diff options
Diffstat (limited to 'server/middlewares/validators')
-rw-r--r-- | server/middlewares/validators/videos.js | 63 |
1 files changed, 53 insertions, 10 deletions
diff --git a/server/middlewares/validators/videos.js b/server/middlewares/validators/videos.js index c07825e50..86a7e39ae 100644 --- a/server/middlewares/validators/videos.js +++ b/server/middlewares/validators/videos.js | |||
@@ -15,7 +15,9 @@ const validatorsVideos = { | |||
15 | 15 | ||
16 | videoAbuseReport, | 16 | videoAbuseReport, |
17 | 17 | ||
18 | videoRate | 18 | videoRate, |
19 | |||
20 | videosBlacklist | ||
19 | } | 21 | } |
20 | 22 | ||
21 | function videosAdd (req, res, next) { | 23 | function videosAdd (req, res, next) { |
@@ -95,15 +97,10 @@ function videosRemove (req, res, next) { | |||
95 | checkVideoExists(req.params.id, res, function () { | 97 | checkVideoExists(req.params.id, res, function () { |
96 | // We need to make additional checks | 98 | // We need to make additional checks |
97 | 99 | ||
98 | if (res.locals.video.isOwned() === false) { | 100 | // Check if the user who did the request is able to delete the video |
99 | return res.status(403).send('Cannot remove video of another pod') | 101 | checkUserCanDeleteVideo(res.locals.oauth.token.User.id, res, function () { |
100 | } | 102 | next() |
101 | 103 | }) | |
102 | if (res.locals.video.Author.userId !== res.locals.oauth.token.User.id) { | ||
103 | return res.status(403).send('Cannot remove video of another user') | ||
104 | } | ||
105 | |||
106 | next() | ||
107 | }) | 104 | }) |
108 | }) | 105 | }) |
109 | } | 106 | } |
@@ -159,3 +156,49 @@ function checkVideoExists (id, res, callback) { | |||
159 | callback() | 156 | callback() |
160 | }) | 157 | }) |
161 | } | 158 | } |
159 | |||
160 | function checkUserCanDeleteVideo (userId, res, callback) { | ||
161 | // Retrieve the user who did the request | ||
162 | db.User.loadById(userId, function (err, user) { | ||
163 | if (err) { | ||
164 | logger.error('Error in video request validator.', { error: err }) | ||
165 | return res.sendStatus(500) | ||
166 | } | ||
167 | |||
168 | // Check if the user can delete the video | ||
169 | // The user can delete it if s/he an admin | ||
170 | // Or if s/he is the video's author | ||
171 | if (user.isAdmin() === false) { | ||
172 | if (res.locals.video.isOwned() === false) { | ||
173 | return res.status(403).send('Cannot remove video of another pod') | ||
174 | } | ||
175 | |||
176 | if (res.locals.video.Author.userId !== res.locals.oauth.token.User.id) { | ||
177 | return res.status(403).send('Cannot remove video of another user') | ||
178 | } | ||
179 | } | ||
180 | |||
181 | // If we reach this comment, we can delete the video | ||
182 | callback() | ||
183 | }) | ||
184 | } | ||
185 | |||
186 | function checkVideoIsBlacklistable (req, res, callback) { | ||
187 | if (res.locals.video.isOwned() === true) { | ||
188 | return res.status(403).send('Cannot blacklist a local video') | ||
189 | } | ||
190 | |||
191 | callback() | ||
192 | } | ||
193 | |||
194 | function videosBlacklist (req, res, next) { | ||
195 | req.checkParams('id', 'Should have a valid id').notEmpty().isUUID(4) | ||
196 | |||
197 | logger.debug('Checking videosBlacklist parameters', { parameters: req.params }) | ||
198 | |||
199 | checkErrors(req, res, function () { | ||
200 | checkVideoExists(req.params.id, res, function() { | ||
201 | checkVideoIsBlacklistable(req, res, next) | ||
202 | }) | ||
203 | }) | ||
204 | } | ||