Diffstat (limited to 'server/middlewares')
-rw-r--r--server/middlewares/validators/video-channels.ts18
1 files changed, 18 insertions, 0 deletions
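diff --git a/server/middlewares/validators/video-channels.ts b/server/middlewares/validators/video-channels.ts
index e3a11a41b..9e6f459cf 100644
--- a/server/middlewares/validators/video-channels.ts
+++ b/server/middlewares/validators/video-channels.ts
@@ -11,6 +11,7 @@ import { logger } from '../../helpers/logger'
 import { UserModel } from '../../models/account/user'
 import { VideoChannelModel } from '../../models/video/video-channel'
 import { areValidationErrors } from './utils'
+import { AccountModel } from '../../models/account/account'
 
 const listVideoAccountChannelsValidator = [
 param('accountId').custom(isIdOrUUIDValid).withMessage('Should have a valid account id'),
@@ -53,6 +54,7 @@ const videoChannelsUpdateValidator = [
 if (areValidationErrors(req, res)) return
 if (!await isAccountIdExist(req.params.accountId, res)) return
 if (!await isVideoChannelExist(req.params.id, res)) return
+if (!checkAccountOwnsVideoChannel(res.locals.account, res.locals.videoChannel, res)) return
 
 // We need to make additional checks
 if (res.locals.videoChannel.Actor.isOwned() === false) {
@@ -82,6 +84,7 @@ const videoChannelsRemoveValidator = [
 if (!await isAccountIdExist(req.params.accountId, res)) return
 if (!await isVideoChannelExist(req.params.id, res)) return
 
+if (!checkAccountOwnsVideoChannel(res.locals.account, res.locals.videoChannel, res)) return
 // Check if the user who did the request is able to delete the video
 if (!checkUserCanDeleteVideoChannel(res.locals.oauth.token.User, res.locals.videoChannel, res)) return
 if (!await checkVideoChannelIsNotTheLastOne(res)) return
@@ -98,10 +101,13 @@ const videoChannelsGetValidator = [
 logger.debug('Checking videoChannelsGet parameters', { parameters: req.params })
 
 if (areValidationErrors(req, res)) return
+
 // On some routes, accountId is optional (for example in the ActivityPub route)
 if (req.params.accountId && !await isAccountIdExist(req.params.accountId, res)) return
 if (!await isVideoChannelExist(req.params.id, res)) return
 
+if (res.locals.account && !checkAccountOwnsVideoChannel(res.locals.account, res.locals.videoChannel, res)) return
+
 return next()
 }
 ]
@@ -154,3 +160,15 @@ async function checkVideoChannelIsNotTheLastOne (res: express.Response) {
 
 return true
 }
+
+function checkAccountOwnsVideoChannel (account: AccountModel, videoChannel: VideoChannelModel, res: express.Response) {
+if (videoChannel.Account.id !== account.id) {
+res.status(400)
+.json({ error: 'This account does not own this video channel' })
+.end()
+
+return false
+}
+
+return true
+}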
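Review bot: `checkAccountOwnsVideoChannel` (new lines 164-174) compares the channel's owner with the account named in the URL, not with the authenticated user, and nothing in the code says so; a reader of the update and remove validators could take it for the authorization check. A short comment above the function would settle it, for example `// Path consistency only: :accountId must be the channel's owner. Requester permissions are checked separately.` In `videoChannelsGetValidator` the new guard tests `res.locals.account` while the lookup two lines earlier tests `req.params.accountId`; using the same condition for both would avoid depending on whether an earlier middleware also fills `res.locals.account`, which cannot be seen from this diff. The helper also assumes `videoChannel.Account` is loaded by `isVideoChannelExist`, whose body is outside the hunks, so that is worth confirming.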