aboutsummaryrefslogtreecommitdiffhomepage
path: root/server
diff options
context:
space:
mode:
authorChocobozzz <florian.bigard@gmail.com>2017-10-27 16:55:03 +0200
committerChocobozzz <florian.bigard@gmail.com>2017-10-27 16:55:03 +0200
commit954605a804da399317ca62afa2fb9244afa11ebf (patch)
treede6ee69280bfb928bc01c29430e13d5b820e921a /server
parente02573ad67626210ed279bad321ee139094921a1 (diff)
downloadPeerTube-954605a804da399317ca62afa2fb9244afa11ebf.tar.gz
PeerTube-954605a804da399317ca62afa2fb9244afa11ebf.tar.zst
PeerTube-954605a804da399317ca62afa2fb9244afa11ebf.zip
Support roles with rights and add moderator role
Diffstat (limited to 'server')
-rw-r--r--server/controllers/api/pods.ts9
-rw-r--r--server/controllers/api/request-schedulers.ts6
-rw-r--r--server/controllers/api/users.ts20
-rw-r--r--server/controllers/api/videos/abuse.ts6
-rw-r--r--server/controllers/api/videos/blacklist.ts10
-rw-r--r--server/helpers/custom-validators/users.ts11
-rw-r--r--server/initializers/constants.ts13
-rw-r--r--server/initializers/installer.ts5
-rw-r--r--server/initializers/migrations/0085-user-role.ts39
-rw-r--r--server/middlewares/admin.ts20
-rw-r--r--server/middlewares/index.ts2
-rw-r--r--server/middlewares/user-right.ts24
-rw-r--r--server/middlewares/validators/users.ts5
-rw-r--r--server/middlewares/validators/video-channels.ts6
-rw-r--r--server/middlewares/validators/videos.ts3
-rw-r--r--server/models/user/user-interface.ts9
-rw-r--r--server/models/user/user.ts29
17 files changed, 133 insertions, 84 deletions
diff --git a/server/controllers/api/pods.ts b/server/controllers/api/pods.ts
index bf1b744e5..b44cd6b83 100644
--- a/server/controllers/api/pods.ts
+++ b/server/controllers/api/pods.ts
@@ -9,7 +9,7 @@ import {
9} from '../../lib' 9} from '../../lib'
10import { 10import {
11 authenticate, 11 authenticate,
12 ensureIsAdmin, 12 ensureUserHasRight,
13 makeFriendsValidator, 13 makeFriendsValidator,
14 setBodyHostsPort, 14 setBodyHostsPort,
15 podRemoveValidator, 15 podRemoveValidator,
@@ -20,6 +20,7 @@ import {
20 asyncMiddleware 20 asyncMiddleware
21} from '../../middlewares' 21} from '../../middlewares'
22import { PodInstance } from '../../models' 22import { PodInstance } from '../../models'
23import { UserRight } from '../../../shared'
23 24
24const podsRouter = express.Router() 25const podsRouter = express.Router()
25 26
@@ -32,19 +33,19 @@ podsRouter.get('/',
32) 33)
33podsRouter.post('/make-friends', 34podsRouter.post('/make-friends',
34 authenticate, 35 authenticate,
35 ensureIsAdmin, 36 ensureUserHasRight(UserRight.MANAGE_PODS),
36 makeFriendsValidator, 37 makeFriendsValidator,
37 setBodyHostsPort, 38 setBodyHostsPort,
38 asyncMiddleware(makeFriendsController) 39 asyncMiddleware(makeFriendsController)
39) 40)
40podsRouter.get('/quit-friends', 41podsRouter.get('/quit-friends',
41 authenticate, 42 authenticate,
42 ensureIsAdmin, 43 ensureUserHasRight(UserRight.MANAGE_PODS),
43 asyncMiddleware(quitFriendsController) 44 asyncMiddleware(quitFriendsController)
44) 45)
45podsRouter.delete('/:id', 46podsRouter.delete('/:id',
46 authenticate, 47 authenticate,
47 ensureIsAdmin, 48 ensureUserHasRight(UserRight.MANAGE_PODS),
48 podRemoveValidator, 49 podRemoveValidator,
49 asyncMiddleware(removeFriendController) 50 asyncMiddleware(removeFriendController)
50) 51)
diff --git a/server/controllers/api/request-schedulers.ts b/server/controllers/api/request-schedulers.ts
index 28f46f3ee..4c8fbe18b 100644
--- a/server/controllers/api/request-schedulers.ts
+++ b/server/controllers/api/request-schedulers.ts
@@ -7,14 +7,14 @@ import {
7 getRequestVideoQaduScheduler, 7 getRequestVideoQaduScheduler,
8 getRequestVideoEventScheduler 8 getRequestVideoEventScheduler
9} from '../../lib' 9} from '../../lib'
10import { authenticate, ensureIsAdmin, asyncMiddleware } from '../../middlewares' 10import { authenticate, ensureUserHasRight, asyncMiddleware } from '../../middlewares'
11import { RequestSchedulerStatsAttributes } from '../../../shared' 11import { RequestSchedulerStatsAttributes, UserRight } from '../../../shared'
12 12
13const requestSchedulerRouter = express.Router() 13const requestSchedulerRouter = express.Router()
14 14
15requestSchedulerRouter.get('/stats', 15requestSchedulerRouter.get('/stats',
16 authenticate, 16 authenticate,
17 ensureIsAdmin, 17 ensureUserHasRight(UserRight.MANAGE_REQUEST_SCHEDULERS),
18 asyncMiddleware(getRequestSchedulersStats) 18 asyncMiddleware(getRequestSchedulersStats)
