1 files changed, 199 insertions, 0 deletions
diff --git a/server/middlewares/validators/videos.ts b/server/middlewares/validators/videos.ts
new file mode 100644
index 000000000..5a49cf73c
--- /dev/null
+++ b/server/middlewares/validators/videos.ts
@@ -0,0 +1,199 @@
+const db = require('../../initializers/database')
+import { checkErrors } from './utils'
+import { CONSTRAINTS_FIELDS, SEARCHABLE_COLUMNS } from '../../initializers'
+import { logger, isVideoDurationValid } from '../../helpers'
+function videosAddValidator (req, res, next) {
+  req.checkBody('videofile', 'Should have a valid file').isVideoFile(req.files)
+  req.checkBody('name', 'Should have a valid name').isVideoNameValid()
+  req.checkBody('category', 'Should have a valid category').isVideoCategoryValid()
+  req.checkBody('licence', 'Should have a valid licence').isVideoLicenceValid()
+  req.checkBody('language', 'Should have a valid language').optional().isVideoLanguageValid()
+  req.checkBody('nsfw', 'Should have a valid NSFW attribute').isVideoNSFWValid()
+  req.checkBody('description', 'Should have a valid description').isVideoDescriptionValid()
+  req.checkBody('tags', 'Should have correct tags').optional().isVideoTagsValid()
+  logger.debug('Checking videosAdd parameters', { parameters: req.body, files: req.files })
+  checkErrors(req, res, function () {
+    const videoFile = req.files.videofile[0]
+    db.Video.getDurationFromFile(videoFile.path, function (err, duration) {
+      if (err) {
+        return res.status(400).send('Cannot retrieve metadata of the file.')
+      }
+      if (!isVideoDurationValid(duration)) {
+        return res.status(400).send('Duration of the video file is too big (max: ' + CONSTRAINTS_FIELDS.VIDEOS.DURATION.max + 's).')
+      }
+      videoFile.duration = duration
+      next()
+    })
+  })
+}
+function videosUpdateValidator (req, res, next) {
+  req.checkParams('id', 'Should have a valid id').notEmpty().isUUID(4)
+  req.checkBody('name', 'Should have a valid name').optional().isVideoNameValid()
+  req.checkBody('category', 'Should have a valid category').optional().isVideoCategoryValid()
+  req.checkBody('licence', 'Should have a valid licence').optional().isVideoLicenceValid()
+  req.checkBody('language', 'Should have a valid language').optional().isVideoLanguageValid()
+  req.checkBody('nsfw', 'Should have a valid NSFW attribute').optional().isVideoNSFWValid()
+  req.checkBody('description', 'Should have a valid description').optional().isVideoDescriptionValid()
+  req.checkBody('tags', 'Should have correct tags').optional().isVideoTagsValid()
+  logger.debug('Checking videosUpdate parameters', { parameters: req.body })
+  checkErrors(req, res, function () {
+    checkVideoExists(req.params.id, res, function () {
+      // We need to make additional checks
+      if (res.locals.video.isOwned() === false) {
+        return res.status(403).send('Cannot update video of another pod')
+      }
+      if (res.locals.video.Author.userId !== res.locals.oauth.token.User.id) {
+        return res.status(403).send('Cannot update video of another user')
+      }
+      next()
+    })
+  })
+}
+function videosGetValidator (req, res, next) {
+  req.checkParams('id', 'Should have a valid id').notEmpty().isUUID(4)
+  logger.debug('Checking videosGet parameters', { parameters: req.params })
+  checkErrors(req, res, function () {
+    checkVideoExists(req.params.id, res, next)
+  })
+}
+function videosRemoveValidator (req, res, next) {
+  req.checkParams('id', 'Should have a valid id').notEmpty().isUUID(4)
+  logger.debug('Checking videosRemove parameters', { parameters: req.params })
+  checkErrors(req, res, function () {
+    checkVideoExists(req.params.id, res, function () {
