aboutsummaryrefslogtreecommitdiffhomepage
path: root/server/middlewares/validators
diff options
context:
space:
mode:
Diffstat (limited to 'server/middlewares/validators')
-rw-r--r--server/middlewares/validators/videos/video-comments.ts17
1 files changed, 11 insertions, 6 deletions
diff --git a/server/middlewares/validators/videos/video-comments.ts b/server/middlewares/validators/videos/video-comments.ts
index da2fafb10..8fa2d8561 100644
--- a/server/middlewares/validators/videos/video-comments.ts
+++ b/server/middlewares/validators/videos/video-comments.ts
@@ -9,8 +9,8 @@ import { areValidationErrors } from '../utils'
9import { Hooks } from '../../../lib/plugins/hooks' 9import { Hooks } from '../../../lib/plugins/hooks'
10import { AcceptResult, isLocalVideoCommentReplyAccepted, isLocalVideoThreadAccepted } from '../../../lib/moderation' 10import { AcceptResult, isLocalVideoCommentReplyAccepted, isLocalVideoThreadAccepted } from '../../../lib/moderation'
11import { doesVideoExist } from '../../../helpers/middlewares' 11import { doesVideoExist } from '../../../helpers/middlewares'
12import { MCommentOwner, MVideo, MVideoFullLight, MVideoId } from '../../../typings/models/video' 12import { MCommentOwner, MVideo, MVideoFullLight, MVideoId, MCommentOwnerVideoReply } from '../../../typings/models/video'
13import { MUser } from '@server/typings/models' 13import { MUser, MUserAccountUrl } from '@server/typings/models'
14 14
15const listVideoCommentThreadsValidator = [ 15const listVideoCommentThreadsValidator = [
16 param('videoId').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid videoId'), 16 param('videoId').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid videoId'),
@@ -188,7 +188,7 @@ function isVideoCommentsEnabled (video: MVideo, res: express.Response) {
188 return true 188 return true
189} 189}
190 190
191function checkUserCanDeleteVideoComment (user: MUser, videoComment: MCommentOwner, res: express.Response) { 191function checkUserCanDeleteVideoComment (user: MUserAccountUrl, videoComment: MCommentOwnerVideoReply, res: express.Response) {
192 if (videoComment.isDeleted()) { 192 if (videoComment.isDeleted()) {
193 res.status(409) 193 res.status(409)
194 .json({ error: 'This comment is already deleted' }) 194 .json({ error: 'This comment is already deleted' })
@@ -196,11 +196,16 @@ function checkUserCanDeleteVideoComment (user: MUser, videoComment: MCommentOwne
196 return false 196 return false
197 } 197 }
198 198
199 const account = videoComment.Account 199 const userAccount = user.Account
200 if (user.hasRight(UserRight.REMOVE_ANY_VIDEO_COMMENT) === false && account.userId !== user.id) { 200
201 if (
202 user.hasRight(UserRight.REMOVE_ANY_VIDEO_COMMENT) === false && // Not a moderator
203 videoComment.accountId !== userAccount.id && // Not the comment owner
204 videoComment.Video.VideoChannel.accountId !== userAccount.id // Not the video owner
205 ) {
201 res.status(403) 206 res.status(403)
202 .json({ error: 'Cannot remove video comment of another user' }) 207 .json({ error: 'Cannot remove video comment of another user' })
203 .end() 208
204 return false 209 return false
205 } 210 }
206 211