diff options
author | Chocobozzz <me@florianbigard.com> | 2022-09-07 17:18:29 +0200 |
---|---|---|
committer | Chocobozzz <me@florianbigard.com> | 2022-09-08 08:41:48 +0200 |
commit | d4d9bbc6f24522f5d63b0ab105a02f80ca98d702 (patch) | |
tree | 9e7e5e5170cea36a489f6c988df892a34c886937 /server | |
parent | 8b69f9f02879ee3cf72bc9d4aa96cc71f18e6eea (diff) | |
download | PeerTube-d4d9bbc6f24522f5d63b0ab105a02f80ca98d702.tar.gz PeerTube-d4d9bbc6f24522f5d63b0ab105a02f80ca98d702.tar.zst PeerTube-d4d9bbc6f24522f5d63b0ab105a02f80ca98d702.zip |
Fix channel sync right check
Diffstat (limited to 'server')
-rw-r--r-- | server/controllers/api/accounts.ts | 6 | ||||
-rw-r--r-- | server/controllers/api/users/index.ts | 10 | ||||
-rw-r--r-- | server/controllers/api/video-channel-sync.ts | 6 | ||||
-rw-r--r-- | server/controllers/api/video-channel.ts | 18 | ||||
-rw-r--r-- | server/middlewares/validators/users.ts | 15 |
5 files changed, 28 insertions, 27 deletions
diff --git a/server/controllers/api/accounts.ts b/server/controllers/api/accounts.ts index 7a530cde5..2d86d393c 100644 --- a/server/controllers/api/accounts.ts +++ b/server/controllers/api/accounts.ts | |||
@@ -3,6 +3,7 @@ import { pickCommonVideoQuery } from '@server/helpers/query' | |||
3 | import { ActorFollowModel } from '@server/models/actor/actor-follow' | 3 | import { ActorFollowModel } from '@server/models/actor/actor-follow' |
4 | import { getServerActor } from '@server/models/application/application' | 4 | import { getServerActor } from '@server/models/application/application' |
5 | import { guessAdditionalAttributesFromQuery } from '@server/models/video/formatter/video-format-utils' | 5 | import { guessAdditionalAttributesFromQuery } from '@server/models/video/formatter/video-format-utils' |
6 | import { VideoChannelSyncModel } from '@server/models/video/video-channel-sync' | ||
6 | import { buildNSFWFilter, getCountVideos, isUserAbleToSearchRemoteURI } from '../../helpers/express-utils' | 7 | import { buildNSFWFilter, getCountVideos, isUserAbleToSearchRemoteURI } from '../../helpers/express-utils' |
7 | import { getFormattedObjects } from '../../helpers/utils' | 8 | import { getFormattedObjects } from '../../helpers/utils' |
8 | import { JobQueue } from '../../lib/job-queue' | 9 | import { JobQueue } from '../../lib/job-queue' |
@@ -25,7 +26,7 @@ import { | |||
25 | accountsFollowersSortValidator, | 26 | accountsFollowersSortValidator, |
26 | accountsSortValidator, | 27 | accountsSortValidator, |
27 | ensureAuthUserOwnsAccountValidator, | 28 | ensureAuthUserOwnsAccountValidator, |
28 | ensureCanManageUser, | 29 | ensureCanManageChannelOrAccount, |
29 | videoChannelsSortValidator, | 30 | videoChannelsSortValidator, |
30 | videoChannelStatsValidator, | 31 | videoChannelStatsValidator, |
31 | videoChannelSyncsSortValidator, | 32 | videoChannelSyncsSortValidator, |
@@ -37,7 +38,6 @@ import { AccountVideoRateModel } from '../../models/account/account-video-rate' | |||
37 | import { VideoModel } from '../../models/video/video' | 38 | import { VideoModel } from '../../models/video/video' |
38 | import { VideoChannelModel } from '../../models/video/video-channel' | 39 | import { VideoChannelModel } from '../../models/video/video-channel' |
39 | import { VideoPlaylistModel } from '../../models/video/video-playlist' | 40 | import { VideoPlaylistModel } from '../../models/video/video-playlist' |