19) 19)
20 20
diff --git a/server/controllers/api/users.ts b/server/controllers/api/users.ts
index 18a094f03..fdc9b0c87 100644
--- a/server/controllers/api/users.ts
+++ b/server/controllers/api/users.ts
@@ -1,11 +1,10 @@
1import * as express from 'express' 1import * as express from 'express'
2 2
3import { database as db } from '../../initializers/database' 3import { database as db, CONFIG } from '../../initializers'
4import { USER_ROLES, CONFIG } from '../../initializers'
5import { logger, getFormattedObjects, retryTransactionWrapper } from '../../helpers' 4import { logger, getFormattedObjects, retryTransactionWrapper } from '../../helpers'
6import { 5import {
7 authenticate, 6 authenticate,
8 ensureIsAdmin, 7 ensureUserHasRight,
9 ensureUserRegistrationAllowed, 8 ensureUserRegistrationAllowed,
10 usersAddValidator, 9 usersAddValidator,
11 usersRegisterValidator, 10 usersRegisterValidator,
@@ -25,7 +24,9 @@ import {
25 UserVideoRate as FormattedUserVideoRate, 24 UserVideoRate as FormattedUserVideoRate,
26 UserCreate, 25 UserCreate,
27 UserUpdate, 26 UserUpdate,
28 UserUpdateMe 27 UserUpdateMe,
28 UserRole,
29 UserRight
29} from '../../../shared' 30} from '../../../shared'
30import { createUserAuthorAndChannel } from '../../lib' 31import { createUserAuthorAndChannel } from '../../lib'
31import { UserInstance } from '../../models' 32import { UserInstance } from '../../models'
@@ -58,7 +59,7 @@ usersRouter.get('/:id',
58 59
59usersRouter.post('/', 60usersRouter.post('/',
60 authenticate, 61 authenticate,
61 ensureIsAdmin, 62 ensureUserHasRight(UserRight.MANAGE_USERS),
62 usersAddValidator, 63 usersAddValidator,
63 createUserRetryWrapper 64 createUserRetryWrapper
64) 65)
@@ -77,14 +78,14 @@ usersRouter.put('/me',
77 78
78usersRouter.put('/:id', 79usersRouter.put('/:id',
79 authenticate, 80 authenticate,
80 ensureIsAdmin, 81 ensureUserHasRight(UserRight.MANAGE_USERS),
81 usersUpdateValidator, 82 usersUpdateValidator,
82 asyncMiddleware(updateUser) 83 asyncMiddleware(updateUser)
83) 84)
84 85
85usersRouter.delete('/:id', 86usersRouter.delete('/:id',
86 authenticate, 87 authenticate,
87 ensureIsAdmin, 88 ensureUserHasRight(UserRight.MANAGE_USERS),
88 usersRemoveValidator, 89 usersRemoveValidator,
89 asyncMiddleware(removeUser) 90 asyncMiddleware(removeUser)
90) 91)
@@ -119,7 +120,7 @@ async function createUser (req: express.Request, res: express.Response, next: ex
119 password: body.password, 120 password: body.password,
120 email: body.email, 121 email: body.email,
121 displayNSFW: false, 122 displayNSFW: false,
122 role: USER_ROLES.USER, 123 role: body.role,
123 videoQuota: body.videoQuota 124 videoQuota: body.videoQuota
124 }) 125 })
125 126
@@ -136,7 +137,7 @@ async function registerUser (req: express.Request, res: express.Response, next:
136 password: body.password, 137 password: body.password,
137 email: body.email, 138 email: body.email,
138 displayNSFW: false, 139 displayNSFW: false,
139 role: USER_ROLES.USER, 140 role: UserRole.USER,
140 videoQuota: CONFIG.USER.VIDEO_QUOTA 141 videoQuota: CONFIG.USER.VIDEO_QUOTA
141 }) 142 })
142 143
@@ -203,6 +204,7 @@ async function updateUser (req: express.Request, res: express.Response, next: ex
203 204
204 if (body.email !== undefined) user.email = body.email 205 if (body.email !== undefined) user.email = body.email
205 if (body.videoQuota !== undefined) user.videoQuota = body.videoQuota 206 if (body.videoQuota !== undefined) user.videoQuota = body.videoQuota
207 if (body.role !== undefined) user.role = body.role
206 208
207 await user.save() 209 await user.save()
208 210
diff --git a/server/controllers/api/videos/abuse.ts b/server/controllers/api/videos/abuse.ts
index 4c7abf395..04349042b 100644
--- a/server/controllers/api/videos/abuse.ts
+++ b/server/controllers/api/videos/abuse.ts
@@ -9,7 +9,7 @@ import {
9} from '../../../helpers' 9} from '../../../helpers'
10import { 10import {
11 authenticate, 11 authenticate,
12 ensureIsAdmin, 12 ensureUserHasRight,
13 paginationValidator, 13 paginationValidator,
14 videoAbuseReportValidator, 14 videoAbuseReportValidator,
15 videoAbusesSortValidator, 15 videoAbusesSortValidator,
@@ -18,13 +18,13 @@ import {
18 asyncMiddleware 18 asyncMiddleware
19} from '../../../middlewares' 19} from '../../../middlewares'
20import { VideoInstance } from '../../../models' 20import { VideoInstance } from '../../../models'
21import { VideoAbuseCreate } from '../../../../shared' 21import { VideoAbuseCreate, UserRight } from '../../../../shared'
