6 files changed, 217 insertions, 65 deletions

diff --git a/server/middlewares/validators/videos/index.ts b/server/middlewares/validators/videos/index.ts
index 294783d85..a0d585b93 100644
--- a/server/middlewares/validators/videos/index.ts
+++ b/server/middlewares/validators/videos/index.ts
@@ -5,4 +5,6 @@ export * from './video-channels'
 export * from './video-comments'
 export * from './video-imports'
 export * from './video-watch'
+export * from './video-rates'
+export * from './video-shares'
 export * from './videos'
diff --git a/server/middlewares/validators/videos/video-blacklist.ts b/server/middlewares/validators/videos/video-blacklist.ts
index 13da7acff..2688f63ae 100644
--- a/server/middlewares/validators/videos/video-blacklist.ts
+++ b/server/middlewares/validators/videos/video-blacklist.ts
@@ -1,10 +1,11 @@
 import * as express from 'express'
 import { body, param } from 'express-validator/check'
-import { isIdOrUUIDValid } from '../../../helpers/custom-validators/misc'
+import { isBooleanValid, isIdOrUUIDValid } from '../../../helpers/custom-validators/misc'
 import { isVideoExist } from '../../../helpers/custom-validators/videos'
 import { logger } from '../../../helpers/logger'
 import { areValidationErrors } from '../utils'
 import { isVideoBlacklistExist, isVideoBlacklistReasonValid } from '../../../helpers/custom-validators/video-blacklist'
+import { VideoModel } from '../../../models/video/video'
 
 const videosBlacklistRemoveValidator = [
   param('videoId').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid videoId'),
@@ -22,6 +23,10 @@ const videosBlacklistRemoveValidator = [
 
 const videosBlacklistAddValidator = [
   param('videoId').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid videoId'),
+  body('unfederate')
+    .optional()
+    .toBoolean()
+    .custom(isBooleanValid).withMessage('Should have a valid unfederate boolean'),
   body('reason')
     .optional()
     .custom(isVideoBlacklistReasonValid).withMessage('Should have a valid reason'),
@@ -32,6 +37,14 @@ const videosBlacklistAddValidator = [
     if (areValidationErrors(req, res)) return
     if (!await isVideoExist(req.params.videoId, res)) return
 
+    const video: VideoModel = res.locals.video
+    if (req.body.unfederate === true && video.remote === true) {
+      return res
+        .status(409)
+        .send({ error: 'You cannot unfederate a remote video.' })
+        .end()
+    }
+
     return next()
   }
 ]
diff --git a/server/middlewares/validators/videos/video-rates.ts b/server/middlewares/validators/videos/video-rates.ts
new file mode 100644
index 000000000..793354520
--- /dev/null
+++ b/server/middlewares/validators/videos/video-rates.ts
@@ -0,0 +1,55 @@
+import * as express from 'express'
+import 'express-validator'
+import { body, param } from 'express-validator/check'
+import { isIdOrUUIDValid, isIdValid } from '../../../helpers/custom-validators/misc'
+import { isVideoExist, isVideoRatingTypeValid } from '../../../helpers/custom-validators/videos'
+import { logger } from '../../../helpers/logger'
+import { areValidationErrors } from '../utils'
+import { AccountVideoRateModel } from '../../../models/account/account-video-rate'
+import { VideoRateType } from '../../../../shared/models/videos'
+import { isAccountNameValid } from '../../../helpers/custom-validators/accounts'
+
+const videoUpdateRateValidator = [
+  param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
+  body('rating').custom(isVideoRatingTypeValid).withMessage('Should have a valid rate type'),
+
+  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
+    logger.debug('Checking videoRate parameters', { parameters: req.body })
+
+    if (areValidationErrors(req, res)) return
+    if (!await isVideoExist(req.params.id, res)) return
+
+    return next()
+  }
+]
+
+const getAccountVideoRateValidator = function (rateType: VideoRateType) {
+  return [
+    param('name').custom(isAccountNameValid).withMessage('Should have a valid account name'),
+    param('videoId').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid videoId'),
+
+    async (req: express.Request, res: express.Response, next: express.NextFunction) => {
+      logger.debug('Checking videoCommentGetValidator parameters.', { parameters: req.params })
+
+      if (areValidationErrors(req, res)) return
+
+      const rate = await AccountVideoRateModel.loadLocalAndPopulateVideo(rateType, req.params.name, req.params.videoId)
+      if (!rate) {
+        return res.status(404)
+                  .json({ error: 'Video rate not found' })
+                  .end()
+      }
+
+      res.locals.accountVideoRate = rate
+
+      return next()
+    }
+  ]
+}
+
+// ---------------------------------------------------------------------------
+
+export {
+  videoUpdateRateValidator,
+  getAccountVideoRateValidator
+}
diff --git a/server/middlewares/validators/videos/video-shares.ts b/server/middlewares/validators/videos/video-shares.ts
new file mode 100644
index 000000000..646d7acb1
--- /dev/null
+++ b/server/middlewares/validators/videos/video-shares.ts
@@ -0,0 +1,38 @@
+import * as express from 'express'
+import 'express-validator'
+import { param } from 'express-validator/check'
+import { isIdOrUUIDValid, isIdValid } from '../../../helpers/custom-validators/misc'
+import { isVideoExist } from '../../../helpers/custom-validators/videos'
+import { logger } from '../../../helpers/logger'
+import { VideoShareModel } from '../../../models/video/video-share'
+import { areValidationErrors } from '../utils'
+import { VideoModel } from '../../../models/video/video'
+
+const videosShareValidator = [
+  param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
+  param('actorId').custom(isIdValid).not().isEmpty().withMessage('Should have a valid actor id'),
+
+  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
+    logger.debug('Checking videoShare parameters', { parameters: req.params })
+
+    if (areValidationErrors(req, res)) return
+    if (!await isVideoExist(req.params.id, res)) return
+
+    const video: VideoModel = res.locals.video
+
+    const share = await VideoShareModel.load(req.params.actorId, video.id)
+    if (!share) {
+      return res.status(404)
+                .end()
+    }
+
+    res.locals.videoShare = share
+    return next()
+  }
+]
+
+// ---------------------------------------------------------------------------
+
+export {
+  videosShareValidator
+}
diff --git a/server/middlewares/validators/videos/video-watch.ts b/server/middlewares/validators/videos/video-watch.ts
index bca64662f..c38ad8a10 100644
--- a/server/middlewares/validators/videos/video-watch.ts
+++ b/server/middlewares/validators/videos/video-watch.ts
@@ -4,6 +4,7 @@ import { isIdOrUUIDValid } from '../../../helpers/custom-validators/misc'
 import { isVideoExist } from '../../../helpers/custom-validators/videos'
 import { areValidationErrors } from '../utils'
 import { logger } from '../../../helpers/logger'
+import { UserModel } from '../../../models/account/user'
 