40 | import { VideoChannelSyncModel } from '@server/models/video/video-channel-sync' | ||
41 | 41 | ||
42 | const accountsRouter = express.Router() | 42 | const accountsRouter = express.Router() |
43 | 43 | ||
@@ -78,7 +78,7 @@ accountsRouter.get('/:accountName/video-channels', | |||
78 | accountsRouter.get('/:accountName/video-channel-syncs', | 78 | accountsRouter.get('/:accountName/video-channel-syncs', |
79 | authenticate, | 79 | authenticate, |
80 | asyncMiddleware(accountNameWithHostGetValidator), | 80 | asyncMiddleware(accountNameWithHostGetValidator), |
81 | ensureCanManageUser, | 81 | ensureCanManageChannelOrAccount, |
82 | paginationValidator, | 82 | paginationValidator, |
83 | videoChannelSyncsSortValidator, | 83 | videoChannelSyncsSortValidator, |
84 | setDefaultSort, | 84 | setDefaultSort, |
diff --git a/server/controllers/api/users/index.ts b/server/controllers/api/users/index.ts index 7761ba602..0b27d5277 100644 --- a/server/controllers/api/users/index.ts +++ b/server/controllers/api/users/index.ts | |||
@@ -36,7 +36,7 @@ import { | |||
36 | usersUpdateValidator | 36 | usersUpdateValidator |
37 | } from '../../../middlewares' | 37 | } from '../../../middlewares' |
38 | import { | 38 | import { |
39 | ensureCanManageUser, | 39 | ensureCanModerateUser, |
40 | usersAskResetPasswordValidator, | 40 | usersAskResetPasswordValidator, |
41 | usersAskSendVerifyEmailValidator, | 41 | usersAskSendVerifyEmailValidator, |
42 | usersBlockingValidator, | 42 | usersBlockingValidator, |
@@ -95,14 +95,14 @@ usersRouter.post('/:id/block', | |||
95 | authenticate, | 95 | authenticate, |
96 | ensureUserHasRight(UserRight.MANAGE_USERS), | 96 | ensureUserHasRight(UserRight.MANAGE_USERS), |
97 | asyncMiddleware(usersBlockingValidator), | 97 | asyncMiddleware(usersBlockingValidator), |
98 | ensureCanManageUser, | 98 | ensureCanModerateUser, |
99 | asyncMiddleware(blockUser) | 99 | asyncMiddleware(blockUser) |
100 | ) | 100 | ) |
101 | usersRouter.post('/:id/unblock', | 101 | usersRouter.post('/:id/unblock', |
102 | authenticate, | 102 | authenticate, |
103 | ensureUserHasRight(UserRight.MANAGE_USERS), | 103 | ensureUserHasRight(UserRight.MANAGE_USERS), |
104 | asyncMiddleware(usersBlockingValidator), | 104 | asyncMiddleware(usersBlockingValidator), |
105 | ensureCanManageUser, | 105 | ensureCanModerateUser, |
106 | asyncMiddleware(unblockUser) | 106 | asyncMiddleware(unblockUser) |
107 | ) | 107 | ) |
108 | 108 | ||
@@ -132,7 +132,7 @@ usersRouter.put('/:id', | |||
132 | authenticate, | 132 | authenticate, |
133 | ensureUserHasRight(UserRight.MANAGE_USERS), | 133 | ensureUserHasRight(UserRight.MANAGE_USERS), |
134 | asyncMiddleware(usersUpdateValidator), | 134 | asyncMiddleware(usersUpdateValidator), |
135 | ensureCanManageUser, | 135 | ensureCanModerateUser, |
136 | asyncMiddleware(updateUser) | 136 | asyncMiddleware(updateUser) |
137 | ) | 137 | ) |
138 | 138 | ||
@@ -140,7 +140,7 @@ usersRouter.delete('/:id', | |||
140 | authenticate, | 140 | authenticate, |
141 | ensureUserHasRight(UserRight.MANAGE_USERS), | 141 | ensureUserHasRight(UserRight.MANAGE_USERS), |
142 | asyncMiddleware(usersRemoveValidator), | 142 | asyncMiddleware(usersRemoveValidator), |
143 | ensureCanManageUser, | 143 | ensureCanModerateUser, |
144 | asyncMiddleware(removeUser) | 144 | asyncMiddleware(removeUser) |