22 22
23const abuseVideoRouter = express.Router() 23const abuseVideoRouter = express.Router()
24 24
25abuseVideoRouter.get('/abuse', 25abuseVideoRouter.get('/abuse',
26 authenticate, 26 authenticate,
27 ensureIsAdmin, 27 ensureUserHasRight(UserRight.MANAGE_VIDEO_ABUSES),
28 paginationValidator, 28 paginationValidator,
29 videoAbusesSortValidator, 29 videoAbusesSortValidator,
30 setVideoAbusesSort, 30 setVideoAbusesSort,
diff --git a/server/controllers/api/videos/blacklist.ts b/server/controllers/api/videos/blacklist.ts
index 5a2c3fd80..be7cf6ea4 100644
--- a/server/controllers/api/videos/blacklist.ts
+++ b/server/controllers/api/videos/blacklist.ts
@@ -4,7 +4,7 @@ import { database as db } from '../../../initializers'
4import { logger, getFormattedObjects } from '../../../helpers' 4import { logger, getFormattedObjects } from '../../../helpers'
5import { 5import {
6 authenticate, 6 authenticate,
7 ensureIsAdmin, 7 ensureUserHasRight,
8 videosBlacklistAddValidator, 8 videosBlacklistAddValidator,
9 videosBlacklistRemoveValidator, 9 videosBlacklistRemoveValidator,
10 paginationValidator, 10 paginationValidator,
@@ -14,20 +14,20 @@ import {
14 asyncMiddleware 14 asyncMiddleware
15} from '../../../middlewares' 15} from '../../../middlewares'
16import { BlacklistedVideoInstance } from '../../../models' 16import { BlacklistedVideoInstance } from '../../../models'
17import { BlacklistedVideo } from '../../../../shared' 17import { BlacklistedVideo, UserRight } from '../../../../shared'
18 18
19const blacklistRouter = express.Router() 19const blacklistRouter = express.Router()
20 20
21blacklistRouter.post('/:videoId/blacklist', 21blacklistRouter.post('/:videoId/blacklist',
22 authenticate, 22 authenticate,
23 ensureIsAdmin, 23 ensureUserHasRight(UserRight.MANAGE_VIDEO_BLACKLIST),
24 videosBlacklistAddValidator, 24 videosBlacklistAddValidator,
25 asyncMiddleware(addVideoToBlacklist) 25 asyncMiddleware(addVideoToBlacklist)
26) 26)
27 27
28blacklistRouter.get('/blacklist', 28blacklistRouter.get('/blacklist',
29 authenticate, 29 authenticate,
30 ensureIsAdmin, 30 ensureUserHasRight(UserRight.MANAGE_VIDEO_BLACKLIST),
31 paginationValidator, 31 paginationValidator,
32 blacklistSortValidator, 32 blacklistSortValidator,
33 setBlacklistSort, 33 setBlacklistSort,
@@ -37,7 +37,7 @@ blacklistRouter.get('/blacklist',
37 37
38blacklistRouter.delete('/:videoId/blacklist', 38blacklistRouter.delete('/:videoId/blacklist',
39 authenticate, 39 authenticate,
40 ensureIsAdmin, 40 ensureUserHasRight(UserRight.MANAGE_VIDEO_BLACKLIST),
41 videosBlacklistRemoveValidator, 41 videosBlacklistRemoveValidator,
42 asyncMiddleware(removeVideoFromBlacklistController) 42 asyncMiddleware(removeVideoFromBlacklistController)
43) 43)
diff --git a/server/helpers/custom-validators/users.ts b/server/helpers/custom-validators/users.ts
index c180eccda..f423d6317 100644
--- a/server/helpers/custom-validators/users.ts
+++ b/server/helpers/custom-validators/users.ts
@@ -1,9 +1,8 @@
1import { values } from 'lodash'
2import * as validator from 'validator' 1import * as validator from 'validator'
3import 'express-validator' 2import 'express-validator'
4 3
5import { exists } from './misc' 4import { exists } from './misc'
6import { CONSTRAINTS_FIELDS, USER_ROLES } from '../../initializers' 5import { CONSTRAINTS_FIELDS } from '../../initializers'
7import { UserRole } from '../../../shared' 6import { UserRole } from '../../../shared'
8 7
9const USERS_CONSTRAINTS_FIELDS = CONSTRAINTS_FIELDS.USERS 8const USERS_CONSTRAINTS_FIELDS = CONSTRAINTS_FIELDS.USERS
@@ -12,10 +11,6 @@ function isUserPasswordValid (value: string) {
12 return validator.isLength(value, USERS_CONSTRAINTS_FIELDS.PASSWORD) 11 return validator.isLength(value, USERS_CONSTRAINTS_FIELDS.PASSWORD)
13} 12}
14 13
15function isUserRoleValid (value: string) {
16 return values(USER_ROLES).indexOf(value as UserRole) !== -1
17}
18
19function isUserVideoQuotaValid (value: string) { 14function isUserVideoQuotaValid (value: string) {
20 return exists(value) && validator.isInt(value + '', USERS_CONSTRAINTS_FIELDS.VIDEO_QUOTA) 15 return exists(value) && validator.isInt(value + '', USERS_CONSTRAINTS_FIELDS.VIDEO_QUOTA)
21} 16}
@@ -30,6 +25,10 @@ function isUserDisplayNSFWValid (value: any) {
30 return typeof value === 'boolean' || (typeof value === 'string' && validator.isBoolean(value)) 25 return typeof value === 'boolean' || (typeof value === 'string' && validator.isBoolean(value))
