Diffstat (limited to 'server/middlewares')
-rw-r--r-- | server/middlewares/user-right.ts | 6 | ||||
-rw-r--r-- | server/middlewares/validators/abuse.ts | 105 |
2 files changed, 99 insertions, 12 deletions
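--- a/server/middlewares/user-right.ts
+++ b/server/middlewares/user-right.ts
@@ -9,11 +9,7 @@ function ensureUserHasRight (userRight: UserRight) {
 const message = `User ${user.username} does not have right ${UserRight[userRight]} to access to ${req.path}.`
 logger.info(message)
 
-return res.status(403)
-.json({
-error: message
-})
-.end()
+return res.status(403).json({ error: message })
 }
 
 return next()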
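--- a/server/middlewares/validators/abuse.ts
+++ b/server/middlewares/validators/abuse.ts
@@ -2,8 +2,9 @@ import * as express from 'express'
 import { body, param, query } from 'express-validator'
 import {
 isAbuseFilterValid,
+isAbuseMessageValid,
 isAbuseModerationCommentValid,
-isAbusePredefinedReasonsValid,
+areAbusePredefinedReasonsValid,
 isAbusePredefinedReasonValid,
 isAbuseReasonValid,
 isAbuseStateValid,
@@ -15,7 +16,8 @@ import { exists, isIdOrUUIDValid, isIdValid, toIntOrNull } from '@server/helpers
 import { doesCommentIdExist } from '@server/helpers/custom-validators/video-comments'
 import { logger } from '@server/helpers/logger'
 import { doesAbuseExist, doesAccountIdExist, doesVideoAbuseExist, doesVideoExist } from '@server/helpers/middlewares'
-import { AbuseCreate } from '@shared/models'
+import { AbuseMessageModel } from '@server/models/abuse/abuse-message'
+import { AbuseCreate, UserRight } from '@shared/models'
 import { areValidationErrors } from './utils'
 
 const abuseReportValidator = [
@@ -53,7 +55,7 @@ const abuseReportValidator = [
 
 body('predefinedReasons')
 .optional()
-.custom(isAbusePredefinedReasonsValid)
+.custom(areAbusePredefinedReasonsValid)
 .withMessage('Should have a valid list of predefined reasons'),
 
 async (req: express.Request, res: express.Response, next: express.NextFunction) => {
@@ -111,7 +113,7 @@ const abuseUpdateValidator = [
 }
 ]
 
-const abuseListValidator = [
+const abuseListForAdminsValidator = [
 query('id')
 .optional()
 .custom(isIdValid).withMessage('Should have a valid id'),
@@ -146,7 +148,7 @@ const abuseListValidator = [
 .custom(exists).withMessage('Should have a valid video channel search'),
 
 (req: express.Request, res: express.Response, next: express.NextFunction) => {
-logger.debug('Checking abuseListValidator parameters', { parameters: req.body })
+logger.debug('Checking abuseListForAdminsValidator parameters', { parameters: req.body })
 
 if (areValidationErrors(req, res)) return
 
@@ -154,6 +156,91 @@ const abuseListValidator = [
 }
 ]
 
+const abuseListForUserValidator = [
+query('id')
+.optional()
+.custom(isIdValid).withMessage('Should have a valid id'),
+
+query('search')
+.optional()
+.custom(exists).withMessage('Should have a valid search'),
+
+query('state')
+.optional()
+.custom(isAbuseStateValid).withMessage('Should have a valid abuse state'),
+
+(req: express.Request, res: express.Response, next: express.NextFunction) => {
+logger.debug('Checking abuseListForUserValidator parameters', { parameters: req.body })
+
+if (areValidationErrors(req, res)) return
+
+return next()
+}
+]
+
+const getAbuseValidator = [
+param('id').custom(isIdValid).not().isEmpty().withMessage('Should have a valid id'),
+
+async (req: express.Request, res: express.Response, next: express.NextFunction) => {
+logger.debug('Checking getAbuseValidator parameters', { parameters: req.body })
+
+if (areValidationErrors(req, res)) return
+if (!await doesAbuseExist(req.params.id, res)) return
+
+const user = res.locals.oauth.token.user
+const abuse = res.locals.abuse
+
+if (user.hasRight(UserRight.MANAGE_ABUSES) !== true && abuse.reporterAccountId !== user.Account.id) {
+const message = `User ${user.username} does not have right to get abuse ${abuse.id}`
+logger.warn(message)
+
+return res.status(403).json({ error: message })
+}
+
+return next()
+}
+]
+
+const addAbuseMessageValidator = [
+body('message').custom(isAbuseMessageValid).not().isEmpty().withMessage('Should have a valid abuse message'),
+
+(req: express.Request, res: express.Response, next: express.NextFunction) => {
+logger.debug('Checking addAbuseMessageValidator parameters', { parameters: req.body })
+
+if (areValidationErrors(req, res)) return
+
+return next()
+}
+]
+
+const deleteAbuseMessageValidator = [
+param('messageId').custom(isIdValid).not().isEmpty().withMessage('Should have a valid message id'),
+
+async (req: express.Request, res: express.Response, next: express.NextFunction) => {
+logger.debug('Checking deleteAbuseMessageValidator parameters', { parameters: req.body })
+
+if (areValidationErrors(req, res)) return
+
+const user = res.locals.oauth.token.user
+const abuse = res.locals.abuse
+
+const messageId = parseInt(req.params.messageId + '', 10)
+const abuseMessage = await AbuseMessageModel.loadByIdAndAbuseId(messageId, abuse.id)
+
+if (!abuseMessage) {
+return res.status(404).json({ error: 'Abuse message not found' })
+}
+
+if (user.hasRight(UserRight.MANAGE_ABUSES) !== true && abuseMessage.accountId !== user.Account.id) {
+return res.status(403).json({ error: 'Cannot delete this abuse message' })
+}
+
+res.locals.abuseMessage = abuseMessage
+
+return next()
+}
+]
+
 // FIXME: deprecated in 2.3. Remove these validators
 
 const videoAbuseReportValidator = [
@@ -167,7 +254,7 @@ const videoAbuseReportValidator = [
 .withMessage('Should have a valid reason'),
 body('predefinedReasons')
 .optional()
-.custom(isAbusePredefinedReasonsValid)
+.custom(areAbusePredefinedReasonsValid)
 .withMessage('Should have a valid list of predefined reasons'),
 body('startAt')
 .optional()
@@ -266,10 +353,14 @@ const videoAbuseListValidator = [
 // ---------------------------------------------------------------------------
 
 export {
-abuseListValidator,
+abuseListForAdminsValidator,
 abuseReportValidator,
 abuseGetValidator,
+addAbuseMessageValidator,
 abuseUpdateValidator,
+deleteAbuseMessageValidator,
+abuseListForUserValidator,
+getAbuseValidator,
 videoAbuseReportValidator,
 videoAbuseGetValidator,
 videoAbuseUpdateValidator,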
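Review bot: deleteAbuseMessageValidator dereferences `res.locals.abuse` (new lines 225–228) without checking that it was set, so it only behaves correctly when getAbuseValidator has already run in the same route chain; if a route ever wires it without that predecessor, `abuse.id` throws and the request ends in a 500 rather than the intended 404/403. The route wiring is outside this diff, so the dependency should at least be stated, e.g. `// Requires getAbuseValidator (or another middleware that sets res.locals.abuse) earlier in the chain` above the handler; the same applies to addAbuseMessageValidator, which validates only `body('message')` and relies on an earlier middleware for the existence and access checks on the abuse being replied to. Separately, the debug lines in getAbuseValidator (new line 185) and deleteAbuseMessageValidator (line 220) log `req.body` although the values under validation are in `req.params`, and abuseListForUserValidator (line 173) logs `req.body` for query parameters, so the log never shows the rejected input; `logger.debug('Checking deleteAbuseMessageValidator parameters', { parameters: req.params })` and `{ parameters: req.query }` respectively would. Note also that in getAbuseValidator a non-reporter gets 404 for an unknown id (from doesAbuseExist) and 403 for an existing one, which presumably lets a caller distinguish existing abuse ids from unused ones; whether that matters depends on the id space and is outside this diff.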