8 files changed, 107 insertions, 87 deletions
diff --git a/server/controllers/activitypub/client.ts b/server/controllers/activitypub/client.ts
index c4e3cec6b..4e6bd5e25 100644
--- a/server/controllers/activitypub/client.ts
+++ b/server/controllers/activitypub/client.ts
@@ -20,7 +20,8 @@ import {
  asyncMiddleware,
  executeIfActivityPub,
  localAccountValidator,
-  localVideoChannelValidator,
+  videoChannelsNameWithHostValidator,
+  ensureIsLocalChannel,
  videosCustomGetValidator,
  videosShareValidator
 } from '../../middlewares'
@@ -123,24 +124,28 @@ activityPubClientRouter.get('/videos/watch/:videoId/comments/:commentId/activity
 )
 activityPubClientRouter.get(
-  [ '/video-channels/:name', '/video-channels/:name/videos', '/c/:name', '/c/:name/videos' ],
+  [ '/video-channels/:nameWithHost', '/video-channels/:nameWithHost/videos', '/c/:nameWithHost', '/c/:nameWithHost/videos' ],
  executeIfActivityPub,
-  asyncMiddleware(localVideoChannelValidator),
+  asyncMiddleware(videoChannelsNameWithHostValidator),
+  ensureIsLocalChannel,
  videoChannelController
 )
-activityPubClientRouter.get('/video-channels/:name/followers',
+activityPubClientRouter.get('/video-channels/:nameWithHost/followers',
  executeIfActivityPub,
-  asyncMiddleware(localVideoChannelValidator),
+  asyncMiddleware(videoChannelsNameWithHostValidator),
+  ensureIsLocalChannel,
  asyncMiddleware(videoChannelFollowersController)
 )
-activityPubClientRouter.get('/video-channels/:name/following',
+activityPubClientRouter.get('/video-channels/:nameWithHost/following',
  executeIfActivityPub,
-  asyncMiddleware(localVideoChannelValidator),
+  asyncMiddleware(videoChannelsNameWithHostValidator),
+  ensureIsLocalChannel,
  asyncMiddleware(videoChannelFollowingController)
 )
-activityPubClientRouter.get('/video-channels/:name/playlists',
+activityPubClientRouter.get('/video-channels/:nameWithHost/playlists',
  executeIfActivityPub,
-  asyncMiddleware(localVideoChannelValidator),
+  asyncMiddleware(videoChannelsNameWithHostValidator),
+  ensureIsLocalChannel,
  asyncMiddleware(videoChannelPlaylistsController)
 )
diff --git a/server/controllers/activitypub/inbox.ts b/server/controllers/activitypub/inbox.ts
index ece4edff0..5995b8f3a 100644
--- a/server/controllers/activitypub/inbox.ts
+++ b/server/controllers/activitypub/inbox.ts
@@ -4,7 +4,14 @@ import { Activity, ActivityPubCollection, ActivityPubOrderedCollection, RootActi
 import { HttpStatusCode } from '../../../shared/models/http/http-error-codes'
 import { isActivityValid } from '../../helpers/custom-validators/activitypub/activity'
 import { logger } from '../../helpers/logger'
-import { asyncMiddleware, checkSignature, localAccountValidator, localVideoChannelValidator, signatureValidator } from '../../middlewares'
+import {
+  asyncMiddleware,
+  checkSignature,
+  ensureIsLocalChannel,
+  localAccountValidator,
+  signatureValidator,
+  videoChannelsNameWithHostValidator
+} from '../../middlewares'
 import { activityPubValidator } from '../../middlewares/validators/activitypub/activity'
 const inboxRouter = express.Router()
@@ -23,10 +30,11 @@ inboxRouter.post('/accounts/:name/inbox',
  asyncMiddleware(activityPubValidator),
  inboxController
 )
-inboxRouter.post('/video-channels/:name/inbox',
+inboxRouter.post('/video-channels/:nameWithHost/inbox',
  signatureValidator,
  asyncMiddleware(checkSignature),
-  asyncMiddleware(localVideoChannelValidator),
+  asyncMiddleware(videoChannelsNameWithHostValidator),
+  ensureIsLocalChannel,
  asyncMiddleware(activityPubValidator),
