Diffstat (limited to 'server/middlewares')
-rw-r--r--server/middlewares/admin.ts20
-rw-r--r--server/middlewares/index.ts2
-rw-r--r--server/middlewares/user-right.ts24
-rw-r--r--server/middlewares/validators/users.ts5
-rw-r--r--server/middlewares/validators/video-channels.ts6
-rw-r--r--server/middlewares/validators/videos.ts3
6 files changed, 35 insertions, 25 deletions
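diff --git a/server/middlewares/admin.ts b/server/middlewares/admin.ts
deleted file mode 100644
index 812397352..000000000
--- a/server/middlewares/admin.ts
+++ /dev/null
@@ -1,20 +0,0 @@
-import 'express-validator'
-import * as express from 'express'
-
-import { logger } from '../helpers'
-
-function ensureIsAdmin (req: express.Request, res: express.Response, next: express.NextFunction) {
- const user = res.locals.oauth.token.user
- if (user.isAdmin() === false) {
- logger.info('A non admin user is trying to access to an admin content.')
- return res.sendStatus(403)
- }
-
- return next()
-}
-
-// ---------------------------------------------------------------------------
-
-export {
- ensureIsAdmin
-}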
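diff --git a/server/middlewares/index.ts b/server/middlewares/index.ts
index 0e2c850e1..cec3e0b2a 100644
--- a/server/middlewares/index.ts
+++ b/server/middlewares/index.ts
@@ -1,5 +1,4 @@
 export * from './validators'
-export * from './admin'
 export * from './async'
 export * from './oauth'
 export * from './pagination'
@@ -7,3 +6,4 @@ export * from './pods'
 export * from './search'
 export * from './secure'
 export * from './sort'
+export * from './user-right'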
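diff --git a/server/middlewares/user-right.ts b/server/middlewares/user-right.ts
new file mode 100644
index 000000000..bcebe9d7f
--- /dev/null
+++ b/server/middlewares/user-right.ts
@@ -0,0 +1,24 @@
+import 'express-validator'
+import * as express from 'express'
+
+import { UserInstance } from '../models'
+import { UserRight } from '../../shared'
+import { logger } from '../helpers'
+
+function ensureUserHasRight (userRight: UserRight) {
+ return function (req: express.Request, res: express.Response, next: express.NextFunction) {
+ const user: UserInstance = res.locals.oauth.token.user
+ if (user.hasRight(userRight) === false) {
+ logger.info('User %s does not have right %s to access to %s.', user.username, UserRight[userRight], req.path)
+ return res.sendStatus(403)
+ }
+
+ return next()
+ }
+}
+
+// ---------------------------------------------------------------------------
+
+export {
+ ensureUserHasRight
+}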
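Review bot: `ensureUserHasRight` reads the caller from `res.locals.oauth.token.user` (line 10 of the new file), whereas the video-channels.ts and videos.ts hunks in this same commit read `res.locals.oauth.token.User`; if the OAuth layer populates only one of these properties, the other path dereferences `undefined` and the middleware throws a TypeError instead of answering 403. I'd settle on one spelling and fail closed explicitly with `if (!user) return res.sendStatus(403)` ahead of the `hasRight` call, so a token without an attached user is rejected with the intended status rather than a generic error. The exported factory also lacks a doc comment; a TSDoc along the lines of `/** Returns middleware that answers 403 unless the token's user holds userRight; otherwise calls next(). */` would document the contract for route authors.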
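diff --git a/server/middlewares/validators/users.ts b/server/middlewares/validators/users.ts
index 1a33cfd8c..0b463acc0 100644
--- a/server/middlewares/validators/users.ts
+++ b/server/middlewares/validators/users.ts
@@ -13,7 +13,8 @@ import {
  isUserPasswordValid,
  isUserVideoQuotaValid,
  isUserDisplayNSFWValid,
- isIdOrUUIDValid
+ isIdOrUUIDValid,
+ isUserRoleValid
 } from '../../helpers'
 import { UserInstance, VideoInstance } from '../../models'
 
@@ -22,6 +23,7 @@ const usersAddValidator = [
  body('password').custom(isUserPasswordValid).withMessage('Should have a valid password'),
  body('email').isEmail().withMessage('Should have a valid email'),
  body('videoQuota').custom(isUserVideoQuotaValid).withMessage('Should have a valid user quota'),
+ body('role').custom(isUserRoleValid).withMessage('Should have a valid role'),
 
  (req: express.Request, res: express.Response, next: express.NextFunction) => {
  logger.debug('Checking usersAdd parameters', { parameters: req.body })
@@ -75,6 +77,7 @@ const usersUpdateValidator = [
  param('id').isInt().not().isEmpty().withMessage('Should have a valid id'),
  body('email').optional().isEmail().withMessage('Should have a valid email attribute'),
  body('videoQuota').optional().custom(isUserVideoQuotaValid).withMessage('Should have a valid user quota'),
+ body('role').optional().custom(isUserRoleValid).withMessage('Should have a valid role'),
 
  (req: express.Request, res: express.Response, next: express.NextFunction) => {
  logger.debug('Checking usersUpdate parameters', { parameters: req.body })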
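Review bot: The new `body('role')` validators in usersAddValidator (new line 26) and usersUpdateValidator (new line 80) only confirm that the submitted value is a recognised role; nothing in these hunks checks that the requesting user is entitled to grant that role, so whoever can reach these routes could create or promote an account to a role more privileged than their own. Whether the routes are restricted to a specific right, and what isUserRoleValid accepts, are both outside this hunk, so this may already be handled elsewhere; if it is not, the caller's own role should be compared against the requested one, either in a custom validator or in the handler before the user is written. A short comment on each new line, e.g. `// Enum check only: granting this role still needs an authorization check against the caller`, would make the intended split of responsibility explicit.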
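diff --git a/server/middlewares/validators/video-channels.ts b/server/middlewares/validators/video-channels.ts
index 979fbd34a..7d611728b 100644
--- a/server/middlewares/validators/video-channels.ts
+++ b/server/middlewares/validators/video-channels.ts
@@ -11,6 +11,8 @@ import {
  checkVideoChannelExists,
  checkVideoAuthorExists
 } from '../../helpers'
+import { UserInstance } from '../../models'
+import { UserRight } from '../../../shared'
 
 const listVideoAuthorChannelsValidator = [
  param('authorId').custom(isIdOrUUIDValid).withMessage('Should have a valid author id'),
@@ -106,7 +108,7 @@ export {
 // ---------------------------------------------------------------------------
 
 function checkUserCanDeleteVideoChannel (res: express.Response, callback: () => void) {
- const user = res.locals.oauth.token.User
+ const user: UserInstance = res.locals.oauth.token.User
 
  // Retrieve the user who did the request
  if (res.locals.videoChannel.isOwned() === false) {
@@ -118,7 +120,7 @@ function checkUserCanDeleteVideoChannel (res: express.Response, callback: () =>
  // Check if the user can delete the video channel
  // The user can delete it if s/he is an admin
  // Or if s/he is the video channel's author
- if (user.isAdmin() === false && res.locals.videoChannel.Author.userId !== user.id) {
+ if (user.hasRight(UserRight.REMOVE_ANY_VIDEO_CHANNEL) === false && res.locals.videoChannel.Author.userId !== user.id) {
  return res.status(403)
  .json({ error: 'Cannot remove video channel of another user' })
  .end()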
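Review bot: The comment just above the changed condition in checkUserCanDeleteVideoChannel (new lines 120-122) still says the user may delete the channel "if s/he is an admin", but the condition on new line 123 now tests `user.hasRight(UserRight.REMOVE_ANY_VIDEO_CHANNEL)`, so the comment no longer describes the check; the videos.ts hunk of this commit (new lines 233-235) carries the same stale wording for REMOVE_ANY_VIDEO. I'd change it to `// The user can delete it if s/he has the REMOVE_ANY_VIDEO_CHANNEL right` here and to the REMOVE_ANY_VIDEO equivalent in videos.ts. checkUserCanDeleteVideoChannel continues past the end of this hunk.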
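diff --git a/server/middlewares/validators/videos.ts b/server/middlewares/validators/videos.ts
index a032d14ce..0c07404c5 100644
--- a/server/middlewares/validators/videos.ts
+++ b/server/middlewares/validators/videos.ts
@@ -22,6 +22,7 @@ import {
  checkVideoExists,
  isIdValid
 } from '../../helpers'
+import { UserRight } from '../../../shared'
 
 const videosAddValidator = [
  body('videofile').custom((value, { req }) => isVideoFile(req.files)).withMessage(
@@ -231,7 +232,7 @@ function checkUserCanDeleteVideo (userId: number, res: express.Response, callbac
  // Check if the user can delete the video
  // The user can delete it if s/he is an admin
  // Or if s/he is the video's author
- if (user.isAdmin() === false && res.locals.video.Author.userId !== res.locals.oauth.token.User.id) {
+ if (user.hasRight(UserRight.REMOVE_ANY_VIDEO) === false && res.locals.video.Author.userId !== res.locals.oauth.token.User.id) {
  return res.status(403)
  .json({ error: 'Cannot remove video of another user' })
  .end()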