31} 26}
32 27
28function isUserRoleValid (value: any) {
29 return exists(value) && validator.isInt('' + value) && UserRole[value] !== undefined
30}
31
33// --------------------------------------------------------------------------- 32// ---------------------------------------------------------------------------
34 33
35export { 34export {
diff --git a/server/initializers/constants.ts b/server/initializers/constants.ts
index 1581a3195..6dc9737d2 100644
--- a/server/initializers/constants.ts
+++ b/server/initializers/constants.ts
@@ -5,7 +5,6 @@ import { join } from 'path'
5import { root, isTestInstance } from '../helpers/core-utils' 5import { root, isTestInstance } from '../helpers/core-utils'
6 6
7import { 7import {
8 UserRole,
9 VideoRateType, 8 VideoRateType,
10 RequestEndpoint, 9 RequestEndpoint,
11 RequestVideoEventType, 10 RequestVideoEventType,
@@ -16,7 +15,7 @@ import {
16 15
17// --------------------------------------------------------------------------- 16// ---------------------------------------------------------------------------
18 17
19const LAST_MIGRATION_VERSION = 80 18const LAST_MIGRATION_VERSION = 85
20 19
21// --------------------------------------------------------------------------- 20// ---------------------------------------------------------------------------
22 21
@@ -283,7 +282,6 @@ const JOB_STATES: { [ id: string ]: JobState } = {
283} 282}
284// How many maximum jobs we fetch from the database per cycle 283// How many maximum jobs we fetch from the database per cycle
285const JOBS_FETCH_LIMIT_PER_CYCLE = 10 284const JOBS_FETCH_LIMIT_PER_CYCLE = 10
286const JOBS_CONCURRENCY = 1
287// 1 minutes 285// 1 minutes
288let JOBS_FETCHING_INTERVAL = 60000 286let JOBS_FETCHING_INTERVAL = 60000
289 287
@@ -334,13 +332,6 @@ const CACHE = {
334 332
335// --------------------------------------------------------------------------- 333// ---------------------------------------------------------------------------
336 334
337const USER_ROLES: { [ id: string ]: UserRole } = {
338 ADMIN: 'admin',
339 USER: 'user'
340}
341
342// ---------------------------------------------------------------------------
343
344const OPENGRAPH_AND_OEMBED_COMMENT = '<!-- open graph and oembed tags -->' 335const OPENGRAPH_AND_OEMBED_COMMENT = '<!-- open graph and oembed tags -->'
345 336
346// --------------------------------------------------------------------------- 337// ---------------------------------------------------------------------------
@@ -367,7 +358,6 @@ export {
367 EMBED_SIZE, 358 EMBED_SIZE,
368 FRIEND_SCORE, 359 FRIEND_SCORE,
369 JOB_STATES, 360 JOB_STATES,
370 JOBS_CONCURRENCY,
371 JOBS_FETCH_LIMIT_PER_CYCLE, 361 JOBS_FETCH_LIMIT_PER_CYCLE,
372 JOBS_FETCHING_INTERVAL, 362 JOBS_FETCHING_INTERVAL,
373 LAST_MIGRATION_VERSION, 363 LAST_MIGRATION_VERSION,
@@ -401,7 +391,6 @@ export {
401 STATIC_MAX_AGE, 391 STATIC_MAX_AGE,
402 STATIC_PATHS, 392 STATIC_PATHS,
403 THUMBNAILS_SIZE, 393 THUMBNAILS_SIZE,
404 USER_ROLES,
405 VIDEO_CATEGORIES, 394 VIDEO_CATEGORIES,
406 VIDEO_LANGUAGES, 395 VIDEO_LANGUAGES,
407 VIDEO_LICENCES, 396 VIDEO_LICENCES,
diff --git a/server/initializers/installer.ts b/server/initializers/installer.ts
index 4c04290fc..077472341 100644
--- a/server/initializers/installer.ts
+++ b/server/initializers/installer.ts
@@ -2,10 +2,11 @@ import * as passwordGenerator from 'password-generator'
2import * as Bluebird from 'bluebird' 2import * as Bluebird from 'bluebird'
3 3
4import { database as db } from './database' 4import { database as db } from './database'
5import { USER_ROLES, CONFIG, LAST_MIGRATION_VERSION, CACHE } from './constants' 5import { CONFIG, LAST_MIGRATION_VERSION, CACHE } from './constants'
6import { clientsExist, usersExist } from './checker' 6import { clientsExist, usersExist } from './checker'
7import { logger, createCertsIfNotExist, mkdirpPromise, rimrafPromise } from '../helpers' 7import { logger, createCertsIfNotExist, mkdirpPromise, rimrafPromise } from '../helpers'
8import { createUserAuthorAndChannel } from '../lib' 8import { createUserAuthorAndChannel } from '../lib'
9import { UserRole } from '../../shared'
9 10
10async function installApplication () { 11async function installApplication () {
11 await db.sequelize.sync() 12 await db.sequelize.sync()
@@ -88,7 +89,7 @@ async function createOAuthAdminIfNotExist () {
88 logger.info('Creating the administrator.') 89 logger.info('Creating the administrator.')