145 | ) | 145 | ) |
146 | 146 | ||
diff --git a/server/controllers/api/video-channel-sync.ts b/server/controllers/api/video-channel-sync.ts index c2770b8e4..03c54b59c 100644 --- a/server/controllers/api/video-channel-sync.ts +++ b/server/controllers/api/video-channel-sync.ts | |||
@@ -5,7 +5,7 @@ import { | |||
5 | asyncMiddleware, | 5 | asyncMiddleware, |
6 | asyncRetryTransactionMiddleware, | 6 | asyncRetryTransactionMiddleware, |
7 | authenticate, | 7 | authenticate, |
8 | ensureCanManageChannel as ensureCanManageSyncedChannel, | 8 | ensureCanManageChannelOrAccount, |
9 | ensureSyncExists, | 9 | ensureSyncExists, |
10 | ensureSyncIsEnabled, | 10 | ensureSyncIsEnabled, |
11 | videoChannelSyncValidator | 11 | videoChannelSyncValidator |
@@ -21,14 +21,14 @@ videoChannelSyncRouter.post('/', | |||
21 | authenticate, | 21 | authenticate, |
22 | ensureSyncIsEnabled, | 22 | ensureSyncIsEnabled, |
23 | asyncMiddleware(videoChannelSyncValidator), | 23 | asyncMiddleware(videoChannelSyncValidator), |
24 | ensureCanManageSyncedChannel, | 24 | ensureCanManageChannelOrAccount, |
25 | asyncRetryTransactionMiddleware(createVideoChannelSync) | 25 | asyncRetryTransactionMiddleware(createVideoChannelSync) |
26 | ) | 26 | ) |
27 | 27 | ||
28 | videoChannelSyncRouter.delete('/:id', | 28 | videoChannelSyncRouter.delete('/:id', |
29 | authenticate, | 29 | authenticate, |
30 | asyncMiddleware(ensureSyncExists), | 30 | asyncMiddleware(ensureSyncExists), |
31 | ensureCanManageSyncedChannel, | 31 | ensureCanManageChannelOrAccount, |
32 | asyncRetryTransactionMiddleware(removeVideoChannelSync) | 32 | asyncRetryTransactionMiddleware(removeVideoChannelSync) |
33 | ) | 33 | ) |
34 | 34 | ||
diff --git a/server/controllers/api/video-channel.ts b/server/controllers/api/video-channel.ts index 94285a78d..d7c92952a 100644 --- a/server/controllers/api/video-channel.ts +++ b/server/controllers/api/video-channel.ts | |||
@@ -23,7 +23,7 @@ import { | |||
23 | asyncRetryTransactionMiddleware, | 23 | asyncRetryTransactionMiddleware, |
24 | authenticate, | 24 | authenticate, |
25 | commonVideosFiltersValidator, | 25 | commonVideosFiltersValidator, |
26 | ensureCanManageChannel, | 26 | ensureCanManageChannelOrAccount, |
27 | optionalAuthenticate, | 27 | optionalAuthenticate, |
28 | paginationValidator, | 28 | paginationValidator, |
29 | setDefaultPagination, | 29 | setDefaultPagination, |
@@ -77,7 +77,7 @@ videoChannelRouter.post('/:nameWithHost/avatar/pick', | |||
77 | reqAvatarFile, | 77 | reqAvatarFile, |
78 | asyncMiddleware(videoChannelsNameWithHostValidator), | 78 | asyncMiddleware(videoChannelsNameWithHostValidator), |
79 | ensureIsLocalChannel, | 79 | ensureIsLocalChannel, |
80 | ensureCanManageChannel, | 80 | ensureCanManageChannelOrAccount, |
81 | updateAvatarValidator, | 81 | updateAvatarValidator, |
82 | asyncMiddleware(updateVideoChannelAvatar) | 82 | asyncMiddleware(updateVideoChannelAvatar) |
83 | ) | 83 | ) |
@@ -87,7 +87,7 @@ videoChannelRouter.post('/:nameWithHost/banner/pick', | |||
87 | reqBannerFile, | 87 | reqBannerFile, |
88 | asyncMiddleware(videoChannelsNameWithHostValidator), | 88 | asyncMiddleware(videoChannelsNameWithHostValidator), |
89 | ensureIsLocalChannel, | 89 | ensureIsLocalChannel, |
90 | ensureCanManageChannel, | 90 | ensureCanManageChannelOrAccount, |