  inboxController
 )
diff --git a/server/controllers/activitypub/outbox.ts b/server/controllers/activitypub/outbox.ts
index bdf9d138b..cdef8e969 100644
--- a/server/controllers/activitypub/outbox.ts
+++ b/server/controllers/activitypub/outbox.ts
@@ -1,15 +1,15 @@
 import express from 'express'
+import { MActorLight } from '@server/types/models'
 import { Activity } from '../../../shared/models/activitypub/activity'
 import { VideoPrivacy } from '../../../shared/models/videos'
 import { activityPubCollectionPagination, activityPubContextify } from '../../helpers/activitypub'
 import { logger } from '../../helpers/logger'
-import { buildAnnounceActivity, buildCreateActivity } from '../../lib/activitypub/send'
 import { buildAudience } from '../../lib/activitypub/audience'
-import { asyncMiddleware, localAccountValidator, localVideoChannelValidator } from '../../middlewares'
+import { buildAnnounceActivity, buildCreateActivity } from '../../lib/activitypub/send'
+import { asyncMiddleware, ensureIsLocalChannel, localAccountValidator, videoChannelsNameWithHostValidator } from '../../middlewares'
+import { apPaginationValidator } from '../../middlewares/validators/activitypub'
 import { VideoModel } from '../../models/video/video'
 import { activityPubResponse } from './utils'
-import { MActorLight } from '@server/types/models'
-import { apPaginationValidator } from '../../middlewares/validators/activitypub'
 const outboxRouter = express.Router()
@@ -19,9 +19,10 @@ outboxRouter.get('/accounts/:name/outbox',
  asyncMiddleware(outboxController)
 )
-outboxRouter.get('/video-channels/:name/outbox',
+outboxRouter.get('/video-channels/:nameWithHost/outbox',
  apPaginationValidator,
-  localVideoChannelValidator,
+  asyncMiddleware(videoChannelsNameWithHostValidator),
+  ensureIsLocalChannel,
  asyncMiddleware(outboxController)
 )
diff --git a/server/controllers/api/video-channel.ts b/server/controllers/api/video-channel.ts
index d1a1e6473..abb777e08 100644
--- a/server/controllers/api/video-channel.ts
+++ b/server/controllers/api/video-channel.ts
@@ -24,6 +24,7 @@ import {
  asyncRetryTransactionMiddleware,
  authenticate,
  commonVideosFiltersValidator,
+  ensureCanManageChannel,
  optionalAuthenticate,
  paginationValidator,
  setDefaultPagination,
@@ -36,7 +37,7 @@ import {
  videoPlaylistsSortValidator
 } from '../../middlewares'
 import {
-  ensureAuthUserOwnsChannelValidator,
+  ensureIsLocalChannel,
  videoChannelsFollowersSortValidator,
  videoChannelsListValidator,
  videoChannelsNameWithHostValidator,
@@ -74,7 +75,8 @@ videoChannelRouter.post('/:nameWithHost/avatar/pick',
  authenticate,
  reqAvatarFile,
  asyncMiddleware(videoChannelsNameWithHostValidator),
-  ensureAuthUserOwnsChannelValidator,
+  ensureIsLocalChannel,
+  ensureCanManageChannel,
  updateAvatarValidator,
  asyncMiddleware(updateVideoChannelAvatar)
 )
@@ -83,7 +85,8 @@ videoChannelRouter.post('/:nameWithHost/banner/pick',
  authenticate,
  reqBannerFile,
  asyncMiddleware(videoChannelsNameWithHostValidator),
-  ensureAuthUserOwnsChannelValidator,
+  ensureIsLocalChannel,
+  ensureCanManageChannel,
  updateBannerValidator,
  asyncMiddleware(updateVideoChannelBanner)
 )
@@ -91,27 +94,33 @@ videoChannelRouter.post('/:nameWithHost/banner/pick',
 videoChannelRouter.delete('/:nameWithHost/avatar',
  authenticate,
  asyncMiddleware(videoChannelsNameWithHostValidator),
-  ensureAuthUserOwnsChannelValidator,
+  ensureIsLocalChannel,
+  ensureCanManageChannel,
  asyncMiddleware(deleteVideoChannelAvatar)