89 90
90 const username = 'root' 91 const username = 'root'
91 const role = USER_ROLES.ADMIN 92 const role = UserRole.ADMINISTRATOR
92 const email = CONFIG.ADMIN.EMAIL 93 const email = CONFIG.ADMIN.EMAIL
93 let validatePassword = true 94 let validatePassword = true
94 let password = '' 95 let password = ''
diff --git a/server/initializers/migrations/0085-user-role.ts b/server/initializers/migrations/0085-user-role.ts
new file mode 100644
index 000000000..e67c5ca24
--- /dev/null
+++ b/server/initializers/migrations/0085-user-role.ts
@@ -0,0 +1,39 @@
1import * as Sequelize from 'sequelize'
2import * as uuidv4 from 'uuid/v4'
3
4async function up (utils: {
5 transaction: Sequelize.Transaction,
6 queryInterface: Sequelize.QueryInterface,
7 sequelize: Sequelize.Sequelize,
8 db: any
9}): Promise<void> {
10 const q = utils.queryInterface
11
12 await q.renameColumn('Users', 'role', 'oldRole')
13
14 const data = {
15 type: Sequelize.INTEGER,
16 allowNull: true
17 }
18 await q.addColumn('Users', 'role', data)
19
20 let query = 'UPDATE "Users" SET "role" = 0 WHERE "oldRole" = \'admin\''
21 await utils.sequelize.query(query)
22
23 query = 'UPDATE "Users" SET "role" = 2 WHERE "oldRole" = \'user\''
24 await utils.sequelize.query(query)
25
26 data.allowNull = false
27 await q.changeColumn('Users', 'role', data)
28
29 await q.removeColumn('Users', 'oldRole')
30}
31
32function down (options) {
33 throw new Error('Not implemented.')
34}
35
36export {
37 up,
38 down
39}
diff --git a/server/middlewares/admin.ts b/server/middlewares/admin.ts
deleted file mode 100644
index 812397352..000000000
--- a/server/middlewares/admin.ts
+++ /dev/null
@@ -1,20 +0,0 @@
1import 'express-validator'
2import * as express from 'express'
3
4import { logger } from '../helpers'
5
6function ensureIsAdmin (req: express.Request, res: express.Response, next: express.NextFunction) {
7 const user = res.locals.oauth.token.user
8 if (user.isAdmin() === false) {
9 logger.info('A non admin user is trying to access to an admin content.')
10 return res.sendStatus(403)
11 }
12
13 return next()
14}
15
16// ---------------------------------------------------------------------------
17
18export {
19 ensureIsAdmin
20}
diff --git a/server/middlewares/index.ts b/server/middlewares/index.ts
index 0e2c850e1..cec3e0b2a 100644
--- a/server/middlewares/index.ts
+++ b/server/middlewares/index.ts
@@ -1,5 +1,4 @@
1export * from './validators' 1export * from './validators'
2export * from './admin'
3export * from './async' 2export * from './async'
4export * from './oauth' 3export * from './oauth'
5export * from './pagination' 4export * from './pagination'
@@ -7,3 +6,4 @@ export * from './pods'
7export * from './search' 6export * from './search'
8export * from './secure' 7export * from './secure'
9export * from './sort' 8export * from './sort'
9export * from './user-right'
diff --git a/server/middlewares/user-right.ts b/server/middlewares/user-right.ts
new file mode 100644
index 000000000..bcebe9d7f
--- /dev/null
+++ b/server/middlewares/user-right.ts
@@ -0,0 +1,24 @@
1import 'express-validator'
2import * as express from 'express'
3
4import { UserInstance } from '../models'
5import { UserRight } from '../../shared'
6import { logger } from '../helpers'
7
8function ensureUserHasRight (userRight: UserRight) {
9 return function (req: express.Request, res: express.Response, next: express.NextFunction) {
10 const user: UserInstance = res.locals.oauth.token.user
11 if (user.hasRight(userRight) === false) {
12 logger.info('User %s does not have right %s to access to %s.', user.username, UserRight[userRight], req.path)
13 return res.sendStatus(403)
14 }
15
16 return next()
17 }
18}
19
20// ---------------------------------------------------------------------------
21
22export {
23 ensureUserHasRight
24}
diff --git a/server/middlewares/validators/users.ts b/server/middlewares/validators/users.ts
index 1a33cfd8c..0b463acc0 100644
--- a/server/middlewares/validators/users.ts
+++ b/server/middlewares/validators/users.ts
@@ -13,7 +13,8 @@ import {
13 isUserPasswordValid, 13 isUserPasswordValid,
14 isUserVideoQuotaValid, 14 isUserVideoQuotaValid,
15 isUserDisplayNSFWValid, 15 isUserDisplayNSFWValid,
16 isIdOrUUIDValid 16 isIdOrUUIDValid,
17 isUserRoleValid
17} from '../../helpers' 18} from '../../helpers'
18import { UserInstance, VideoInstance } from '../../models' 19import { UserInstance, VideoInstance } from '../../models'