91 | updateBannerValidator, | 91 | updateBannerValidator, |
92 | asyncMiddleware(updateVideoChannelBanner) | 92 | asyncMiddleware(updateVideoChannelBanner) |
93 | ) | 93 | ) |
@@ -96,7 +96,7 @@ videoChannelRouter.delete('/:nameWithHost/avatar', | |||
96 | authenticate, | 96 | authenticate, |
97 | asyncMiddleware(videoChannelsNameWithHostValidator), | 97 | asyncMiddleware(videoChannelsNameWithHostValidator), |
98 | ensureIsLocalChannel, | 98 | ensureIsLocalChannel, |
99 | ensureCanManageChannel, | 99 | ensureCanManageChannelOrAccount, |
100 | asyncMiddleware(deleteVideoChannelAvatar) | 100 | asyncMiddleware(deleteVideoChannelAvatar) |
101 | ) | 101 | ) |
102 | 102 | ||
@@ -104,7 +104,7 @@ videoChannelRouter.delete('/:nameWithHost/banner', | |||
104 | authenticate, | 104 | authenticate, |
105 | asyncMiddleware(videoChannelsNameWithHostValidator), | 105 | asyncMiddleware(videoChannelsNameWithHostValidator), |
106 | ensureIsLocalChannel, | 106 | ensureIsLocalChannel, |
107 | ensureCanManageChannel, | 107 | ensureCanManageChannelOrAccount, |
108 | asyncMiddleware(deleteVideoChannelBanner) | 108 | asyncMiddleware(deleteVideoChannelBanner) |
109 | ) | 109 | ) |
110 | 110 | ||
@@ -112,7 +112,7 @@ videoChannelRouter.put('/:nameWithHost', | |||
112 | authenticate, | 112 | authenticate, |
113 | asyncMiddleware(videoChannelsNameWithHostValidator), | 113 | asyncMiddleware(videoChannelsNameWithHostValidator), |
114 | ensureIsLocalChannel, | 114 | ensureIsLocalChannel, |
115 | ensureCanManageChannel, | 115 | ensureCanManageChannelOrAccount, |
116 | videoChannelsUpdateValidator, | 116 | videoChannelsUpdateValidator, |
117 | asyncRetryTransactionMiddleware(updateVideoChannel) | 117 | asyncRetryTransactionMiddleware(updateVideoChannel) |
118 | ) | 118 | ) |
@@ -121,7 +121,7 @@ videoChannelRouter.delete('/:nameWithHost', | |||
121 | authenticate, | 121 | authenticate, |
122 | asyncMiddleware(videoChannelsNameWithHostValidator), | 122 | asyncMiddleware(videoChannelsNameWithHostValidator), |
123 | ensureIsLocalChannel, | 123 | ensureIsLocalChannel, |
124 | ensureCanManageChannel, | 124 | ensureCanManageChannelOrAccount, |
125 | asyncMiddleware(videoChannelsRemoveValidator), | 125 | asyncMiddleware(videoChannelsRemoveValidator), |
126 | asyncRetryTransactionMiddleware(removeVideoChannel) | 126 | asyncRetryTransactionMiddleware(removeVideoChannel) |
127 | ) | 127 | ) |
@@ -155,7 +155,7 @@ videoChannelRouter.get('/:nameWithHost/videos', | |||
155 | videoChannelRouter.get('/:nameWithHost/followers', | 155 | videoChannelRouter.get('/:nameWithHost/followers', |
156 | authenticate, | 156 | authenticate, |
157 | asyncMiddleware(videoChannelsNameWithHostValidator), | 157 | asyncMiddleware(videoChannelsNameWithHostValidator), |
158 | ensureCanManageChannel, | 158 | ensureCanManageChannelOrAccount, |
159 | paginationValidator, | 159 | paginationValidator, |
160 | videoChannelsFollowersSortValidator, | 160 | videoChannelsFollowersSortValidator, |
161 | setDefaultSort, | 161 | setDefaultSort, |
@@ -168,7 +168,7 @@ videoChannelRouter.post('/:nameWithHost/import-videos', | |||
168 | asyncMiddleware(videoChannelsNameWithHostValidator), | 168 | asyncMiddleware(videoChannelsNameWithHostValidator), |
169 | asyncMiddleware(videoChannelImportVideosValidator), | 169 | asyncMiddleware(videoChannelImportVideosValidator), |
170 | ensureIsLocalChannel, | 170 | ensureIsLocalChannel, |