+      // We need to make additional checks
+      // Check if the user who did the request is able to delete the video
+      checkUserCanDeleteVideo(res.locals.oauth.token.User.id, res, function () {
+        next()
+      })
+    })
+  })
+}
+function videosSearchValidator (req, res, next) {
+  const searchableColumns = SEARCHABLE_COLUMNS.VIDEOS
+  req.checkParams('value', 'Should have a valid search').notEmpty()
+  req.checkQuery('field', 'Should have correct searchable column').optional().isIn(searchableColumns)
+  logger.debug('Checking videosSearch parameters', { parameters: req.params })
+  checkErrors(req, res, next)
+}
+function videoAbuseReportValidator (req, res, next) {
+  req.checkParams('id', 'Should have a valid id').notEmpty().isUUID(4)
+  req.checkBody('reason', 'Should have a valid reason').isVideoAbuseReasonValid()
+  logger.debug('Checking videoAbuseReport parameters', { parameters: req.body })
+  checkErrors(req, res, function () {
+    checkVideoExists(req.params.id, res, next)
+  })
+}
+function videoRateValidator (req, res, next) {
+  req.checkParams('id', 'Should have a valid id').notEmpty().isUUID(4)
+  req.checkBody('rating', 'Should have a valid rate type').isVideoRatingTypeValid()
+  logger.debug('Checking videoRate parameters', { parameters: req.body })
+  checkErrors(req, res, function () {
+    checkVideoExists(req.params.id, res, next)
+  })
+}
+function videosBlacklistValidator (req, res, next) {
+  req.checkParams('id', 'Should have a valid id').notEmpty().isUUID(4)
+  logger.debug('Checking videosBlacklist parameters', { parameters: req.params })
+  checkErrors(req, res, function () {
+    checkVideoExists(req.params.id, res, function () {
+      checkVideoIsBlacklistable(req, res, next)
+    })
+  })
+}
+// ---------------------------------------------------------------------------
+export {
+  videosAddValidator,
+  videosUpdateValidator,
+  videosGetValidator,
+  videosRemoveValidator,
+  videosSearchValidator,
+  videoAbuseReportValidator,
+  videoRateValidator,
+  videosBlacklistValidator
+}
+// ---------------------------------------------------------------------------
+function checkVideoExists (id, res, callback) {
+  db.Video.loadAndPopulateAuthorAndPodAndTags(id, function (err, video) {
+    if (err) {
+      logger.error('Error in video request validator.', { error: err })
+      return res.sendStatus(500)
+    }
+    if (!video) return res.status(404).send('Video not found')
+    res.locals.video = video
+    callback()
+  })
+}
+function checkUserCanDeleteVideo (userId, res, callback) {
+  // Retrieve the user who did the request
+  db.User.loadById(userId, function (err, user) {
+    if (err) {
+      logger.error('Error in video request validator.', { error: err })
+      return res.sendStatus(500)
+    }
+    // Check if the user can delete the video
+    // The user can delete it if s/he is an admin
+    // Or if s/he is the video's author
+    if (user.isAdmin() === false) {
+      if (res.locals.video.isOwned() === false) {
+        return res.status(403).send('Cannot remove video of another pod')
+      }
+      if (res.locals.video.Author.userId !== res.locals.oauth.token.User.id) {
+        return res.status(403).send('Cannot remove video of another user')
+      }
+    }
+    // If we reach this comment, we can delete the video
+    callback()
+  })
+}
+function checkVideoIsBlacklistable (req, res, callback) {
+  if (res.locals.video.isOwned() === true) {
+    return res.status(403).send('Cannot blacklist a local video')
+  }
+  callback()
+}

diff --git a/server/middlewares/validators/videos.ts b/server/middlewares/validators/videos.ts new file mode 100644 index 000000000..5a49cf73c --- /dev/null +++ b/server/middlewares/validators/videos.ts
