1 files changed, 39 insertions, 33 deletions
diff --git a/server/middlewares/validators/users.ts b/server/middlewares/validators/users.ts
index da92c715d..16d297047 100644
--- a/server/middlewares/validators/users.ts
+++ b/server/middlewares/validators/users.ts
@@ -30,6 +30,7 @@ import { UserRegister } from '../../../shared/models/users/user-register.model'
 import { isThemeNameValid } from '../../helpers/custom-validators/plugins'
 import { isThemeRegistered } from '../../lib/plugins/theme-utils'
 import { doesVideoExist } from '../../helpers/middlewares'
+import { UserRole } from '../../../shared/models/users'
 const usersAddValidator = [
  body('username').custom(isUserUsernameValid).withMessage('Should have a valid username (lowercase alphanumeric characters)'),
@@ -46,6 +47,12 @@ const usersAddValidator = [
    if (areValidationErrors(req, res)) return
    if (!await checkUserNameOrEmailDoesNotAlreadyExist(req.body.username, req.body.email, res)) return
+    const authUser = res.locals.oauth.token.User
+    if (authUser.role !== UserRole.ADMINISTRATOR && req.body.role !== UserRole.USER) {
+      return res.status(403)
+        .json({ error: 'You can only create users (and not administrators or moderators' })
+    }
    return next()
  }
 ]
@@ -75,21 +82,18 @@ const usersRegisterValidator = [
    if (body.channel) {
      if (!body.channel.name || !body.channel.displayName) {
        return res.status(400)
-          .send({ error: 'Channel is optional but if you specify it, channel.name and channel.displayName are required.' })
+          .json({ error: 'Channel is optional but if you specify it, channel.name and channel.displayName are required.' })
-          .end()
      }
      if (body.channel.name === body.username) {
        return res.status(400)
-                  .send({ error: 'Channel name cannot be the same than user username.' })
+                  .json({ error: 'Channel name cannot be the same than user username.' })
-                  .end()
      }
      const existing = await ActorModel.loadLocalByName(body.channel.name)
      if (existing) {
        return res.status(409)
-                  .send({ error: `Channel with name ${body.channel.name} already exists.` })
+                  .json({ error: `Channel with name ${body.channel.name} already exists.` })
-                  .end()
      }
    }
@@ -109,8 +113,7 @@ const usersRemoveValidator = [
    const user = res.locals.user
    if (user.username === 'root') {
      return res.status(400)
-                .send({ error: 'Cannot remove the root user' })
+                .json({ error: 'Cannot remove the root user' })
-                .end()
    }
    return next()
@@ -130,8 +133,7 @@ const usersBlockingValidator = [
    const user = res.locals.user
    if (user.username === 'root') {
      return res.status(400)
-                .send({ error: 'Cannot block the root user' })
+                .json({ error: 'Cannot block the root user' })
-                .end()
    }
    return next()
@@ -143,7 +145,7 @@ const deleteMeValidator = [
    const user = res.locals.oauth.token.User
    if (user.username === 'root') {
      return res.status(400)
-                .send({ error: 'You cannot delete your root account.' })
+                .json({ error: 'You cannot delete your root account.' })
                .end()
    }
@@ -170,8 +172,7 @@ const usersUpdateValidator = [
    const user = res.locals.user
    if (user.username === 'root' && req.body.role !== undefined && user.role !== req.body.role) {
      return res.status(400)
-        .send({ error: 'Cannot change root role.' })
+        .json({ error: 'Cannot change root role.' })
-        .end()
    }
    return next()
@@ -216,15 +217,14 @@ const usersUpdateMeValidator = [
    if (req.body.password || req.body.email) {
      if (!req.body.currentPassword) {
        return res.status(400)
-                  .send({ error: 'currentPassword parameter is missing.' })
+                  .json({ error: 'currentPassword parameter is missing.' })
                  .end()
      }
      const user = res.locals.oauth.token.User
      if (await user.isPasswordMatch(req.body.currentPassword) !== true) {
        return res.status(401)
-                  .send({ error: 'currentPassword is invalid.' })
+                  .json({ error: 'currentPassword is invalid.' })
-                  .end()
      }
    }
@@ -265,8 +265,7 @@ const ensureUserRegistrationAllowed = [
    const allowed = await isSignupAllowed()
    if (allowed === false) {
      return res.status(403)
-                .send({ error: 'User registration is not enabled or user limit is reached.' })
+                .json({ error: 'User registration is not enabled or user limit is reached.' })
-                .end()
    }
    return next()
@@ -279,8 +278,7 @@ const ensureUserRegistrationAllowedForIP = [
    if (allowed === false) {
      return res.status(403)
-                .send({ error: 'You are not on a network authorized for registration.' })
+                .json({ error: 'You are not on a network authorized for registration.' })
-                .end()
    }
    return next()
@@ -323,8 +321,7 @@ const usersResetPasswordValidator = [
    if (redisVerificationString !== req.body.verificationString) {
      return res
        .status(403)
-        .send({ error: 'Invalid verification string.' })
+        .json({ error: 'Invalid verification string.' })
-        .end()
    }
    return next()
@@ -371,8 +368,7 @@ const usersVerifyEmailValidator = [
    if (redisVerificationString !== req.body.verificationString) {
      return res
        .status(403)
-        .send({ error: 'Invalid verification string.' })
+        .json({ error: 'Invalid verification string.' })
-        .end()
    }
    return next()
@@ -389,14 +385,26 @@ const ensureAuthUserOwnsAccountValidator = [
    if (res.locals.account.id !== user.Account.id) {
      return res.status(403)
-                .send({ error: 'Only owner can access ratings list.' })
+                .json({ error: 'Only owner can access ratings list.' })
-                .end()
    }
    return next()
  }
 ]
+const ensureCanManageUser = [
+  (req: express.Request, res: express.Response, next: express.NextFunction) => {
+    const authUser = res.locals.oauth.token.User
+    const onUser = res.locals.user
+    if (authUser.role === UserRole.ADMINISTRATOR) return next()
+    if (authUser.role === UserRole.MODERATOR && onUser.role === UserRole.USER) return next()
+    return res.status(403)
+      .json({ error: 'A moderator can only manager users.' })
+  }
+]
 // ---------------------------------------------------------------------------
 export {
@@ -416,7 +424,8 @@ export {
  usersAskSendVerifyEmailValidator,
  usersVerifyEmailValidator,
  userAutocompleteValidator,
-  ensureAuthUserOwnsAccountValidator
+  ensureAuthUserOwnsAccountValidator,
+  ensureCanManageUser
 }
 // ---------------------------------------------------------------------------
@@ -434,16 +443,14 @@ async function checkUserNameOrEmailDoesNotAlreadyExist (username: string, email:
  if (user) {
    res.status(409)
-              .send({ error: 'User with this username or email already exists.' })
+              .json({ error: 'User with this username or email already exists.' })
-              .end()
    return false
  }
  const actor = await ActorModel.loadLocalByName(username)
  if (actor) {
    res.status(409)
-       .send({ error: 'Another actor (account/channel) with this name on this instance already exists or has already existed.' })
+       .json({ error: 'Another actor (account/channel) with this name on this instance already exists or has already existed.' })
-       .end()
    return false
  }
@@ -456,8 +463,7 @@ async function checkUserExist (finder: () => Bluebird<UserModel>, res: express.R
  if (!user) {
    if (abortResponse === true) {
      res.status(404)
-        .send({ error: 'User not found' })
+        .json({ error: 'User not found' })
-        .end()
    }
    return false