Diffstat (limited to 'server/middlewares')
-rw-r--r-- | server/middlewares/validators/video-channels.ts | 18 |
1 files changed, 18 insertions, 0 deletions
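--- a/server/middlewares/validators/video-channels.ts
+++ b/server/middlewares/validators/video-channels.ts
@@ -11,6 +11,7 @@ import { logger } from '../../helpers/logger'
 import { UserModel } from '../../models/account/user'
 import { VideoChannelModel } from '../../models/video/video-channel'
 import { areValidationErrors } from './utils'
+import { AccountModel } from '../../models/account/account'
 
 const listVideoAccountChannelsValidator = [
 param('accountId').custom(isIdOrUUIDValid).withMessage('Should have a valid account id'),
@@ -53,6 +54,7 @@ const videoChannelsUpdateValidator = [
 if (areValidationErrors(req, res)) return
 if (!await isAccountIdExist(req.params.accountId, res)) return
 if (!await isVideoChannelExist(req.params.id, res)) return
+if (!checkAccountOwnsVideoChannel(res.locals.account, res.locals.videoChannel, res)) return
 
 // We need to make additional checks
 if (res.locals.videoChannel.Actor.isOwned() === false) {
@@ -82,6 +84,7 @@ const videoChannelsRemoveValidator = [
 if (!await isAccountIdExist(req.params.accountId, res)) return
 if (!await isVideoChannelExist(req.params.id, res)) return
 
+if (!checkAccountOwnsVideoChannel(res.locals.account, res.locals.videoChannel, res)) return
 // Check if the user who did the request is able to delete the video
 if (!checkUserCanDeleteVideoChannel(res.locals.oauth.token.User, res.locals.videoChannel, res)) return
 if (!await checkVideoChannelIsNotTheLastOne(res)) return
@@ -98,10 +101,13 @@ const videoChannelsGetValidator = [
 logger.debug('Checking videoChannelsGet parameters', { parameters: req.params })
 
 if (areValidationErrors(req, res)) return
+
 // On some routes, accountId is optional (for example in the ActivityPub route)
 if (req.params.accountId && !await isAccountIdExist(req.params.accountId, res)) return
 if (!await isVideoChannelExist(req.params.id, res)) return
 
+if (res.locals.account && !checkAccountOwnsVideoChannel(res.locals.account, res.locals.videoChannel, res)) return
+
 return next()
 }
 ]
@@ -154,3 +160,15 @@ async function checkVideoChannelIsNotTheLastOne (res: express.Response) {
 
 return true
 }
+
+function checkAccountOwnsVideoChannel (account: AccountModel, videoChannel: VideoChannelModel, res: express.Response) {
+if (videoChannel.Account.id !== account.id) {
+res.status(400)
+.json({ error: 'This account does not own this video channel' })
+.end()
+
+return false
+}
+
+return true
+}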
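Review bot: The added helper `checkAccountOwnsVideoChannel` at the end of the file only compares the channel's account with the account resolved from the `accountId` route parameter, so despite its name it says nothing about whether the authenticated requester controls that account. In the update and remove validators the requester-side checks come from the code that follows it (`Actor.isOwned()` plus checks outside the hunk, and `checkUserCanDeleteVideoChannel`), so the helper should carry a comment that makes the boundary explicit, for example `// Route consistency only: verifies the channel belongs to the account in the URL, not that the requester may act on it`. The helper also dereferences `videoChannel.Account.id` without a guard; this presumably relies on `isVideoChannelExist` loading the channel with its `Account` association, which is not visible here and is worth confirming, since a missing association would surface as an unhandled exception rather than a 4xx response.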