@@ -0,0 +1,199 @@
	1	const db = require('../../initializers/database')
	2	import { checkErrors } from './utils'
	3	import { CONSTRAINTS_FIELDS, SEARCHABLE_COLUMNS } from '../../initializers'
	4	import { logger, isVideoDurationValid } from '../../helpers'
	5
	6	function videosAddValidator (req, res, next) {
	7	req.checkBody('videofile', 'Should have a valid file').isVideoFile(req.files)
	8	req.checkBody('name', 'Should have a valid name').isVideoNameValid()
	9	req.checkBody('category', 'Should have a valid category').isVideoCategoryValid()
	10	req.checkBody('licence', 'Should have a valid licence').isVideoLicenceValid()
	11	req.checkBody('language', 'Should have a valid language').optional().isVideoLanguageValid()
	12	req.checkBody('nsfw', 'Should have a valid NSFW attribute').isVideoNSFWValid()
	13	req.checkBody('description', 'Should have a valid description').isVideoDescriptionValid()
	14	req.checkBody('tags', 'Should have correct tags').optional().isVideoTagsValid()
	15
	16	logger.debug('Checking videosAdd parameters', { parameters: req.body, files: req.files })
	17
	18	checkErrors(req, res, function () {
	19	const videoFile = req.files.videofile[0]
	20
	21	db.Video.getDurationFromFile(videoFile.path, function (err, duration) {
	22	if (err) {
	23	return res.status(400).send('Cannot retrieve metadata of the file.')
	24	}
	25
	26	if (!isVideoDurationValid(duration)) {
	27	return res.status(400).send('Duration of the video file is too big (max: ' + CONSTRAINTS_FIELDS.VIDEOS.DURATION.max + 's).')
	28	}
	29
	30	videoFile.duration = duration
	31	next()
	32	})
	33	})
	34	}
	35
	36	function videosUpdateValidator (req, res, next) {
	37	req.checkParams('id', 'Should have a valid id').notEmpty().isUUID(4)
	38	req.checkBody('name', 'Should have a valid name').optional().isVideoNameValid()
	39	req.checkBody('category', 'Should have a valid category').optional().isVideoCategoryValid()
	40	req.checkBody('licence', 'Should have a valid licence').optional().isVideoLicenceValid()
	41	req.checkBody('language', 'Should have a valid language').optional().isVideoLanguageValid()
	42	req.checkBody('nsfw', 'Should have a valid NSFW attribute').optional().isVideoNSFWValid()
	43	req.checkBody('description', 'Should have a valid description').optional().isVideoDescriptionValid()
	44	req.checkBody('tags', 'Should have correct tags').optional().isVideoTagsValid()
	45
	46	logger.debug('Checking videosUpdate parameters', { parameters: req.body })
	47
	48	checkErrors(req, res, function () {
	49	checkVideoExists(req.params.id, res, function () {
	50	// We need to make additional checks
	51	if (res.locals.video.isOwned() === false) {
	52	return res.status(403).send('Cannot update video of another pod')
	53	}
	54
	55	if (res.locals.video.Author.userId !== res.locals.oauth.token.User.id) {
	56	return res.status(403).send('Cannot update video of another user')
	57	}
	58
	59	next()
	60	})
	61	})
	62	}
	63
	64	function videosGetValidator (req, res, next) {
	65	req.checkParams('id', 'Should have a valid id').notEmpty().isUUID(4)
	66
	67	logger.debug('Checking videosGet parameters', { parameters: req.params })
	68
	69	checkErrors(req, res, function () {
	70	checkVideoExists(req.params.id, res, next)
	71	})
	72	}
	73
	74	function videosRemoveValidator (req, res, next) {
	75	req.checkParams('id', 'Should have a valid id').notEmpty().isUUID(4)
	76
	77	logger.debug('Checking videosRemove parameters', { parameters: req.params })
	78
	79	checkErrors(req, res, function () {
	80	checkVideoExists(req.params.id, res, function () {
	81	// We need to make additional checks
	82
	83	// Check if the user who did the request is able to delete the video