 const videoWatchingValidator = [
   param('videoId').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
@@ -17,6 +18,12 @@ const videoWatchingValidator = [
     if (areValidationErrors(req, res)) return
     if (!await isVideoExist(req.params.videoId, res, 'id')) return
 
+    const user = res.locals.oauth.token.User as UserModel
+    if (user.videosHistoryEnabled === false) {
+      logger.warn('Cannot set videos to watch by user %d: videos history is disabled.', user.id)
+      return res.status(409).end()
+    }
+
     return next()
   }
 ]
diff --git a/server/middlewares/validators/videos/videos.ts b/server/middlewares/validators/videos/videos.ts
index 27e8a7449..d9626929c 100644
--- a/server/middlewares/validators/videos/videos.ts
+++ b/server/middlewares/validators/videos/videos.ts
@@ -1,6 +1,6 @@
 import * as express from 'express'
 import 'express-validator'
-import { body, param, ValidationChain } from 'express-validator/check'
+import { body, param, query, ValidationChain } from 'express-validator/check'
 import { UserRight, VideoChangeOwnershipStatus, VideoPrivacy } from '../../../../shared'
 import {
   isBooleanValid,
@@ -8,6 +8,7 @@ import {
   isIdOrUUIDValid,
   isIdValid,
   isUUIDValid,
+  toArray,
   toIntOrNull,
   toValueOrNull
 } from '../../../helpers/custom-validators/misc'
@@ -19,20 +20,19 @@ import {
   isVideoDescriptionValid,
   isVideoExist,
   isVideoFile,
+  isVideoFilterValid,
   isVideoImage,
   isVideoLanguageValid,
   isVideoLicenceValid,
   isVideoNameValid,
   isVideoPrivacyValid,
-  isVideoRatingTypeValid,
   isVideoSupportValid,
   isVideoTagsValid
 } from '../../../helpers/custom-validators/videos'
 import { getDurationFromVideoFile } from '../../../helpers/ffmpeg-utils'
 import { logger } from '../../../helpers/logger'
-import { CONSTRAINTS_FIELDS } from '../../../initializers'
-import { VideoShareModel } from '../../../models/video/video-share'
-import { authenticate } from '../../oauth'
+import { CONFIG, CONSTRAINTS_FIELDS } from '../../../initializers'
+import { authenticatePromiseIfNeeded } from '../../oauth'
 import { areValidationErrors } from '../utils'
 import { cleanUpReqFiles } from '../../../helpers/express-utils'
 import { VideoModel } from '../../../models/video/video'
@@ -42,6 +42,8 @@ import { VideoChangeOwnershipAccept } from '../../../../shared/models/videos/vid
 import { VideoChangeOwnershipModel } from '../../../models/video/video-change-ownership'
 import { AccountModel } from '../../../models/account/account'
 import { VideoFetchType } from '../../../helpers/video'
+import { isNSFWQueryValid, isNumberArray, isStringArray } from '../../../helpers/custom-validators/search'
+import { getServerActor } from '../../../helpers/utils'
 
