Diffstat (limited to 'server/middlewares/validators/users.ts')
-rw-r--r--server/middlewares/validators/users.ts55
1 files changed, 30 insertions, 25 deletions
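--- a/server/middlewares/validators/users.ts
+++ b/server/middlewares/validators/users.ts
@@ -37,6 +37,7 @@ import { doesVideoExist } from '../../helpers/middlewares'
 import { UserRole } from '../../../shared/models/users'
 import { MUserDefault } from '@server/types/models'
 import { Hooks } from '@server/lib/plugins/hooks'
+import { HttpStatusCode } from '../../../shared/core-utils/miscs/http-error-codes'
 
 const usersListValidator = [
   query('blocked')
@@ -73,19 +74,22 @@ const usersAddValidator = [
 
     const authUser = res.locals.oauth.token.User
     if (authUser.role !== UserRole.ADMINISTRATOR && req.body.role !== UserRole.USER) {
-      return res.status(403)
+      return res
+        .status(HttpStatusCode.FORBIDDEN_403)
         .json({ error: 'You can only create users (and not administrators or moderators)' })
     }
 
     if (req.body.channelName) {
       if (req.body.channelName === req.body.username) {
-        return res.status(400)
+        return res
+          .status(HttpStatusCode.BAD_REQUEST_400)
           .json({ error: 'Channel name cannot be the same as user username.' })
       }
 
       const existing = await ActorModel.loadLocalByName(req.body.channelName)
       if (existing) {
-        return res.status(409)
+        return res
+          .status(HttpStatusCode.CONFLICT_409)
           .json({ error: `Channel with name ${req.body.channelName} already exists.` })
       }
     }
@@ -118,18 +122,19 @@ const usersRegisterValidator = [
     const body: UserRegister = req.body
     if (body.channel) {
       if (!body.channel.name || !body.channel.displayName) {
-        return res.status(400)
+        return res
+          .status(HttpStatusCode.BAD_REQUEST_400)
           .json({ error: 'Channel is optional but if you specify it, channel.name and channel.displayName are required.' })
       }
 
       if (body.channel.name === body.username) {
-        return res.status(400)
+        return res.status(HttpStatusCode.BAD_REQUEST_400)
           .json({ error: 'Channel name cannot be the same as user username.' })
       }
 
       const existing = await ActorModel.loadLocalByName(body.channel.name)
       if (existing) {
-        return res.status(409)
+        return res.status(HttpStatusCode.CONFLICT_409)
           .json({ error: `Channel with name ${body.channel.name} already exists.` })
       }
     }
@@ -149,7 +154,7 @@ const usersRemoveValidator = [
 
     const user = res.locals.user
     if (user.username === 'root') {
-      return res.status(400)
+      return res.status(HttpStatusCode.BAD_REQUEST_400)
         .json({ error: 'Cannot remove the root user' })
     }
 
@@ -169,7 +174,7 @@ const usersBlockingValidator = [
 
     const user = res.locals.user
     if (user.username === 'root') {
-      return res.status(400)
+      return res.status(HttpStatusCode.BAD_REQUEST_400)
         .json({ error: 'Cannot block the root user' })
     }
 
@@ -181,7 +186,7 @@ const deleteMeValidator = [
   (req: express.Request, res: express.Response, next: express.NextFunction) => {
     const user = res.locals.oauth.token.User
     if (user.username === 'root') {
-      return res.status(400)
+      return res.status(HttpStatusCode.BAD_REQUEST_400)
         .json({ error: 'You cannot delete your root account.' })
         .end()
     }
@@ -211,8 +216,8 @@ const usersUpdateValidator = [
 
     const user = res.locals.user
     if (user.username === 'root' && req.body.role !== undefined && user.role !== req.body.role) {
-      return res.status(400)
+      return res.status(HttpStatusCode.BAD_REQUEST_400)
         .json({ error: 'Cannot change root role.' })
     }
 
     return next()
@@ -267,17 +272,17 @@ const usersUpdateMeValidator = [
 
     if (req.body.password || req.body.email) {
       if (user.pluginAuth !== null) {
-        return res.status(400)
+        return res.status(HttpStatusCode.BAD_REQUEST_400)
           .json({ error: 'You cannot update your email or password that is associated with an external auth system.' })
       }
 
       if (!req.body.currentPassword) {
-        return res.status(400)
+        return res.status(HttpStatusCode.BAD_REQUEST_400)
           .json({ error: 'currentPassword parameter is missing.' })
       }
 
       if (await user.isPasswordMatch(req.body.currentPassword) !== true) {
-        return res.status(401)
+        return res.status(HttpStatusCode.UNAUTHORIZED_401)
           .json({ error: 'currentPassword is invalid.' })
       }
     }
@@ -329,7 +334,7 @@ const ensureUserRegistrationAllowed = [
     )
 
     if (allowedResult.allowed === false) {
-      return res.status(403)
+      return res.status(HttpStatusCode.FORBIDDEN_403)
         .json({ error: allowedResult.errorMessage || 'User registration is not enabled or user limit is reached.' })
     }
 
@@ -342,7 +347,7 @@ const ensureUserRegistrationAllowedForIP = [
     const allowed = isSignupAllowedForCurrentIP(req.ip)
 
     if (allowed === false) {
-      return res.status(403)
+      return res.status(HttpStatusCode.FORBIDDEN_403)
         .json({ error: 'You are not on a network authorized for registration.' })
     }
 
@@ -362,7 +367,7 @@ const usersAskResetPasswordValidator = [
     if (!exists) {
       logger.debug('User with email %s does not exist (asking reset password).', req.body.email)
       // Do not leak our emails
-      return res.status(204).end()
+      return res.status(HttpStatusCode.NO_CONTENT_204).end()
     }
 
     return next()
@@ -385,7 +390,7 @@ const usersResetPasswordValidator = [
 
     if (redisVerificationString !== req.body.verificationString) {
       return res
-        .status(403)
+        .status(HttpStatusCode.FORBIDDEN_403)
         .json({ error: 'Invalid verification string.' })
     }
 
@@ -404,7 +409,7 @@ const usersAskSendVerifyEmailValidator = [
     if (!exists) {
       logger.debug('User with email %s does not exist (asking verify email).', req.body.email)
       // Do not leak our emails
-      return res.status(204).end()
+      return res.status(HttpStatusCode.NO_CONTENT_204).end()
     }
 
     return next()
@@ -432,7 +437,7 @@ const usersVerifyEmailValidator = [
 
     if (redisVerificationString !== req.body.verificationString) {
       return res
-        .status(403)
+        .status(HttpStatusCode.FORBIDDEN_403)
         .json({ error: 'Invalid verification string.' })
     }
 
@@ -449,7 +454,7 @@ const ensureAuthUserOwnsAccountValidator = [
     const user = res.locals.oauth.token.User
 
     if (res.locals.account.id !== user.Account.id) {
-      return res.status(403)
+      return res.status(HttpStatusCode.FORBIDDEN_403)
         .json({ error: 'Only owner can access ratings list.' })
     }
 
@@ -465,7 +470,7 @@ const ensureCanManageUser = [
     if (authUser.role === UserRole.ADMINISTRATOR) return next()
     if (authUser.role === UserRole.MODERATOR && onUser.role === UserRole.USER) return next()
 
-    return res.status(403)
+    return res.status(HttpStatusCode.FORBIDDEN_403)
       .json({ error: 'A moderator can only manager users.' })
   }
 ]
@@ -509,14 +514,14 @@ async function checkUserNameOrEmailDoesNotAlreadyExist (username: string, email:
   const user = await UserModel.loadByUsernameOrEmail(username, email)
 
   if (user) {
-    res.status(409)
+    res.status(HttpStatusCode.CONFLICT_409)
       .json({ error: 'User with this username or email already exists.' })
     return false
   }
 
   const actor = await ActorModel.loadLocalByName(username)
   if (actor) {
-    res.status(409)
+    res.status(HttpStatusCode.CONFLICT_409)
       .json({ error: 'Another actor (account/channel) with this name on this instance already exists or has already existed.' })
     return false
   }
@@ -529,7 +534,7 @@ async function checkUserExist (finder: () => Bluebird<MUserDefault>, res: expres
 
   if (!user) {
     if (abortResponse === true) {
-      res.status(404)
+      res.status(HttpStatusCode.NOT_FOUND_404)
         .json({ error: 'User not found' })
     }
 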
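Review bot: The replaced status calls are formatted two different ways within the same commit: in usersAddValidator and the first branch of usersRegisterValidator the new code splits `return res` and `.status(HttpStatusCode.…)` onto separate lines, while every later site (the remaining usersRegisterValidator branches through checkUserExist) keeps `return res.status(HttpStatusCode.…)` on one line. Settling on the one-line form used by the majority, e.g. `return res.status(HttpStatusCode.FORBIDDEN_403)`, would keep the file uniform and make future grep-based audits of response codes simpler. While ensureCanManageUser is being touched, the message `'A moderator can only manager users.'` appears to be a typo for `'A moderator can only manage users.'`. Each of the validator bodies and helper functions shown here starts and ends outside its hunk, so the surrounding control flow is not visible.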