 )
 videoChannelRouter.delete('/:nameWithHost/banner',
  authenticate,
  asyncMiddleware(videoChannelsNameWithHostValidator),
-  ensureAuthUserOwnsChannelValidator,
+  ensureIsLocalChannel,
+  ensureCanManageChannel,
  asyncMiddleware(deleteVideoChannelBanner)
 )
 videoChannelRouter.put('/:nameWithHost',
  authenticate,
  asyncMiddleware(videoChannelsNameWithHostValidator),
-  ensureAuthUserOwnsChannelValidator,
+  ensureIsLocalChannel,
+  ensureCanManageChannel,
  videoChannelsUpdateValidator,
  asyncRetryTransactionMiddleware(updateVideoChannel)
 )
 videoChannelRouter.delete('/:nameWithHost',
  authenticate,
+  asyncMiddleware(videoChannelsNameWithHostValidator),
+  ensureIsLocalChannel,
+  ensureCanManageChannel,
  asyncMiddleware(videoChannelsRemoveValidator),
  asyncRetryTransactionMiddleware(removeVideoChannel)
 )
@@ -145,7 +154,7 @@ videoChannelRouter.get('/:nameWithHost/videos',
 videoChannelRouter.get('/:nameWithHost/followers',
  authenticate,
  asyncMiddleware(videoChannelsNameWithHostValidator),
-  ensureAuthUserOwnsChannelValidator,
+  ensureCanManageChannel,
  paginationValidator,
  videoChannelsFollowersSortValidator,
  setDefaultSort,
diff --git a/server/middlewares/validators/shared/video-channels.ts b/server/middlewares/validators/shared/video-channels.ts
index 7c0c89267..bed9f5dbe 100644
--- a/server/middlewares/validators/shared/video-channels.ts
+++ b/server/middlewares/validators/shared/video-channels.ts
@@ -3,12 +3,6 @@ import { VideoChannelModel } from '@server/models/video/video-channel'
 import { MChannelBannerAccountDefault } from '@server/types/models'
 import { HttpStatusCode } from '@shared/models'
-async function doesLocalVideoChannelNameExist (name: string, res: express.Response) {
-  const videoChannel = await VideoChannelModel.loadLocalByNameAndPopulateAccount(name)
-  return processVideoChannelExist(videoChannel, res)
-}
 async function doesVideoChannelIdExist (id: number, res: express.Response) {
  const videoChannel = await VideoChannelModel.loadAndPopulateAccount(+id)
@@ -24,7 +18,6 @@ async function doesVideoChannelNameWithHostExist (nameWithDomain: string, res: e
 // ---------------------------------------------------------------------------
 export {
-  doesLocalVideoChannelNameExist,
  doesVideoChannelIdExist,
  doesVideoChannelNameWithHostExist
 }
diff --git a/server/middlewares/validators/users.ts b/server/middlewares/validators/users.ts
index 33b31d54b..7a6b2ce57 100644
--- a/server/middlewares/validators/users.ts
+++ b/server/middlewares/validators/users.ts
@@ -3,7 +3,7 @@ import { body, param, query } from 'express-validator'
 import { omit } from 'lodash'
 import { Hooks } from '@server/lib/plugins/hooks'
 import { MUserDefault } from '@server/types/models'
-import { HttpStatusCode, UserRegister, UserRole } from '@shared/models'
+import { HttpStatusCode, UserRegister, UserRight, UserRole } from '@shared/models'
 import { isBooleanValid, isIdValid, toBooleanOrNull, toIntOrNull } from '../../helpers/custom-validators/misc'
 import { isThemeNameValid } from '../../helpers/custom-validators/plugins'
 import {
@@ -490,14 +490,17 @@ const ensureAuthUserOwnsAccountValidator = [
  }
 ]
-const ensureAuthUserOwnsChannelValidator = [
+const ensureCanManageChannel = [
  (req: express.Request, res: express.Response, next: express.NextFunction) => {
-    const user = res.locals.oauth.token.User
+    const user = res.locals.oauth.token.user
+    const isUserOwner = res.locals.videoChannel.Account.userId === user.id