 const videosAddValidator = getCommonVideoAttributes().concat([
   body('videofile')
@@ -69,7 +71,6 @@ const videosAddValidator = getCommonVideoAttributes().concat([
     if (isAble === false) {
       res.status(403)
          .json({ error: 'The user video quota is exceeded with this video.' })
-         .end()
 
       return cleanUpReqFiles(req)
     }
@@ -82,7 +83,6 @@ const videosAddValidator = getCommonVideoAttributes().concat([
       logger.error('Invalid input file in videosAddValidator.', { err })
       res.status(400)
          .json({ error: 'Invalid input file.' })
-         .end()
 
       return cleanUpReqFiles(req)
     }
@@ -120,7 +120,6 @@ const videosUpdateValidator = getCommonVideoAttributes().concat([
       cleanUpReqFiles(req)
       return res.status(409)
         .json({ error: 'Cannot set "private" a video that was not private.' })
-        .end()
     }
 
     if (req.body.channelId && !await isVideoChannelOfAccountExist(req.body.channelId, user, res)) return cleanUpReqFiles(req)
@@ -129,6 +128,31 @@ const videosUpdateValidator = getCommonVideoAttributes().concat([
   }
 ])
 
+async function checkVideoFollowConstraints (req: express.Request, res: express.Response, next: express.NextFunction) {
+  const video: VideoModel = res.locals.video
+
+  // Anybody can watch local videos
+  if (video.isOwned() === true) return next()
+
+  // Logged user
+  if (res.locals.oauth) {
+    // Users can search or watch remote videos
+    if (CONFIG.SEARCH.REMOTE_URI.USERS === true) return next()
+  }
+
+  // Anybody can search or watch remote videos
+  if (CONFIG.SEARCH.REMOTE_URI.ANONYMOUS === true) return next()
+
+  // Check our instance follows an actor that shared this video
+  const serverActor = await getServerActor()
+  if (await VideoModel.checkVideoHasInstanceFollow(video.id, serverActor.id) === true) return next()
+
+  return res.status(403)
+            .json({
+              error: 'Cannot get this video regarding follow constraints.'
+            })
+}
+
 const videosCustomGetValidator = (fetchType: VideoFetchType) => {
   return [
     param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
@@ -143,18 +167,20 @@ const videosCustomGetValidator = (fetchType: VideoFetchType) => {
 
       // Video private or blacklisted
       if (video.privacy === VideoPrivacy.PRIVATE || video.VideoBlacklist) {
-        return authenticate(req, res, () => {
-          const user: UserModel = res.locals.oauth.token.User
-
-          // Only the owner or a user that have blacklist rights can see the video
-          if (video.VideoChannel.Account.userId !== user.id && !user.hasRight(UserRight.MANAGE_VIDEO_BLACKLIST)) {
-            return res.status(403)
-                      .json({ error: 'Cannot get this private or blacklisted video.' })
-                      .end()
-          }
-
-          return next()
-        })
+        await authenticatePromiseIfNeeded(req, res)
+
+        const user: UserModel = res.locals.oauth ? res.locals.oauth.token.User : null
+
+        // Only the owner or a user that have blacklist rights can see the video
+        if (
+          !user ||
+          (video.VideoChannel.Account.userId !== user.id && !user.hasRight(UserRight.MANAGE_VIDEO_BLACKLIST))
+        ) {
+          return res.status(403)
+                    .json({ error: 'Cannot get this private or blacklisted video.' })
+        }
+
+        return next()
       }
 
       // Video is public, anyone can access it
@@ -189,41 +215,6 @@ const videosRemoveValidator = [
   }
 ]
 
