Diffstat (limited to 'server/middlewares/validators')
-rw-r--r-- | server/middlewares/validators/video-comments.ts | 35 | ||||
-rw-r--r-- | server/middlewares/validators/videos.ts | 2 |
2 files changed, 35 insertions, 2 deletions
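--- a/server/middlewares/validators/video-comments.ts
+++ b/server/middlewares/validators/video-comments.ts
@@ -1,9 +1,11 @@
 import * as express from 'express'
 import { body, param } from 'express-validator/check'
+import { UserRight } from '../../../shared'
 import { isIdOrUUIDValid, isIdValid } from '../../helpers/custom-validators/misc'
 import { isValidVideoCommentText } from '../../helpers/custom-validators/video-comments'
 import { isVideoExist } from '../../helpers/custom-validators/videos'
 import { logger } from '../../helpers/logger'
+import { UserModel } from '../../models/account/user'
 import { VideoModel } from '../../models/video/video'
 import { VideoCommentModel } from '../../models/video/video-comment'
 import { areValidationErrors } from './utils'
@@ -83,6 +85,24 @@ const videoCommentGetValidator = [
 }
 ]
 
+const removeVideoCommentValidator = [
+param('videoId').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid videoId'),
+param('commentId').custom(isIdValid).not().isEmpty().withMessage('Should have a valid commentId'),
+
+async (req: express.Request, res: express.Response, next: express.NextFunction) => {
+logger.debug('Checking removeVideoCommentValidator parameters.', { parameters: req.params })
+
+if (areValidationErrors(req, res)) return
+if (!await isVideoExist(req.params.videoId, res)) return
+if (!await isVideoCommentExist(req.params.commentId, res.locals.video, res)) return
+
+// Check if the user who did the request is able to delete the video
+if (!checkUserCanDeleteVideoComment(res.locals.oauth.token.User, res.locals.videoComment, res)) return
+
+return next()
+}
+]
+
 // ---------------------------------------------------------------------------
 
 export {
@@ -90,7 +110,8 @@ export {
 listVideoThreadCommentsValidator,
 addVideoCommentThreadValidator,
 addVideoCommentReplyValidator,
-videoCommentGetValidator
+videoCommentGetValidator,
+removeVideoCommentValidator
 }
 
 // ---------------------------------------------------------------------------
@@ -160,3 +181,15 @@ function isVideoCommentsEnabled (video: VideoModel, res: express.Response) {
 
 return true
 }
+
+function checkUserCanDeleteVideoComment (user: UserModel, videoComment: VideoCommentModel, res: express.Response) {
+const account = videoComment.Account
+if (user.hasRight(UserRight.REMOVE_ANY_VIDEO_COMMENT) === false && account.userId !== user.id) {
+res.status(403)
+.json({ error: 'Cannot remove video comment of another user' })
+.end()
+return false
+}
+
+return true
+}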
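Review bot: In `checkUserCanDeleteVideoComment` the permission test is written as `user.hasRight(UserRight.REMOVE_ANY_VIDEO_COMMENT) === false`, so any non-boolean result from `hasRight` (its implementation is not visible here) would skip the 403 branch and allow the delete. An authorization check should fail closed, for example `if (!user.hasRight(UserRight.REMOVE_ANY_VIDEO_COMMENT) && account.userId !== user.id) {`. The same condition dereferences `videoComment.Account` without a guard; if the loader behind `isVideoCommentExist` does not always include the account, this would throw inside the async middleware instead of returning 403, so confirm the association is always loaded. The inline comment in `removeVideoCommentValidator` says "delete the video" and should read `// Check if the user who did the request is able to delete the video comment`.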
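--- a/server/middlewares/validators/videos.ts
+++ b/server/middlewares/validators/videos.ts
@@ -253,7 +253,7 @@ function checkUserCanDeleteVideo (user: UserModel, video: VideoModel, res: expre
 }
 
 // Check if the user can delete the video
-// The user can delete it if s/he is an admin
+// The user can delete it if he has the right
 // Or if s/he is the video's account
 const account = video.VideoChannel.Account
 if (user.hasRight(UserRight.REMOVE_ANY_VIDEO) === false && account.userId !== user.id) {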