+    if (!isUserOwner && user.hasRight(UserRight.MANAGE_ANY_VIDEO_CHANNEL) === false) {
+      const message = `User ${user.username} does not have right to manage channel ${req.params.nameWithHost}.`
-    if (res.locals.videoChannel.Account.userId !== user.id) {
      return res.fail({
        status: HttpStatusCode.FORBIDDEN_403,
-        message: 'Only owner of this video channel can access this ressource'
+        message
      })
    }
@@ -542,8 +545,8 @@ export {
  usersVerifyEmailValidator,
  userAutocompleteValidator,
  ensureAuthUserOwnsAccountValidator,
-  ensureAuthUserOwnsChannelValidator,
+  ensureCanManageUser,
-  ensureCanManageUser
+  ensureCanManageChannel
 }
 // ---------------------------------------------------------------------------
diff --git a/server/middlewares/validators/videos/video-channels.ts b/server/middlewares/validators/videos/video-channels.ts
index edce48c7f..3bfdebbb1 100644
--- a/server/middlewares/validators/videos/video-channels.ts
+++ b/server/middlewares/validators/videos/video-channels.ts
@@ -1,7 +1,7 @@
 import express from 'express'
 import { body, param, query } from 'express-validator'
-import { MChannelAccountDefault, MUser } from '@server/types/models'
+import { CONFIG } from '@server/initializers/config'
-import { UserRight } from '../../../../shared'
+import { MChannelAccountDefault } from '@server/types/models'
 import { HttpStatusCode } from '../../../../shared/models/http/http-error-codes'
 import { isBooleanValid, toBooleanOrNull } from '../../../helpers/custom-validators/misc'
 import {
@@ -13,8 +13,7 @@ import {
 import { logger } from '../../../helpers/logger'
 import { ActorModel } from '../../../models/actor/actor'
 import { VideoChannelModel } from '../../../models/video/video-channel'
-import { areValidationErrors, doesLocalVideoChannelNameExist, doesVideoChannelNameWithHostExist } from '../shared'
+import { areValidationErrors, doesVideoChannelNameWithHostExist } from '../shared'
-import { CONFIG } from '@server/initializers/config'
 const videoChannelsAddValidator = [
  body('name').custom(isVideoChannelUsernameValid).withMessage('Should have a valid channel name'),
@@ -71,16 +70,10 @@ const videoChannelsUpdateValidator = [
 ]
 const videoChannelsRemoveValidator = [
-  param('nameWithHost').exists().withMessage('Should have an video channel name with host'),
  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking videoChannelsRemove parameters', { parameters: req.params })
-    if (areValidationErrors(req, res)) return
+    if (!await checkVideoChannelIsNotTheLastOne(res.locals.videoChannel, res)) return
-    if (!await doesVideoChannelNameWithHostExist(req.params.nameWithHost, res)) return
-    if (!checkUserCanDeleteVideoChannel(res.locals.oauth.token.User, res.locals.videoChannel, res)) return
-    if (!await checkVideoChannelIsNotTheLastOne(res)) return
    return next()
  }
@@ -100,14 +93,14 @@ const videoChannelsNameWithHostValidator = [
  }
 ]
-const localVideoChannelValidator = [
+const ensureIsLocalChannel = [
-  param('name').custom(isVideoChannelDisplayNameValid).withMessage('Should have a valid video channel name'),
+  (req: express.Request, res: express.Response, next: express.NextFunction) => {
+    if (res.locals.videoChannel.Actor.isOwned() === false) {
-  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
+      return res.fail({
-    logger.debug('Checking localVideoChannelValidator parameters', { parameters: req.params })
+        status: HttpStatusCode.FORBIDDEN_403,
+        message: 'This channel is not owned.'