	84	checkUserCanDeleteVideo(res.locals.oauth.token.User.id, res, function () {
	85	next()
	86	})
	87	})
	88	})
	89	}
	90
	91	function videosSearchValidator (req, res, next) {
	92	const searchableColumns = SEARCHABLE_COLUMNS.VIDEOS
	93	req.checkParams('value', 'Should have a valid search').notEmpty()
	94	req.checkQuery('field', 'Should have correct searchable column').optional().isIn(searchableColumns)
	95
	96	logger.debug('Checking videosSearch parameters', { parameters: req.params })
	97
	98	checkErrors(req, res, next)
	99	}
	100
	101	function videoAbuseReportValidator (req, res, next) {
	102	req.checkParams('id', 'Should have a valid id').notEmpty().isUUID(4)
	103	req.checkBody('reason', 'Should have a valid reason').isVideoAbuseReasonValid()
	104
	105	logger.debug('Checking videoAbuseReport parameters', { parameters: req.body })
	106
	107	checkErrors(req, res, function () {
	108	checkVideoExists(req.params.id, res, next)
	109	})
	110	}
	111
	112	function videoRateValidator (req, res, next) {
	113	req.checkParams('id', 'Should have a valid id').notEmpty().isUUID(4)
	114	req.checkBody('rating', 'Should have a valid rate type').isVideoRatingTypeValid()
	115
	116	logger.debug('Checking videoRate parameters', { parameters: req.body })
	117
	118	checkErrors(req, res, function () {
	119	checkVideoExists(req.params.id, res, next)
	120	})
	121	}
	122
	123	function videosBlacklistValidator (req, res, next) {
	124	req.checkParams('id', 'Should have a valid id').notEmpty().isUUID(4)
	125
	126	logger.debug('Checking videosBlacklist parameters', { parameters: req.params })
	127
	128	checkErrors(req, res, function () {
	129	checkVideoExists(req.params.id, res, function () {
	130	checkVideoIsBlacklistable(req, res, next)
	131	})
	132	})
	133	}
	134
	135	// ---------------------------------------------------------------------------
	136
	137	export {
	138	videosAddValidator,
	139	videosUpdateValidator,
	140	videosGetValidator,
	141	videosRemoveValidator,
	142	videosSearchValidator,
	143
	144	videoAbuseReportValidator,
	145
	146	videoRateValidator,
	147
	148	videosBlacklistValidator
	149	}
	150
	151	// ---------------------------------------------------------------------------
	152
	153	function checkVideoExists (id, res, callback) {
	154	db.Video.loadAndPopulateAuthorAndPodAndTags(id, function (err, video) {
	155	if (err) {
	156	logger.error('Error in video request validator.', { error: err })
	157	return res.sendStatus(500)
	158	}
	159
	160	if (!video) return res.status(404).send('Video not found')
	161
	162	res.locals.video = video
	163	callback()
	164	})
	165	}
	166
	167	function checkUserCanDeleteVideo (userId, res, callback) {
	168	// Retrieve the user who did the request
	169	db.User.loadById(userId, function (err, user) {
	170	if (err) {
	171	logger.error('Error in video request validator.', { error: err })
	172	return res.sendStatus(500)
	173	}
	174
	175	// Check if the user can delete the video
	176	// The user can delete it if s/he is an admin
	177	// Or if s/he is the video's author
	178	if (user.isAdmin() === false) {
	179	if (res.locals.video.isOwned() === false) {
	180	return res.status(403).send('Cannot remove video of another pod')
	181	}
	182
	183	if (res.locals.video.Author.userId !== res.locals.oauth.token.User.id) {
	184	return res.status(403).send('Cannot remove video of another user')
	185	}
	186	}
	187
	188	// If we reach this comment, we can delete the video
	189	callback()
	190	})
	191	}
	192
	193	function checkVideoIsBlacklistable (req, res, callback) {
	194	if (res.locals.video.isOwned() === true) {
	195	return res.status(403).send('Cannot blacklist a local video')
	196	}
	197
	198	callback()
	199	}