authorChocobozzz <me@florianbigard.com>2022-09-07 17:18:29 +0200
committerChocobozzz <me@florianbigard.com>2022-09-08 08:41:48 +0200
commitd4d9bbc6f24522f5d63b0ab105a02f80ca98d702 (patch)
tree9e7e5e5170cea36a489f6c988df892a34c886937 /server
parent8b69f9f02879ee3cf72bc9d4aa96cc71f18e6eea (diff)
Fix channel sync right check
Diffstat (limited to 'server')
-rw-r--r--server/controllers/api/accounts.ts6
-rw-r--r--server/controllers/api/users/index.ts10
-rw-r--r--server/controllers/api/video-channel-sync.ts6
-rw-r--r--server/controllers/api/video-channel.ts18
-rw-r--r--server/middlewares/validators/users.ts15
5 files changed, 28 insertions, 27 deletions
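--- a/server/controllers/api/accounts.ts
+++ b/server/controllers/api/accounts.ts
@@ -3,6 +3,7 @@ import { pickCommonVideoQuery } from '@server/helpers/query'
 import { ActorFollowModel } from '@server/models/actor/actor-follow'
 import { getServerActor } from '@server/models/application/application'
 import { guessAdditionalAttributesFromQuery } from '@server/models/video/formatter/video-format-utils'
+import { VideoChannelSyncModel } from '@server/models/video/video-channel-sync'
 import { buildNSFWFilter, getCountVideos, isUserAbleToSearchRemoteURI } from '../../helpers/express-utils'
 import { getFormattedObjects } from '../../helpers/utils'
 import { JobQueue } from '../../lib/job-queue'
@@ -25,7 +26,7 @@ import {
  accountsFollowersSortValidator,
  accountsSortValidator,
  ensureAuthUserOwnsAccountValidator,
- ensureCanManageUser,
+ ensureCanManageChannelOrAccount,
  videoChannelsSortValidator,
  videoChannelStatsValidator,
  videoChannelSyncsSortValidator,
@@ -37,7 +38,6 @@ import { AccountVideoRateModel } from '../../models/account/account-video-rate'
 import { VideoModel } from '../../models/video/video'
 import { VideoChannelModel } from '../../models/video/video-channel'
 import { VideoPlaylistModel } from '../../models/video/video-playlist'
-import { VideoChannelSyncModel } from '@server/models/video/video-channel-sync'
 
 const accountsRouter = express.Router()
 
@@ -78,7 +78,7 @@ accountsRouter.get('/:accountName/video-channels',
 accountsRouter.get('/:accountName/video-channel-syncs',
  authenticate,
  asyncMiddleware(accountNameWithHostGetValidator),
- ensureCanManageUser,
+ ensureCanManageChannelOrAccount,
  paginationValidator,
  videoChannelSyncsSortValidator,
  setDefaultSort,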
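Review bot: The access-control change on `GET /:accountName/video-channel-syncs` arrives without a regression test: the diffstat for `server` lists five files and none of them looks like a test file. With `ensureCanManageChannelOrAccount` the listing is now decided by account ownership or `UserRight.MANAGE_ANY_VIDEO_CHANNEL`, so a test should pin that another regular user receives 403 here, and that the account owner and a holder of that right are allowed through. A short comment above the middleware in this route, such as `// Account owner, or any user holding MANAGE_ANY_VIDEO_CHANNEL`, would also help, because the middleware name does not say which right gates an account-level listing. The route definition continues past the end of the hunk.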
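--- a/server/controllers/api/users/index.ts
+++ b/server/controllers/api/users/index.ts
@@ -36,7 +36,7 @@ import {
  usersUpdateValidator
 } from '../../../middlewares'
 import {
- ensureCanManageUser,
+ ensureCanModerateUser,
  usersAskResetPasswordValidator,
  usersAskSendVerifyEmailValidator,
  usersBlockingValidator,
@@ -95,14 +95,14 @@ usersRouter.post('/:id/block',
  authenticate,
  ensureUserHasRight(UserRight.MANAGE_USERS),
  asyncMiddleware(usersBlockingValidator),
- ensureCanManageUser,
+ ensureCanModerateUser,
  asyncMiddleware(blockUser)
 )
 usersRouter.post('/:id/unblock',
  authenticate,
  ensureUserHasRight(UserRight.MANAGE_USERS),
  asyncMiddleware(usersBlockingValidator),
- ensureCanManageUser,
+ ensureCanModerateUser,
  asyncMiddleware(unblockUser)
 )
 
@@ -132,7 +132,7 @@ usersRouter.put('/:id',
  authenticate,
  ensureUserHasRight(UserRight.MANAGE_USERS),
  asyncMiddleware(usersUpdateValidator),
- ensureCanManageUser,
+ ensureCanModerateUser,
  asyncMiddleware(updateUser)
 )
 
@@ -140,7 +140,7 @@ usersRouter.delete('/:id',
  authenticate,
  ensureUserHasRight(UserRight.MANAGE_USERS),
  asyncMiddleware(usersRemoveValidator),
- ensureCanManageUser,
+ ensureCanModerateUser,
  asyncMiddleware(removeUser)
 )
 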
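--- a/server/controllers/api/video-channel-sync.ts
+++ b/server/controllers/api/video-channel-sync.ts
@@ -5,7 +5,7 @@ import {
  asyncMiddleware,
  asyncRetryTransactionMiddleware,
  authenticate,
- ensureCanManageChannel as ensureCanManageSyncedChannel,
+ ensureCanManageChannelOrAccount,
  ensureSyncExists,
  ensureSyncIsEnabled,
  videoChannelSyncValidator
@@ -21,14 +21,14 @@ videoChannelSyncRouter.post('/',
  authenticate,
  ensureSyncIsEnabled,
  asyncMiddleware(videoChannelSyncValidator),
- ensureCanManageSyncedChannel,
+ ensureCanManageChannelOrAccount,
  asyncRetryTransactionMiddleware(createVideoChannelSync)
 )
 
 videoChannelSyncRouter.delete('/:id',
  authenticate,
  asyncMiddleware(ensureSyncExists),
- ensureCanManageSyncedChannel,
+ ensureCanManageChannelOrAccount,
  asyncRetryTransactionMiddleware(removeVideoChannelSync)
 )
 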
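--- a/server/controllers/api/video-channel.ts
+++ b/server/controllers/api/video-channel.ts
@@ -23,7 +23,7 @@ import {
  asyncRetryTransactionMiddleware,
  authenticate,
  commonVideosFiltersValidator,
- ensureCanManageChannel,
+ ensureCanManageChannelOrAccount,
  optionalAuthenticate,
  paginationValidator,
  setDefaultPagination,
@@ -77,7 +77,7 @@ videoChannelRouter.post('/:nameWithHost/avatar/pick',
  reqAvatarFile,
  asyncMiddleware(videoChannelsNameWithHostValidator),
  ensureIsLocalChannel,
- ensureCanManageChannel,
+ ensureCanManageChannelOrAccount,
  updateAvatarValidator,
  asyncMiddleware(updateVideoChannelAvatar)
 )
@@ -87,7 +87,7 @@ videoChannelRouter.post('/:nameWithHost/banner/pick',
  reqBannerFile,
  asyncMiddleware(videoChannelsNameWithHostValidator),
  ensureIsLocalChannel,
- ensureCanManageChannel,
+ ensureCanManageChannelOrAccount,
  updateBannerValidator,
  asyncMiddleware(updateVideoChannelBanner)
 )
@@ -96,7 +96,7 @@ videoChannelRouter.delete('/:nameWithHost/avatar',
  authenticate,
  asyncMiddleware(videoChannelsNameWithHostValidator),
  ensureIsLocalChannel,
- ensureCanManageChannel,
+ ensureCanManageChannelOrAccount,
  asyncMiddleware(deleteVideoChannelAvatar)
 )
 
@@ -104,7 +104,7 @@ videoChannelRouter.delete('/:nameWithHost/banner',
  authenticate,
  asyncMiddleware(videoChannelsNameWithHostValidator),
  ensureIsLocalChannel,
- ensureCanManageChannel,
+ ensureCanManageChannelOrAccount,
  asyncMiddleware(deleteVideoChannelBanner)
 )
 
@@ -112,7 +112,7 @@ videoChannelRouter.put('/:nameWithHost',
  authenticate,
  asyncMiddleware(videoChannelsNameWithHostValidator),
  ensureIsLocalChannel,
- ensureCanManageChannel,
+ ensureCanManageChannelOrAccount,
  videoChannelsUpdateValidator,
  asyncRetryTransactionMiddleware(updateVideoChannel)
 )
@@ -121,7 +121,7 @@ videoChannelRouter.delete('/:nameWithHost',
  authenticate,
  asyncMiddleware(videoChannelsNameWithHostValidator),
  ensureIsLocalChannel,
- ensureCanManageChannel,
+ ensureCanManageChannelOrAccount,
  asyncMiddleware(videoChannelsRemoveValidator),
  asyncRetryTransactionMiddleware(removeVideoChannel)
 )
@@ -155,7 +155,7 @@ videoChannelRouter.get('/:nameWithHost/videos',
 videoChannelRouter.get('/:nameWithHost/followers',
  authenticate,
  asyncMiddleware(videoChannelsNameWithHostValidator),
- ensureCanManageChannel,
+ ensureCanManageChannelOrAccount,
  paginationValidator,
  videoChannelsFollowersSortValidator,
  setDefaultSort,
@@ -168,7 +168,7 @@ videoChannelRouter.post('/:nameWithHost/import-videos',
  asyncMiddleware(videoChannelsNameWithHostValidator),
  asyncMiddleware(videoChannelImportVideosValidator),
  ensureIsLocalChannel,
- ensureCanManageChannel,
+ ensureCanManageChannelOrAccount,
  asyncMiddleware(ensureChannelOwnerCanUpload),
  asyncMiddleware(importVideosInChannel)
 )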
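--- a/server/middlewares/validators/users.ts
+++ b/server/middlewares/validators/users.ts
@@ -507,13 +507,14 @@ const ensureAuthUserOwnsAccountValidator = [
  }
 ]
 
-const ensureCanManageChannel = [
+const ensureCanManageChannelOrAccount = [
  (req: express.Request, res: express.Response, next: express.NextFunction) => {
  const user = res.locals.oauth.token.user
- const isUserOwner = res.locals.videoChannel.Account.userId === user.id
+ const account = res.locals.videoChannel?.Account ?? res.locals.account
+ const isUserOwner = account.userId === user.id
 
  if (!isUserOwner && user.hasRight(UserRight.MANAGE_ANY_VIDEO_CHANNEL) === false) {
- const message = `User ${user.username} does not have right to manage channel ${req.params.nameWithHost}.`
+ const message = `User ${user.username} does not have right this channel or account.`
 
  return res.fail({
  status: HttpStatusCode.FORBIDDEN_403,
@@ -525,7 +526,7 @@ const ensureCanManageChannel = [
  }
 ]
 
-const ensureCanManageUser = [
+const ensureCanModerateUser = [
  (req: express.Request, res: express.Response, next: express.NextFunction) => {
  const authUser = res.locals.oauth.token.User
  const onUser = res.locals.user
@@ -535,7 +536,7 @@ const ensureCanManageUser = [
 
  return res.fail({
  status: HttpStatusCode.FORBIDDEN_403,
- message: 'A moderator can only manager users.'
+ message: 'A moderator can only manage users.'
  })
  }
 ]
@@ -562,8 +563,8 @@ export {
  usersVerifyEmailValidator,
  userAutocompleteValidator,
  ensureAuthUserOwnsAccountValidator,
- ensureCanManageUser,
- ensureCanManageChannel
+ ensureCanModerateUser,
+ ensureCanManageChannelOrAccount
 }
 
 // ---------------------------------------------------------------------------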
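Review bot: In `ensureCanManageChannelOrAccount`, `account` is undefined whenever a route reaches the middleware with neither `res.locals.videoChannel` nor `res.locals.account` populated, so `account.userId` throws and the request is refused as an exception (most likely a 500) rather than as an authorization decision. A guard before the ownership test makes the check fail closed explicitly: `if (!account) return res.fail({ status: HttpStatusCode.FORBIDDEN_403, message: 'No channel or account to check rights on.' })`. This is worth confirming for `DELETE /:id` in video-channel-sync.ts, where the only preceding validator is `ensureSyncExists` and the diff does not show which locals it sets. The new message also reads `does not have right this channel or account`; `does not have right to manage this channel or account.` restores the verb, and since the old text named the target, keeping an identifier there would help when reading denied requests in logs. The middle of the function lies between this hunk and the next one and is not visible here.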