19 20
@@ -22,6 +23,7 @@ const usersAddValidator = [
22 body('password').custom(isUserPasswordValid).withMessage('Should have a valid password'), 23 body('password').custom(isUserPasswordValid).withMessage('Should have a valid password'),
23 body('email').isEmail().withMessage('Should have a valid email'), 24 body('email').isEmail().withMessage('Should have a valid email'),
24 body('videoQuota').custom(isUserVideoQuotaValid).withMessage('Should have a valid user quota'), 25 body('videoQuota').custom(isUserVideoQuotaValid).withMessage('Should have a valid user quota'),
26 body('role').custom(isUserRoleValid).withMessage('Should have a valid role'),
25 27
26 (req: express.Request, res: express.Response, next: express.NextFunction) => { 28 (req: express.Request, res: express.Response, next: express.NextFunction) => {
27 logger.debug('Checking usersAdd parameters', { parameters: req.body }) 29 logger.debug('Checking usersAdd parameters', { parameters: req.body })
@@ -75,6 +77,7 @@ const usersUpdateValidator = [
75 param('id').isInt().not().isEmpty().withMessage('Should have a valid id'), 77 param('id').isInt().not().isEmpty().withMessage('Should have a valid id'),
76 body('email').optional().isEmail().withMessage('Should have a valid email attribute'), 78 body('email').optional().isEmail().withMessage('Should have a valid email attribute'),
77 body('videoQuota').optional().custom(isUserVideoQuotaValid).withMessage('Should have a valid user quota'), 79 body('videoQuota').optional().custom(isUserVideoQuotaValid).withMessage('Should have a valid user quota'),
80 body('role').optional().custom(isUserRoleValid).withMessage('Should have a valid role'),
78 81
79 (req: express.Request, res: express.Response, next: express.NextFunction) => { 82 (req: express.Request, res: express.Response, next: express.NextFunction) => {
80 logger.debug('Checking usersUpdate parameters', { parameters: req.body }) 83 logger.debug('Checking usersUpdate parameters', { parameters: req.body })
diff --git a/server/middlewares/validators/video-channels.ts b/server/middlewares/validators/video-channels.ts
index 979fbd34a..7d611728b 100644
--- a/server/middlewares/validators/video-channels.ts
+++ b/server/middlewares/validators/video-channels.ts
@@ -11,6 +11,8 @@ import {
11 checkVideoChannelExists, 11 checkVideoChannelExists,
12 checkVideoAuthorExists 12 checkVideoAuthorExists
13} from '../../helpers' 13} from '../../helpers'
14import { UserInstance } from '../../models'
15import { UserRight } from '../../../shared'
14 16
15const listVideoAuthorChannelsValidator = [ 17const listVideoAuthorChannelsValidator = [
16 param('authorId').custom(isIdOrUUIDValid).withMessage('Should have a valid author id'), 18 param('authorId').custom(isIdOrUUIDValid).withMessage('Should have a valid author id'),
@@ -106,7 +108,7 @@ export {
106// --------------------------------------------------------------------------- 108// ---------------------------------------------------------------------------
107 109
108function checkUserCanDeleteVideoChannel (res: express.Response, callback: () => void) { 110function checkUserCanDeleteVideoChannel (res: express.Response, callback: () => void) {
109 const user = res.locals.oauth.token.User 111 const user: UserInstance = res.locals.oauth.token.User
110 112
111 // Retrieve the user who did the request 113 // Retrieve the user who did the request
112 if (res.locals.videoChannel.isOwned() === false) { 114 if (res.locals.videoChannel.isOwned() === false) {
@@ -118,7 +120,7 @@ function checkUserCanDeleteVideoChannel (res: express.Response, callback: () =>
118 // Check if the user can delete the video channel 120 // Check if the user can delete the video channel
119 // The user can delete it if s/he is an admin 121 // The user can delete it if s/he is an admin
120 // Or if s/he is the video channel's author 122 // Or if s/he is the video channel's author
121 if (user.isAdmin() === false && res.locals.videoChannel.Author.userId !== user.id) { 123 if (user.hasRight(UserRight.REMOVE_ANY_VIDEO_CHANNEL) === false && res.locals.videoChannel.Author.userId !== user.id) {
122 return res.status(403) 124 return res.status(403)
123 .json({ error: 'Cannot remove video channel of another user' }) 125 .json({ error: 'Cannot remove video channel of another user' })
124 .end() 126 .end()
