Diffstat (limited to 'server/middlewares/validators')
-rw-r--r-- | server/middlewares/validators/videos/video-comments.ts | 17 |
1 files changed, 11 insertions, 6 deletions
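--- a/server/middlewares/validators/videos/video-comments.ts
+++ b/server/middlewares/validators/videos/video-comments.ts
@@ -9,8 +9,8 @@ import { areValidationErrors } from '../utils'
 import { Hooks } from '../../../lib/plugins/hooks'
 import { AcceptResult, isLocalVideoCommentReplyAccepted, isLocalVideoThreadAccepted } from '../../../lib/moderation'
 import { doesVideoExist } from '../../../helpers/middlewares'
-import { MCommentOwner, MVideo, MVideoFullLight, MVideoId } from '../../../typings/models/video'
-import { MUser } from '@server/typings/models'
+import { MCommentOwner, MVideo, MVideoFullLight, MVideoId, MCommentOwnerVideoReply } from '../../../typings/models/video'
+import { MUser, MUserAccountUrl } from '@server/typings/models'
 
 const listVideoCommentThreadsValidator = [
 param('videoId').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid videoId'),
@@ -188,7 +188,7 @@ function isVideoCommentsEnabled (video: MVideo, res: express.Response) {
 return true
 }
 
-function checkUserCanDeleteVideoComment (user: MUser, videoComment: MCommentOwner, res: express.Response) {
+function checkUserCanDeleteVideoComment (user: MUserAccountUrl, videoComment: MCommentOwnerVideoReply, res: express.Response) {
 if (videoComment.isDeleted()) {
 res.status(409)
 .json({ error: 'This comment is already deleted' })
@@ -196,11 +196,16 @@ function checkUserCanDeleteVideoComment (user: MUser, videoComment: MCommentOwne
 return false
 }
 
-const account = videoComment.Account
-if (user.hasRight(UserRight.REMOVE_ANY_VIDEO_COMMENT) === false && account.userId !== user.id) {
+const userAccount = user.Account
+
+if (
+user.hasRight(UserRight.REMOVE_ANY_VIDEO_COMMENT) === false && // Not a moderator
+videoComment.accountId !== userAccount.id && // Not the comment owner
+videoComment.Video.VideoChannel.accountId !== userAccount.id // Not the video owner
+) {
 res.status(403)
 .json({ error: 'Cannot remove video comment of another user' })
-.end()
+
 return false
 }
 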
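Review bot: The rewritten authorization condition in `checkUserCanDeleteVideoComment` dereferences `user.Account` and `videoComment.Video.VideoChannel` with no runtime guard, and the `MUserAccountUrl` / `MCommentOwnerVideoReply` types that promise those associations are erased at compile time. If a caller's query (not visible in this diff) omits one of those joins, the check throws instead of answering 403, so the loader requirement deserves a comment above the condition such as `// Caller must load user.Account and videoComment.Video.VideoChannel; ownership is decided from the comment's own video, not the route's videoId`. Since this condition is now the only thing separating a video owner from any other authenticated user, a short doc comment on the function listing the three permitted roles (moderator, comment author, video owner) would also help. The 403 for an unrelated user and the 204 for a video owner who is not the comment author should each be pinned by a test. The function starts in the previous hunk and continues past the end of this one.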