 | } from '../../helpers' |
14 | import { UserRight, USER_ROLE_LABELS, hasUserRight } from '../../../shared' | ||
15 | 15 | ||
16 | import { addMethodsToModel } from '../utils' | 16 | import { addMethodsToModel } from '../utils' |
17 | import { | 17 | import { |
@@ -23,8 +23,8 @@ import { | |||
23 | 23 | ||
24 | let User: Sequelize.Model<UserInstance, UserAttributes> | 24 | let User: Sequelize.Model<UserInstance, UserAttributes> |
25 | let isPasswordMatch: UserMethods.IsPasswordMatch | 25 | let isPasswordMatch: UserMethods.IsPasswordMatch |
26 | let hasRight: UserMethods.HasRight | ||
26 | let toFormattedJSON: UserMethods.ToFormattedJSON | 27 | let toFormattedJSON: UserMethods.ToFormattedJSON |
27 | let isAdmin: UserMethods.IsAdmin | ||
28 | let countTotal: UserMethods.CountTotal | 28 | let countTotal: UserMethods.CountTotal |
29 | let getByUsername: UserMethods.GetByUsername | 29 | let getByUsername: UserMethods.GetByUsername |
30 | let listForApi: UserMethods.ListForApi | 30 | let listForApi: UserMethods.ListForApi |
@@ -76,8 +76,14 @@ export default function (sequelize: Sequelize.Sequelize, DataTypes: Sequelize.Da | |||
76 | } | 76 | } |
77 | }, | 77 | }, |
78 | role: { | 78 | role: { |
79 | type: DataTypes.ENUM(values(USER_ROLES)), | 79 | type: DataTypes.INTEGER, |
80 | allowNull: false | 80 | allowNull: false, |
81 | validate: { | ||
82 | roleValid: value => { | ||
83 | const res = isUserRoleValid(value) | ||
84 | if (res === false) throw new Error('Role is not valid.') | ||
85 | } | ||
86 | } | ||
81 | }, | 87 | }, |
82 | videoQuota: { | 88 | videoQuota: { |
83 | type: DataTypes.BIGINT, | 89 | type: DataTypes.BIGINT, |
@@ -120,9 +126,9 @@ export default function (sequelize: Sequelize.Sequelize, DataTypes: Sequelize.Da | |||
120 | loadByUsernameOrEmail | 126 | loadByUsernameOrEmail |
121 | ] | 127 | ] |
122 | const instanceMethods = [ | 128 | const instanceMethods = [ |
129 | hasRight, | ||
123 | isPasswordMatch, | 130 | isPasswordMatch, |
124 | toFormattedJSON, | 131 | toFormattedJSON, |
125 | isAdmin, | ||
126 | isAbleToUploadVideo | 132 | isAbleToUploadVideo |
127 | ] | 133 | ] |
128 | addMethodsToModel(User, classMethods, instanceMethods) | 134 | addMethodsToModel(User, classMethods, instanceMethods) |
@@ -139,6 +145,10 @@ function beforeCreateOrUpdate (user: UserInstance) { | |||
139 | 145 | ||
140 | // ------------------------------ METHODS ------------------------------ | 146 | // ------------------------------ METHODS ------------------------------ |
141 | 147 | ||
148 | hasRight = function (this: UserInstance, right: UserRight) { | ||
149 | return hasUserRight(this.role, right) | ||
150 | } | ||
151 | |||
142 | isPasswordMatch = function (this: UserInstance, password: string) { | 152 | isPasswordMatch = function (this: UserInstance, password: string) { |
143 | return comparePassword(password, this.password) | 153 | return comparePassword(password, this.password) |
144 | } | 154 | } |
@@ -150,6 +160,7 @@ toFormattedJSON = function (this: UserInstance) { | |||
150 | email: this.email, | 160 | email: this.email, |
151 | displayNSFW: this.displayNSFW, | 161 | displayNSFW: this.displayNSFW, |
152 | role: this.role, | 162 | role: this.role, |
163 | roleLabel: USER_ROLE_LABELS[this.role], | ||
153 | videoQuota: this.videoQuota, | 164 | videoQuota: this.videoQuota, |
154 | createdAt: this.createdAt, | 165 | createdAt: this.createdAt, |
155 | author: { | 166 | author: { |
@@ -174,10 +185,6 @@ toFormattedJSON = function (this: UserInstance) { | |||
174 | return json | 185 | return json |
175 | } | 186 | } |
176 | 187 | ||
177 | isAdmin = function (this: UserInstance) { | ||
178 | return this.role === USER_ROLES.ADMIN | ||
179 | } | ||
180 | |||
181 | isAbleToUploadVideo = function (this: UserInstance, videoFile: Express.Multer.File) { | 188 | isAbleToUploadVideo = function (this: UserInstance, videoFile: Express.Multer.File) { |
182 | if (this.videoQuota === -1) return Promise.resolve(true) | 189 | if (this.videoQuota === -1) return Promise.resolve(true) |
183 | 190 | ||