diff --git a/server/middlewares/validators/videos.ts b/server/middlewares/validators/videos.ts
index a032d14ce..0c07404c5 100644
--- a/server/middlewares/validators/videos.ts
+++ b/server/middlewares/validators/videos.ts
@@ -22,6 +22,7 @@ import {
22 checkVideoExists, 22 checkVideoExists,
23 isIdValid 23 isIdValid
24} from '../../helpers' 24} from '../../helpers'
25import { UserRight } from '../../../shared'
25 26
26const videosAddValidator = [ 27const videosAddValidator = [
27 body('videofile').custom((value, { req }) => isVideoFile(req.files)).withMessage( 28 body('videofile').custom((value, { req }) => isVideoFile(req.files)).withMessage(
@@ -231,7 +232,7 @@ function checkUserCanDeleteVideo (userId: number, res: express.Response, callbac
231 // Check if the user can delete the video 232 // Check if the user can delete the video
232 // The user can delete it if s/he is an admin 233 // The user can delete it if s/he is an admin
233 // Or if s/he is the video's author 234 // Or if s/he is the video's author
234 if (user.isAdmin() === false && res.locals.video.Author.userId !== res.locals.oauth.token.User.id) { 235 if (user.hasRight(UserRight.REMOVE_ANY_VIDEO) === false && res.locals.video.Author.userId !== res.locals.oauth.token.User.id) {
235 return res.status(403) 236 return res.status(403)
236 .json({ error: 'Cannot remove video of another user' }) 237 .json({ error: 'Cannot remove video of another user' })
237 .end() 238 .end()
diff --git a/server/models/user/user-interface.ts b/server/models/user/user-interface.ts
index 1b5233eaf..49c75aa3b 100644
--- a/server/models/user/user-interface.ts
+++ b/server/models/user/user-interface.ts
@@ -3,15 +3,16 @@ import * as Promise from 'bluebird'
3 3
4// Don't use barrel, import just what we need 4// Don't use barrel, import just what we need
5import { User as FormattedUser } from '../../../shared/models/users/user.model' 5import { User as FormattedUser } from '../../../shared/models/users/user.model'
6import { UserRole } from '../../../shared/models/users/user-role.type'
7import { ResultList } from '../../../shared/models/result-list.model' 6import { ResultList } from '../../../shared/models/result-list.model'
8import { AuthorInstance } from '../video/author-interface' 7import { AuthorInstance } from '../video/author-interface'
8import { UserRight } from '../../../shared/models/users/user-right.enum'
9import { UserRole } from '../../../shared/models/users/user-role'
9 10
10export namespace UserMethods { 11export namespace UserMethods {
12 export type HasRight = (this: UserInstance, right: UserRight) => boolean
11 export type IsPasswordMatch = (this: UserInstance, password: string) => Promise<boolean> 13 export type IsPasswordMatch = (this: UserInstance, password: string) => Promise<boolean>
12 14
13 export type ToFormattedJSON = (this: UserInstance) => FormattedUser 15 export type ToFormattedJSON = (this: UserInstance) => FormattedUser
14 export type IsAdmin = (this: UserInstance) => boolean
15 export type IsAbleToUploadVideo = (this: UserInstance, videoFile: Express.Multer.File) => Promise<boolean> 16 export type IsAbleToUploadVideo = (this: UserInstance, videoFile: Express.Multer.File) => Promise<boolean>
16 17
17 export type CountTotal = () => Promise<number> 18 export type CountTotal = () => Promise<number>
@@ -31,7 +32,7 @@ export namespace UserMethods {
31export interface UserClass { 32export interface UserClass {
32 isPasswordMatch: UserMethods.IsPasswordMatch, 33 isPasswordMatch: UserMethods.IsPasswordMatch,
33 toFormattedJSON: UserMethods.ToFormattedJSON, 34 toFormattedJSON: UserMethods.ToFormattedJSON,
34 isAdmin: UserMethods.IsAdmin, 35 hasRight: UserMethods.HasRight,
35 isAbleToUploadVideo: UserMethods.IsAbleToUploadVideo, 36 isAbleToUploadVideo: UserMethods.IsAbleToUploadVideo,
36 37
37 countTotal: UserMethods.CountTotal, 38 countTotal: UserMethods.CountTotal,
@@ -62,7 +63,7 @@ export interface UserInstance extends UserClass, UserAttributes, Sequelize.Insta
62 63
63 isPasswordMatch: UserMethods.IsPasswordMatch 64 isPasswordMatch: UserMethods.IsPasswordMatch
64 toFormattedJSON: UserMethods.ToFormattedJSON 65 toFormattedJSON: UserMethods.ToFormattedJSON
65 isAdmin: UserMethods.IsAdmin 66 hasRight: UserMethods.HasRight
66} 67}
67 68
68export interface UserModel extends UserClass, Sequelize.Model<UserInstance, UserAttributes> {} 69export interface UserModel extends UserClass, Sequelize.Model<UserInstance, UserAttributes> {}