-const videoRateValidator = [
-  param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
-  body('rating').custom(isVideoRatingTypeValid).withMessage('Should have a valid rate type'),
-
-  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
-    logger.debug('Checking videoRate parameters', { parameters: req.body })
-
-    if (areValidationErrors(req, res)) return
-    if (!await isVideoExist(req.params.id, res)) return
-
-    return next()
-  }
-]
-
-const videosShareValidator = [
-  param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
-  param('accountId').custom(isIdValid).not().isEmpty().withMessage('Should have a valid account id'),
-
-  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
-    logger.debug('Checking videoShare parameters', { parameters: req.params })
-
-    if (areValidationErrors(req, res)) return
-    if (!await isVideoExist(req.params.id, res)) return
-
-    const share = await VideoShareModel.load(req.params.accountId, res.locals.video.id, undefined)
-    if (!share) {
-      return res.status(404)
-        .end()
-    }
-
-    res.locals.videoShare = share
-    return next()
-  }
-]
-
 const videosChangeOwnershipValidator = [
   param('videoId').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
 
@@ -239,8 +230,8 @@ const videosChangeOwnershipValidator = [
     const nextOwner = await AccountModel.loadLocalByName(req.body.username)
     if (!nextOwner) {
       res.status(400)
-        .type('json')
-        .end()
+        .json({ error: 'Changing video ownership to a remote account is not supported yet' })
+
       return
     }
     res.locals.nextOwner = nextOwner
@@ -271,7 +262,7 @@ const videosTerminateChangeOwnershipValidator = [
     } else {
       res.status(403)
         .json({ error: 'Ownership already accepted or refused' })
-        .end()
+
       return
     }
   }
@@ -288,7 +279,7 @@ const videosAcceptChangeOwnershipValidator = [
     if (isAble === false) {
       res.status(403)
         .json({ error: 'The user video quota is exceeded with this video.' })
-        .end()
+
       return
     }
 
@@ -367,23 +358,68 @@ function getCommonVideoAttributes () {
   ] as (ValidationChain | express.Handler)[]
 }
 
+const commonVideosFiltersValidator = [
+  query('categoryOneOf')
+    .optional()
+    .customSanitizer(toArray)
+    .custom(isNumberArray).withMessage('Should have a valid one of category array'),
+  query('licenceOneOf')
+    .optional()
+    .customSanitizer(toArray)
+    .custom(isNumberArray).withMessage('Should have a valid one of licence array'),
+  query('languageOneOf')
+    .optional()
+    .customSanitizer(toArray)
+    .custom(isStringArray).withMessage('Should have a valid one of language array'),
+  query('tagsOneOf')
+    .optional()
+    .customSanitizer(toArray)
+    .custom(isStringArray).withMessage('Should have a valid one of tags array'),
+  query('tagsAllOf')
+    .optional()
+    .customSanitizer(toArray)
+    .custom(isStringArray).withMessage('Should have a valid all of tags array'),
+  query('nsfw')
+    .optional()
+    .custom(isNSFWQueryValid).withMessage('Should have a valid NSFW attribute'),
+  query('filter')
+    .optional()
+    .custom(isVideoFilterValid).withMessage('Should have a valid filter attribute'),
+
+  (req: express.Request, res: express.Response, next: express.NextFunction) => {
+    logger.debug('Checking commons video filters query', { parameters: req.query })
+
+    if (areValidationErrors(req, res)) return
+
+    const user: UserModel = res.locals.oauth ? res.locals.oauth.token.User : undefined
+    if (req.query.filter === 'all-local' && (!user || user.hasRight(UserRight.SEE_ALL_VIDEOS) === false)) {
+      res.status(401)
+         .json({ error: 'You are not allowed to see all local videos.' })
+
+      return
+    }
+
+    return next()
+  }
+]
+
 // ---------------------------------------------------------------------------
 
 export {
   videosAddValidator,
   videosUpdateValidator,
   videosGetValidator,
+  checkVideoFollowConstraints,
   videosCustomGetValidator,
   videosRemoveValidator,
-  videosShareValidator,
-
-  videoRateValidator,
 
   videosChangeOwnershipValidator,
   videosTerminateChangeOwnershipValidator,
   videosAcceptChangeOwnershipValidator,
 
-  getCommonVideoAttributes
+  getCommonVideoAttributes,
+
+  commonVideosFiltersValidator
 }
 
 // ---------------------------------------------------------------------------
@@ -391,9 +427,10 @@ export {
 function areErrorsInScheduleUpdate (req: express.Request, res: express.Response) {
   if (req.body.scheduleUpdate) {
     if (!req.body.scheduleUpdate.updateAt) {
+      logger.warn('Invalid parameters: scheduleUpdate.updateAt is mandatory.')
+
       res.status(400)
          .json({ error: 'Schedule update at is mandatory.' })
-         .end()
 
       return true
     }