Diffstat (limited to 'server/middlewares')
-rw-r--r--server/middlewares/user-right.ts6
-rw-r--r--server/middlewares/validators/abuse.ts105
2 files changed, 99 insertions, 12 deletions
diff --git a/server/middlewares/user-right.ts b/server/middlewares/user-right.ts
index 4da7b9802..4d836485c 100644
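--- a/server/middlewares/user-right.ts
+++ b/server/middlewares/user-right.ts
@@ -9,11 +9,7 @@ function ensureUserHasRight (userRight: UserRight) {
  const message = `User ${user.username} does not have right ${UserRight[userRight]} to access to ${req.path}.`
  logger.info(message)
 
- return res.status(403)
- .json({
- error: message
- })
- .end()
+ return res.status(403).json({ error: message })
  }
 
  return next()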
diff --git a/server/middlewares/validators/abuse.ts b/server/middlewares/validators/abuse.ts
index 966d1f7fb..cb0bc658a 100644
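--- a/server/middlewares/validators/abuse.ts
+++ b/server/middlewares/validators/abuse.ts
@@ -2,8 +2,9 @@ import * as express from 'express'
 import { body, param, query } from 'express-validator'
 import {
  isAbuseFilterValid,
+ isAbuseMessageValid,
  isAbuseModerationCommentValid,
- isAbusePredefinedReasonsValid,
+ areAbusePredefinedReasonsValid,
  isAbusePredefinedReasonValid,
  isAbuseReasonValid,
  isAbuseStateValid,
@@ -15,7 +16,8 @@ import { exists, isIdOrUUIDValid, isIdValid, toIntOrNull } from '@server/helpers
 import { doesCommentIdExist } from '@server/helpers/custom-validators/video-comments'
 import { logger } from '@server/helpers/logger'
 import { doesAbuseExist, doesAccountIdExist, doesVideoAbuseExist, doesVideoExist } from '@server/helpers/middlewares'
-import { AbuseCreate } from '@shared/models'
+import { AbuseMessageModel } from '@server/models/abuse/abuse-message'
+import { AbuseCreate, UserRight } from '@shared/models'
 import { areValidationErrors } from './utils'
 
 const abuseReportValidator = [
@@ -53,7 +55,7 @@ const abuseReportValidator = [
 
  body('predefinedReasons')
  .optional()
- .custom(isAbusePredefinedReasonsValid)
+ .custom(areAbusePredefinedReasonsValid)
  .withMessage('Should have a valid list of predefined reasons'),
 
  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
@@ -111,7 +113,7 @@ const abuseUpdateValidator = [
  }
 ]
 
-const abuseListValidator = [
+const abuseListForAdminsValidator = [
  query('id')
  .optional()
  .custom(isIdValid).withMessage('Should have a valid id'),
@@ -146,7 +148,7 @@ const abuseListValidator = [
  .custom(exists).withMessage('Should have a valid video channel search'),
 
  (req: express.Request, res: express.Response, next: express.NextFunction) => {
- logger.debug('Checking abuseListValidator parameters', { parameters: req.body })
+ logger.debug('Checking abuseListForAdminsValidator parameters', { parameters: req.body })
 
  if (areValidationErrors(req, res)) return
 
@@ -154,6 +156,91 @@ const abuseListValidator = [
  }
 ]
 
+const abuseListForUserValidator = [
+ query('id')
+ .optional()
+ .custom(isIdValid).withMessage('Should have a valid id'),
+
+ query('search')
+ .optional()
+ .custom(exists).withMessage('Should have a valid search'),
+
+ query('state')
+ .optional()
+ .custom(isAbuseStateValid).withMessage('Should have a valid abuse state'),
+
+ (req: express.Request, res: express.Response, next: express.NextFunction) => {
+ logger.debug('Checking abuseListForUserValidator parameters', { parameters: req.body })
+
+ if (areValidationErrors(req, res)) return
+
+ return next()
+ }
+]
+
+const getAbuseValidator = [
+ param('id').custom(isIdValid).not().isEmpty().withMessage('Should have a valid id'),
+
+ async (req: express.Request, res: express.Response, next: express.NextFunction) => {
+ logger.debug('Checking getAbuseValidator parameters', { parameters: req.body })
+
+ if (areValidationErrors(req, res)) return
+ if (!await doesAbuseExist(req.params.id, res)) return
+
+ const user = res.locals.oauth.token.user
+ const abuse = res.locals.abuse
+
+ if (user.hasRight(UserRight.MANAGE_ABUSES) !== true && abuse.reporterAccountId !== user.Account.id) {
+ const message = `User ${user.username} does not have right to get abuse ${abuse.id}`
+ logger.warn(message)
+
+ return res.status(403).json({ error: message })
+ }
+
+ return next()
+ }
+]
+
+const addAbuseMessageValidator = [
+ body('message').custom(isAbuseMessageValid).not().isEmpty().withMessage('Should have a valid abuse message'),
+
+ (req: express.Request, res: express.Response, next: express.NextFunction) => {
+ logger.debug('Checking addAbuseMessageValidator parameters', { parameters: req.body })
+
+ if (areValidationErrors(req, res)) return
+
+ return next()
+ }
+]
+
+const deleteAbuseMessageValidator = [
+ param('messageId').custom(isIdValid).not().isEmpty().withMessage('Should have a valid message id'),
+
+ async (req: express.Request, res: express.Response, next: express.NextFunction) => {
+ logger.debug('Checking deleteAbuseMessageValidator parameters', { parameters: req.body })
+
+ if (areValidationErrors(req, res)) return
+
+ const user = res.locals.oauth.token.user
+ const abuse = res.locals.abuse
+
+ const messageId = parseInt(req.params.messageId + '', 10)
+ const abuseMessage = await AbuseMessageModel.loadByIdAndAbuseId(messageId, abuse.id)
+
+ if (!abuseMessage) {
+ return res.status(404).json({ error: 'Abuse message not found' })
+ }
+
+ if (user.hasRight(UserRight.MANAGE_ABUSES) !== true && abuseMessage.accountId !== user.Account.id) {
+ return res.status(403).json({ error: 'Cannot delete this abuse message' })
+ }
+
+ res.locals.abuseMessage = abuseMessage
+
+ return next()
+ }
+]
+
 // FIXME: deprecated in 2.3. Remove these validators
 
 const videoAbuseReportValidator = [
@@ -167,7 +254,7 @@ const videoAbuseReportValidator = [
  .withMessage('Should have a valid reason'),
  body('predefinedReasons')
  .optional()
- .custom(isAbusePredefinedReasonsValid)
+ .custom(areAbusePredefinedReasonsValid)
  .withMessage('Should have a valid list of predefined reasons'),
  body('startAt')
  .optional()
@@ -266,10 +353,14 @@ const videoAbuseListValidator = [
 // ---------------------------------------------------------------------------
 
 export {
- abuseListValidator,
+ abuseListForAdminsValidator,
  abuseReportValidator,
  abuseGetValidator,
+ addAbuseMessageValidator,
  abuseUpdateValidator,
+ deleteAbuseMessageValidator,
+ abuseListForUserValidator,
+ getAbuseValidator,
  videoAbuseReportValidator,
  videoAbuseGetValidator,
  videoAbuseUpdateValidator,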
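Review bot: `deleteAbuseMessageValidator` (new lines 216-242) reads `res.locals.abuse` without loading it or checking that the caller may access that abuse, so both the existence check and the reporter/`MANAGE_ABUSES` check depend on another validator having run earlier in the route chain; the same applies to `addAbuseMessageValidator` (204-214), which performs no access check of its own. The routes are not part of this diff, so that ordering cannot be confirmed from here. I would state the contract above both arrays, e.g. `// Must be mounted after getAbuseValidator: relies on res.locals.abuse and on its reporter/MANAGE_ABUSES check`, so a later route change does not silently drop the authorization. Separately, the debug line in `deleteAbuseMessageValidator` logs `req.body` although the value it validates is `req.params.messageId`.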