Diffstat (limited to 'server/middlewares/validators')
-rw-r--r--server/middlewares/validators/video-comments.ts35
-rw-r--r--server/middlewares/validators/videos.ts2
2 files changed, 35 insertions, 2 deletions
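diff --git a/server/middlewares/validators/video-comments.ts b/server/middlewares/validators/video-comments.ts
index ade0b7b9f..63804da30 100644
--- a/server/middlewares/validators/video-comments.ts
+++ b/server/middlewares/validators/video-comments.ts
@@ -1,9 +1,11 @@
 import * as express from 'express'
 import { body, param } from 'express-validator/check'
+import { UserRight } from '../../../shared'
 import { isIdOrUUIDValid, isIdValid } from '../../helpers/custom-validators/misc'
 import { isValidVideoCommentText } from '../../helpers/custom-validators/video-comments'
 import { isVideoExist } from '../../helpers/custom-validators/videos'
 import { logger } from '../../helpers/logger'
+import { UserModel } from '../../models/account/user'
 import { VideoModel } from '../../models/video/video'
 import { VideoCommentModel } from '../../models/video/video-comment'
 import { areValidationErrors } from './utils'
@@ -83,6 +85,24 @@ const videoCommentGetValidator = [
  }
 ]
 
+const removeVideoCommentValidator = [
+ param('videoId').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid videoId'),
+ param('commentId').custom(isIdValid).not().isEmpty().withMessage('Should have a valid commentId'),
+
+ async (req: express.Request, res: express.Response, next: express.NextFunction) => {
+ logger.debug('Checking removeVideoCommentValidator parameters.', { parameters: req.params })
+
+ if (areValidationErrors(req, res)) return
+ if (!await isVideoExist(req.params.videoId, res)) return
+ if (!await isVideoCommentExist(req.params.commentId, res.locals.video, res)) return
+
+ // Check if the user who did the request is able to delete the video
+ if (!checkUserCanDeleteVideoComment(res.locals.oauth.token.User, res.locals.videoComment, res)) return
+
+ return next()
+ }
+]
+
 // ---------------------------------------------------------------------------
 
 export {
@@ -90,7 +110,8 @@ export {
  listVideoThreadCommentsValidator,
  addVideoCommentThreadValidator,
  addVideoCommentReplyValidator,
- videoCommentGetValidator
+ videoCommentGetValidator,
+ removeVideoCommentValidator
 }
 
 // ---------------------------------------------------------------------------
@@ -160,3 +181,15 @@ function isVideoCommentsEnabled (video: VideoModel, res: express.Response) {
 
  return true
 }
+
+function checkUserCanDeleteVideoComment (user: UserModel, videoComment: VideoCommentModel, res: express.Response) {
+ const account = videoComment.Account
+ if (user.hasRight(UserRight.REMOVE_ANY_VIDEO_COMMENT) === false && account.userId !== user.id) {
+ res.status(403)
+ .json({ error: 'Cannot remove video comment of another user' })
+ .end()
+ return false
+ }
+
+ return true
+}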
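Review bot: The permission test in `checkUserCanDeleteVideoComment` fails open, because `user.hasRight(UserRight.REMOVE_ANY_VIDEO_COMMENT) === false` only denies when `hasRight` returns exactly `false`; any `undefined` or other non-boolean result (its implementation is not visible here) would skip the 403 for a user who does not own the comment. `if (!user.hasRight(UserRight.REMOVE_ANY_VIDEO_COMMENT) && account.userId !== user.id) {` makes denial the default, and the same comparison appears in `checkUserCanDeleteVideo` in videos.ts. The function also reads `videoComment.Account.userId` and the validator reads `res.locals.oauth.token.User` without guards, so both presumably rely on `isVideoCommentExist` loading the account and on the authentication middleware running earlier on the route; a short comment stating that precondition would help. The comment above the call in `removeVideoCommentValidator` says "delete the video" where `// Check if the user who did the request is able to delete the video comment` is meant.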
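diff --git a/server/middlewares/validators/videos.ts b/server/middlewares/validators/videos.ts
index e8cb2ae03..1acb306c0 100644
--- a/server/middlewares/validators/videos.ts
+++ b/server/middlewares/validators/videos.ts
@@ -253,7 +253,7 @@ function checkUserCanDeleteVideo (user: UserModel, video: VideoModel, res: expre
  }
 
  // Check if the user can delete the video
- // The user can delete it if s/he is an admin
+ // The user can delete it if he has the right
  // Or if s/he is the video's account
  const account = video.VideoChannel.Account
  if (user.hasRight(UserRight.REMOVE_ANY_VIDEO) === false && account.userId !== user.id) {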