aboutsummaryrefslogtreecommitdiffhomepage
path: root/server/middlewares/validators
diff options
context:
space:
mode:
Diffstat (limited to 'server/middlewares/validators')
-rw-r--r--server/middlewares/validators/videos.js63
1 files changed, 53 insertions, 10 deletions
diff --git a/server/middlewares/validators/videos.js b/server/middlewares/validators/videos.js
index c07825e50..86a7e39ae 100644
--- a/server/middlewares/validators/videos.js
+++ b/server/middlewares/validators/videos.js
@@ -15,7 +15,9 @@ const validatorsVideos = {
15 15
16 videoAbuseReport, 16 videoAbuseReport,
17 17
18 videoRate 18 videoRate,
19
20 videosBlacklist
19} 21}
20 22
21function videosAdd (req, res, next) { 23function videosAdd (req, res, next) {
@@ -95,15 +97,10 @@ function videosRemove (req, res, next) {
95 checkVideoExists(req.params.id, res, function () { 97 checkVideoExists(req.params.id, res, function () {
96 // We need to make additional checks 98 // We need to make additional checks
97 99
98 if (res.locals.video.isOwned() === false) { 100 // Check if the user who did the request is able to delete the video
99 return res.status(403).send('Cannot remove video of another pod') 101 checkUserCanDeleteVideo(res.locals.oauth.token.User.id, res, function () {
100 } 102 next()
101 103 })
102 if (res.locals.video.Author.userId !== res.locals.oauth.token.User.id) {
103 return res.status(403).send('Cannot remove video of another user')
104 }
105
106 next()
107 }) 104 })
108 }) 105 })
109} 106}
@@ -159,3 +156,49 @@ function checkVideoExists (id, res, callback) {
159 callback() 156 callback()
160 }) 157 })
161} 158}
159
160function checkUserCanDeleteVideo (userId, res, callback) {
161 // Retrieve the user who did the request
162 db.User.loadById(userId, function (err, user) {
163 if (err) {
164 logger.error('Error in video request validator.', { error: err })
165 return res.sendStatus(500)
166 }
167
168 // Check if the user can delete the video
169 // The user can delete it if s/he an admin
170 // Or if s/he is the video's author
171 if (user.isAdmin() === false) {
172 if (res.locals.video.isOwned() === false) {
173 return res.status(403).send('Cannot remove video of another pod')
174 }
175
176 if (res.locals.video.Author.userId !== res.locals.oauth.token.User.id) {
177 return res.status(403).send('Cannot remove video of another user')
178 }
179 }
180
181 // If we reach this comment, we can delete the video
182 callback()
183 })
184}
185
186function checkVideoIsBlacklistable (req, res, callback) {
187 if (res.locals.video.isOwned() === true) {
188 return res.status(403).send('Cannot blacklist a local video')
189 }
190
191 callback()
192}
193
194function videosBlacklist (req, res, next) {
195 req.checkParams('id', 'Should have a valid id').notEmpty().isUUID(4)
196
197 logger.debug('Checking videosBlacklist parameters', { parameters: req.params })
198
199 checkErrors(req, res, function () {
200 checkVideoExists(req.params.id, res, function() {
201 checkVideoIsBlacklistable(req, res, next)
202 })
203 })
204}