171 | ensureCanManageChannel, | 171 | ensureCanManageChannelOrAccount, |
172 | asyncMiddleware(ensureChannelOwnerCanUpload), | 172 | asyncMiddleware(ensureChannelOwnerCanUpload), |
173 | asyncMiddleware(importVideosInChannel) | 173 | asyncMiddleware(importVideosInChannel) |
174 | ) | 174 | ) |
diff --git a/server/middlewares/validators/users.ts b/server/middlewares/validators/users.ts index 282034f6d..2de5265fb 100644 --- a/server/middlewares/validators/users.ts +++ b/server/middlewares/validators/users.ts | |||
@@ -507,13 +507,14 @@ const ensureAuthUserOwnsAccountValidator = [ | |||
507 | } | 507 | } |
508 | ] | 508 | ] |
509 | 509 | ||
510 | const ensureCanManageChannel = [ | 510 | const ensureCanManageChannelOrAccount = [ |
511 | (req: express.Request, res: express.Response, next: express.NextFunction) => { | 511 | (req: express.Request, res: express.Response, next: express.NextFunction) => { |
512 | const user = res.locals.oauth.token.user | 512 | const user = res.locals.oauth.token.user |
513 | const isUserOwner = res.locals.videoChannel.Account.userId === user.id | 513 | const account = res.locals.videoChannel?.Account ?? res.locals.account |
514 | const isUserOwner = account.userId === user.id | ||
514 | 515 | ||
515 | if (!isUserOwner && user.hasRight(UserRight.MANAGE_ANY_VIDEO_CHANNEL) === false) { | 516 | if (!isUserOwner && user.hasRight(UserRight.MANAGE_ANY_VIDEO_CHANNEL) === false) { |
516 | const message = `User ${user.username} does not have right to manage channel ${req.params.nameWithHost}.` | 517 | const message = `User ${user.username} does not have right this channel or account.` |
517 | 518 | ||
518 | return res.fail({ | 519 | return res.fail({ |
519 | status: HttpStatusCode.FORBIDDEN_403, | 520 | status: HttpStatusCode.FORBIDDEN_403, |
@@ -525,7 +526,7 @@ const ensureCanManageChannel = [ | |||
525 | } | 526 | } |
526 | ] | 527 | ] |
527 | 528 | ||
528 | const ensureCanManageUser = [ | 529 | const ensureCanModerateUser = [ |
529 | (req: express.Request, res: express.Response, next: express.NextFunction) => { | 530 | (req: express.Request, res: express.Response, next: express.NextFunction) => { |
530 | const authUser = res.locals.oauth.token.User | 531 | const authUser = res.locals.oauth.token.User |
531 | const onUser = res.locals.user | 532 | const onUser = res.locals.user |
@@ -535,7 +536,7 @@ const ensureCanManageUser = [ | |||
535 | 536 | ||
536 | return res.fail({ | 537 | return res.fail({ |
537 | status: HttpStatusCode.FORBIDDEN_403, | 538 | status: HttpStatusCode.FORBIDDEN_403, |
538 | message: 'A moderator can only manager users.' | 539 | message: 'A moderator can only manage users.' |
539 | }) | 540 | }) |
540 | } | 541 | } |
541 | ] | 542 | ] |
@@ -562,8 +563,8 @@ export { | |||
562 | usersVerifyEmailValidator, | 563 | usersVerifyEmailValidator, |
563 | userAutocompleteValidator, | 564 | userAutocompleteValidator, |
564 | ensureAuthUserOwnsAccountValidator, | 565 | ensureAuthUserOwnsAccountValidator, |
565 | ensureCanManageUser, | 566 | ensureCanModerateUser, |
566 | ensureCanManageChannel | 567 | ensureCanManageChannelOrAccount |
567 | } | 568 | } |
568 | 569 | ||
569 | // --------------------------------------------------------------------------- | 570 | // --------------------------------------------------------------------------- |