-    if (areValidationErrors(req, res)) return
+      })
-    if (!await doesLocalVideoChannelNameExist(req.params.name, res)) return
+    }
    return next()
  }
@@ -144,38 +137,15 @@ export {
  videoChannelsUpdateValidator,
  videoChannelsRemoveValidator,
  videoChannelsNameWithHostValidator,
+  ensureIsLocalChannel,
  videoChannelsListValidator,
-  localVideoChannelValidator,
  videoChannelStatsValidator
 }
 // ---------------------------------------------------------------------------
-function checkUserCanDeleteVideoChannel (user: MUser, videoChannel: MChannelAccountDefault, res: express.Response) {
+async function checkVideoChannelIsNotTheLastOne (videoChannel: MChannelAccountDefault, res: express.Response) {
-  if (videoChannel.Actor.isOwned() === false) {
+  const count = await VideoChannelModel.countByAccount(videoChannel.Account.id)
-    res.fail({
-      status: HttpStatusCode.FORBIDDEN_403,
-      message: 'Cannot remove video channel of another server.'
-    })
-    return false
-  }
-  // Check if the user can delete the video channel
-  // The user can delete it if s/he is an admin
-  // Or if s/he is the video channel's account
-  if (user.hasRight(UserRight.REMOVE_ANY_VIDEO_CHANNEL) === false && videoChannel.Account.userId !== user.id) {
-    res.fail({
-      status: HttpStatusCode.FORBIDDEN_403,
-      message: 'Cannot remove video channel of another user'
-    })
-    return false
-  }
-  return true
-}
-async function checkVideoChannelIsNotTheLastOne (res: express.Response) {
-  const count = await VideoChannelModel.countByAccount(res.locals.oauth.token.User.Account.id)
  if (count <= 1) {
    res.fail({
diff --git a/server/tests/api/videos/video-channels.ts b/server/tests/api/videos/video-channels.ts
index c25754eb6..6ab5faa07 100644
--- a/server/tests/api/videos/video-channels.ts
+++ b/server/tests/api/videos/video-channels.ts
@@ -33,6 +33,7 @@ describe('Test video channels', function () {
  let totoChannel: number
  let videoUUID: string
  let accountName: string
+  let secondUserChannelName: string
  const avatarPaths: { [ port: number ]: string } = {}
  const bannerPaths: { [ port: number ]: string } = {}
@@ -219,6 +220,35 @@ describe('Test video channels', function () {
    }
  })
+  it('Should update another accounts video channel', async function () {
+    this.timeout(15000)
+    const result = await servers[0].users.generate('second_user')
+    secondUserChannelName = result.userChannelName
+    await servers[0].videos.quickUpload({ name: 'video', token: result.token })
+    const videoChannelAttributes = {
+      displayName: 'video channel updated',
+      description: 'video channel description updated',
+      support: 'support updated'
+    }
+    await servers[0].channels.update({ channelName: secondUserChannelName, attributes: videoChannelAttributes })
+    await waitJobs(servers)
+  })
+  it('Should have another accounts video channel updated', async function () {
+    for (const server of servers) {
+      const body = await server.channels.get({ channelName: `${secondUserChannelName}@${servers[0].host}` })
+      expect(body.displayName).to.equal('video channel updated')
+      expect(body.description).to.equal('video channel description updated')
+      expect(body.support).to.equal('support updated')
+    }
+  })
  it('Should update the channel support field and update videos too', async function () {
    this.timeout(35000)
@@ -368,12 +398,13 @@ describe('Test video channels', function () {
  })
  it('Should have video channel deleted', async function () {
-    const body = await servers[0].channels.list({ start: 0, count: 10 })
+    const body = await servers[0].channels.list({ start: 0, count: 10, sort: 'createdAt' })
-    expect(body.total).to.equal(1)
+    expect(body.total).to.equal(2)
    expect(body.data).to.be.an('array')
-    expect(body.data).to.have.lengthOf(1)
+    expect(body.data).to.have.lengthOf(2)
    expect(body.data[0].displayName).to.equal('Main root channel')
+    expect(body.data[1].displayName).to.equal('video channel updated')
  })
  it('Should create the main channel with an uuid if there is a conflict', async function () {