diff --git a/server/models/user/user.ts b/server/models/user/user.ts
index 074c9c121..3c625e450 100644
--- a/server/models/user/user.ts
+++ b/server/models/user/user.ts
@@ -1,17 +1,17 @@
1import { values } from 'lodash'
2import * as Sequelize from 'sequelize' 1import * as Sequelize from 'sequelize'
3import * as Promise from 'bluebird' 2import * as Promise from 'bluebird'
4 3
5import { getSort } from '../utils' 4import { getSort } from '../utils'
6import { USER_ROLES } from '../../initializers'
7import { 5import {
8 cryptPassword, 6 cryptPassword,
9 comparePassword, 7 comparePassword,
10 isUserPasswordValid, 8 isUserPasswordValid,
11 isUserUsernameValid, 9 isUserUsernameValid,
12 isUserDisplayNSFWValid, 10 isUserDisplayNSFWValid,
13 isUserVideoQuotaValid 11 isUserVideoQuotaValid,
12 isUserRoleValid
14} from '../../helpers' 13} from '../../helpers'
14import { UserRight, USER_ROLE_LABELS, hasUserRight } from '../../../shared'
15 15
16import { addMethodsToModel } from '../utils' 16import { addMethodsToModel } from '../utils'
17import { 17import {
@@ -23,8 +23,8 @@ import {
23 23
24let User: Sequelize.Model<UserInstance, UserAttributes> 24let User: Sequelize.Model<UserInstance, UserAttributes>
25let isPasswordMatch: UserMethods.IsPasswordMatch 25let isPasswordMatch: UserMethods.IsPasswordMatch
26let hasRight: UserMethods.HasRight
26let toFormattedJSON: UserMethods.ToFormattedJSON 27let toFormattedJSON: UserMethods.ToFormattedJSON
27let isAdmin: UserMethods.IsAdmin
28let countTotal: UserMethods.CountTotal 28let countTotal: UserMethods.CountTotal
29let getByUsername: UserMethods.GetByUsername 29let getByUsername: UserMethods.GetByUsername
30let listForApi: UserMethods.ListForApi 30let listForApi: UserMethods.ListForApi
@@ -76,8 +76,14 @@ export default function (sequelize: Sequelize.Sequelize, DataTypes: Sequelize.Da
76 } 76 }
77 }, 77 },
78 role: { 78 role: {
79 type: DataTypes.ENUM(values(USER_ROLES)), 79 type: DataTypes.INTEGER,
80 allowNull: false 80 allowNull: false,
81 validate: {
82 roleValid: value => {
83 const res = isUserRoleValid(value)
84 if (res === false) throw new Error('Role is not valid.')
85 }
86 }
81 }, 87 },
82 videoQuota: { 88 videoQuota: {
83 type: DataTypes.BIGINT, 89 type: DataTypes.BIGINT,
@@ -120,9 +126,9 @@ export default function (sequelize: Sequelize.Sequelize, DataTypes: Sequelize.Da
120 loadByUsernameOrEmail 126 loadByUsernameOrEmail
121 ] 127 ]
122 const instanceMethods = [ 128 const instanceMethods = [
129 hasRight,
123 isPasswordMatch, 130 isPasswordMatch,
124 toFormattedJSON, 131 toFormattedJSON,
125 isAdmin,
126 isAbleToUploadVideo 132 isAbleToUploadVideo
127 ] 133 ]
128 addMethodsToModel(User, classMethods, instanceMethods) 134 addMethodsToModel(User, classMethods, instanceMethods)
@@ -139,6 +145,10 @@ function beforeCreateOrUpdate (user: UserInstance) {
139 145
140// ------------------------------ METHODS ------------------------------ 146// ------------------------------ METHODS ------------------------------
141 147
148hasRight = function (this: UserInstance, right: UserRight) {
149 return hasUserRight(this.role, right)
150}
151
142isPasswordMatch = function (this: UserInstance, password: string) { 152isPasswordMatch = function (this: UserInstance, password: string) {
143 return comparePassword(password, this.password) 153 return comparePassword(password, this.password)
144} 154}
@@ -150,6 +160,7 @@ toFormattedJSON = function (this: UserInstance) {
150 email: this.email, 160 email: this.email,
151 displayNSFW: this.displayNSFW, 161 displayNSFW: this.displayNSFW,
152 role: this.role, 162 role: this.role,
163 roleLabel: USER_ROLE_LABELS[this.role],
153 videoQuota: this.videoQuota, 164 videoQuota: this.videoQuota,
154 createdAt: this.createdAt, 165 createdAt: this.createdAt,
155 author: { 166 author: {
@@ -174,10 +185,6 @@ toFormattedJSON = function (this: UserInstance) {
174 return json 185 return json
175} 186}
176 187
177isAdmin = function (this: UserInstance) {
178 return this.role === USER_ROLES.ADMIN
179}
180
181isAbleToUploadVideo = function (this: UserInstance, videoFile: Express.Multer.File) { 188isAbleToUploadVideo = function (this: UserInstance, videoFile: Express.Multer.File) {
182 if (this.videoQuota === -1) return Promise.resolve(true) 189 if (this.videoQuota === -1) return Promise.resolve(true)
183 190