From feb4bdfd9b46e87aadfa7c0d5338cde887d1f58c Mon Sep 17 00:00:00 2001 From: Chocobozzz Date: Sun, 11 Dec 2016 21:50:51 +0100 Subject: First version with PostgreSQL --- server/middlewares/validators/users.js | 13 +++++-------- server/middlewares/validators/videos.js | 17 +++++++---------- 2 files changed, 12 insertions(+), 18 deletions(-) (limited to 'server/middlewares/validators') diff --git a/server/middlewares/validators/users.js b/server/middlewares/validators/users.js index 02e4f34cb..0629550bc 100644 --- a/server/middlewares/validators/users.js +++ b/server/middlewares/validators/users.js @@ -1,12 +1,9 @@ 'use strict' -const mongoose = require('mongoose') - const checkErrors = require('./utils').checkErrors +const db = require('../../initializers/database') const logger = require('../../helpers/logger') -const User = mongoose.model('User') - const validatorsUsers = { usersAdd, usersRemove, @@ -20,7 +17,7 @@ function usersAdd (req, res, next) { logger.debug('Checking usersAdd parameters', { parameters: req.body }) checkErrors(req, res, function () { - User.loadByUsername(req.body.username, function (err, user) { + db.User.loadByUsername(req.body.username, function (err, user) { if (err) { logger.error('Error in usersAdd request validator.', { error: err }) return res.sendStatus(500) @@ -34,12 +31,12 @@ function usersAdd (req, res, next) { } function usersRemove (req, res, next) { - req.checkParams('id', 'Should have a valid id').notEmpty().isMongoId() + req.checkParams('id', 'Should have a valid id').notEmpty().isInt() logger.debug('Checking usersRemove parameters', { parameters: req.params }) checkErrors(req, res, function () { - User.loadById(req.params.id, function (err, user) { + db.User.loadById(req.params.id, function (err, user) { if (err) { logger.error('Error in usersRemove request validator.', { error: err }) return res.sendStatus(500) 
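Review bot: In the `usersAdd` hunk (`@@ -20,7 +17,7 @@`) the context line `logger.debug('Checking usersAdd parameters', { parameters: req.body })` writes the whole request body to the log, and for a user-creation request that body presumably includes the new account's password in clear text. Logging only the non-secret fields keeps the trace useful without putting credentials in log files, e.g. `logger.debug('Checking usersAdd parameters', { parameters: { username: req.body.username } })`. The body validation for `usersAdd` lies outside the hunk, so the exact set of fields should be confirmed there.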
@@ -55,7 +52,7 @@ function usersRemove (req, res, next) { } function usersUpdate (req, res, next) { - req.checkParams('id', 'Should have a valid id').notEmpty().isMongoId() + req.checkParams('id', 'Should have a valid id').notEmpty().isInt() // Add old password verification req.checkBody('password', 'Should have a valid password').isUserPasswordValid() diff --git a/server/middlewares/validators/videos.js b/server/middlewares/validators/videos.js index 76e943e77..7e90ca047 100644 --- a/server/middlewares/validators/videos.js +++ b/server/middlewares/validators/videos.js @@ -1,14 +1,11 @@ 'use strict' -const mongoose = require('mongoose') - const checkErrors = require('./utils').checkErrors const constants = require('../../initializers/constants') const customVideosValidators = require('../../helpers/custom-validators').videos +const db = require('../../initializers/database') const logger = require('../../helpers/logger') -const Video = mongoose.model('Video') - const validatorsVideos = { videosAdd, videosGet, @@ -29,7 +26,7 @@ function videosAdd (req, res, next) { checkErrors(req, res, function () { const videoFile = req.files.videofile[0] - Video.getDurationFromFile(videoFile.path, function (err, duration) { + db.Video.getDurationFromFile(videoFile.path, function (err, duration) { if (err) { return res.status(400).send('Cannot retrieve metadata of the file.') } @@ -45,12 +42,12 @@ function videosAdd (req, res, next) { } function videosGet (req, res, next) { - req.checkParams('id', 'Should have a valid id').notEmpty().isMongoId() + req.checkParams('id', 'Should have a valid id').notEmpty().isUUID(4) logger.debug('Checking videosGet parameters', { parameters: req.params }) checkErrors(req, res, function () { - Video.load(req.params.id, function (err, video) { + db.Video.load(req.params.id, function (err, video) { if (err) { logger.error('Error in videosGet request validator.', { error: err }) return res.sendStatus(500) 
@@ -64,12 +61,12 @@ function videosGet (req, res, next) { } function videosRemove (req, res, next) { - req.checkParams('id', 'Should have a valid id').notEmpty().isMongoId() + req.checkParams('id', 'Should have a valid id').notEmpty().isUUID(4) logger.debug('Checking videosRemove parameters', { parameters: req.params }) checkErrors(req, res, function () { - Video.load(req.params.id, function (err, video) { + db.Video.loadAndPopulateAuthor(req.params.id, function (err, video) { if (err) { logger.error('Error in videosRemove request validator.', { error: err }) return res.sendStatus(500) @@ -77,7 +74,7 @@ function videosRemove (req, res, next) { if (!video) return res.status(404).send('Video not found') else if (video.isOwned() === false) return res.status(403).send('Cannot remove video of another pod') - else if (video.author !== res.locals.oauth.token.user.username) return res.status(403).send('Cannot remove video of another user') + else if (video.Author.name !== res.locals.oauth.token.user.username) return res.status(403).send('Cannot remove video of another user') next() }) -- cgit v1.2.3 From 7b1f49de22c40ae121ddb3c399b2540ba56fd414 Mon Sep 17 00:00:00 2001 From: Chocobozzz Date: Thu, 29 Dec 2016 19:07:05 +0100 Subject: Server: add ability to update a video --- server/middlewares/validators/videos.js | 41 +++++++++++++++++++++++++-------- 1 file changed, 31 insertions(+), 10 deletions(-) (limited to 'server/middlewares/validators') diff --git a/server/middlewares/validators/videos.js b/server/middlewares/validators/videos.js index 7e90ca047..09a188c76 100644 --- a/server/middlewares/validators/videos.js +++ b/server/middlewares/validators/videos.js @@ -8,6 +8,7 @@ const logger = require('../../helpers/logger') const validatorsVideos = { videosAdd, + videosUpdate, videosGet, videosRemove, videosSearch 
@@ -41,22 +42,26 @@ function videosAdd (req, res, next) { }) } -function videosGet (req, res, next) { +function videosUpdate (req, res, next) { req.checkParams('id', 'Should have a valid id').notEmpty().isUUID(4) + req.checkBody('name', 'Should have a valid name').optional().isVideoNameValid() + req.checkBody('description', 'Should have a valid description').optional().isVideoDescriptionValid() + req.checkBody('tags', 'Should have correct tags').optional().isVideoTagsValid() - logger.debug('Checking videosGet parameters', { parameters: req.params }) + logger.debug('Checking videosUpdate parameters', { parameters: req.body }) checkErrors(req, res, function () { - db.Video.load(req.params.id, function (err, video) { - if (err) { - logger.error('Error in videosGet request validator.', { error: err }) - return res.sendStatus(500) - } + checkVideoExists(req.params.id, res, next) + }) +} - if (!video) return res.status(404).send('Video not found') +function videosGet (req, res, next) { + req.checkParams('id', 'Should have a valid id').notEmpty().isUUID(4) - next() - }) + logger.debug('Checking videosGet parameters', { parameters: req.params }) + + checkErrors(req, res, function () { + checkVideoExists(req.params.id, res, next) }) } @@ -94,3 +99,19 @@ function videosSearch (req, res, next) { // --------------------------------------------------------------------------- module.exports = validatorsVideos + +// --------------------------------------------------------------------------- + +function checkVideoExists (id, res, callback) { + db.Video.loadAndPopulateAuthorAndPodAndTags(id, function (err, video) { + if (err) { + logger.error('Error in video request validator.', { error: err }) + return res.sendStatus(500) + } + + if (!video) return res.status(404).send('Video not found') + + res.locals.video = video + callback() + }) +} -- cgit v1.2.3 From 818f7987eba27c59793e2103168b26129c9404f2 Mon Sep 17 00:00:00 2001 
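Review bot: The new `videosUpdate` validator checks the id and the optional body fields and then only calls `checkVideoExists`, so at validator level any request carrying a valid token passes for any existing video. `videosRemove` in the same file refuses videos of another pod or another user before it calls `next()`. Unless the update controller enforces ownership itself (not visible here), the same two 403 checks belong in this validator, inside the `checkVideoExists` callback so that `res.locals.video` is already set when they run. The author test below is written the way `videosRemove` writes it at this commit.

```javascript
function videosUpdate (req, res, next) {
  // … unchanged: checkParams / checkBody declarations and logger.debug …

  checkErrors(req, res, function () {
    checkVideoExists(req.params.id, res, function () {
      const video = res.locals.video

      if (video.isOwned() === false) {
        return res.status(403).send('Cannot update video of another pod')
      }

      if (video.Author.name !== res.locals.oauth.token.user.username) {
        return res.status(403).send('Cannot update video of another user')
      }

      next()
    })
  })
}
```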
From: Chocobozzz Date: Fri, 30 Dec 2016 11:51:08 +0100 Subject: Server: optimization for videoGet and videoRemove --- server/middlewares/validators/videos.js | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) (limited to 'server/middlewares/validators') diff --git a/server/middlewares/validators/videos.js b/server/middlewares/validators/videos.js index 09a188c76..1b6dbccf0 100644 --- a/server/middlewares/validators/videos.js +++ b/server/middlewares/validators/videos.js @@ -71,15 +71,16 @@ function videosRemove (req, res, next) { logger.debug('Checking videosRemove parameters', { parameters: req.params }) checkErrors(req, res, function () { - db.Video.loadAndPopulateAuthor(req.params.id, function (err, video) { - if (err) { - logger.error('Error in videosRemove request validator.', { error: err }) - return res.sendStatus(500) + checkVideoExists(req.params.id, res, function () { + // We need to make additional checks + + if (res.locals.video.isOwned() === false) { + return res.status(403).send('Cannot remove video of another pod') } - if (!video) return res.status(404).send('Video not found') - else if (video.isOwned() === false) return res.status(403).send('Cannot remove video of another pod') - else if (video.Author.name !== res.locals.oauth.token.user.username) return res.status(403).send('Cannot remove video of another user') + if (res.locals.video.authorId !== res.locals.oauth.token.User.id) { + return res.status(403).send('Cannot remove video of another user') + } next() }) -- cgit v1.2.3 From 8fd66b75bfbd8fd4945f1944411461b05eb74795 Mon Sep 17 00:00:00 2001 From: Chocobozzz Date: Fri, 30 Dec 2016 12:39:49 +0100 Subject: Server: fix video remoe validation --- server/middlewares/validators/videos.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'server/middlewares/validators') diff --git a/server/middlewares/validators/videos.js b/server/middlewares/validators/videos.js index 1b6dbccf0..295ed05fa 100644 
--- a/server/middlewares/validators/videos.js +++ b/server/middlewares/validators/videos.js @@ -78,7 +78,7 @@ function videosRemove (req, res, next) { return res.status(403).send('Cannot remove video of another pod') } - if (res.locals.video.authorId !== res.locals.oauth.token.User.id) { + if (res.locals.video.Author.userId !== res.locals.oauth.token.User.id) { return res.status(403).send('Cannot remove video of another user') } -- cgit v1.2.3 From 55fa55a9be566cca2ba95322f2ae23b434aed62a Mon Sep 17 00:00:00 2001 From: Chocobozzz Date: Wed, 4 Jan 2017 20:59:23 +0100 Subject: Server: add video abuse support --- server/middlewares/validators/remote.js | 30 ----------------------- server/middlewares/validators/remote/index.js | 13 ++++++++++ server/middlewares/validators/remote/signature.js | 21 ++++++++++++++++ server/middlewares/validators/remote/videos.js | 20 +++++++++++++++ server/middlewares/validators/sort.js | 23 +++++++++++------ server/middlewares/validators/videos.js | 15 +++++++++++- 6 files changed, 84 insertions(+), 38 deletions(-) delete mode 100644 server/middlewares/validators/remote.js create mode 100644 server/middlewares/validators/remote/index.js create mode 100644 server/middlewares/validators/remote/signature.js create mode 100644 server/middlewares/validators/remote/videos.js (limited to 'server/middlewares/validators') diff --git a/server/middlewares/validators/remote.js b/server/middlewares/validators/remote.js deleted file mode 100644 index 858d193cc..000000000 --- a/server/middlewares/validators/remote.js +++ /dev/null 
@@ -1,30 +0,0 @@ -'use strict' - -const checkErrors = require('./utils').checkErrors -const logger = require('../../helpers/logger') - -const validatorsRemote = { - remoteVideos, - signature -} - -function remoteVideos (req, res, next) { - req.checkBody('data').isEachRemoteVideosValid() - - logger.debug('Checking remoteVideos parameters', { parameters: req.body }) - - checkErrors(req, res, next) -} - -function signature (req, res, next) { - req.checkBody('signature.host', 'Should have a signature host').isURL() - req.checkBody('signature.signature', 'Should have a signature').notEmpty() - - logger.debug('Checking signature parameters', { parameters: { signatureHost: req.body.signature.host } }) - - checkErrors(req, res, next) -} - -// --------------------------------------------------------------------------- - -module.exports = validatorsRemote diff --git a/server/middlewares/validators/remote/index.js b/server/middlewares/validators/remote/index.js new file mode 100644 index 000000000..022a2fe50 --- /dev/null +++ b/server/middlewares/validators/remote/index.js @@ -0,0 +1,13 @@ +'use strict' + +const remoteSignatureValidators = require('./signature') +const remoteVideosValidators = require('./videos') + +const validators = { + signature: remoteSignatureValidators, + videos: remoteVideosValidators +} + +// --------------------------------------------------------------------------- + +module.exports = validators diff --git a/server/middlewares/validators/remote/signature.js b/server/middlewares/validators/remote/signature.js new file mode 100644 index 000000000..5880a2c2c --- /dev/null +++ b/server/middlewares/validators/remote/signature.js 
@@ -0,0 +1,21 @@ +'use strict' + +const checkErrors = require('../utils').checkErrors +const logger = require('../../../helpers/logger') + +const validatorsRemoteSignature = { + signature +} + +function signature (req, res, next) { + req.checkBody('signature.host', 'Should have a signature host').isURL() + req.checkBody('signature.signature', 'Should have a signature').notEmpty() + + logger.debug('Checking signature parameters', { parameters: { signatureHost: req.body.signature.host } }) + + checkErrors(req, res, next) +} + +// --------------------------------------------------------------------------- + +module.exports = validatorsRemoteSignature diff --git a/server/middlewares/validators/remote/videos.js b/server/middlewares/validators/remote/videos.js new file mode 100644 index 000000000..cf9925b6c --- /dev/null +++ b/server/middlewares/validators/remote/videos.js @@ -0,0 +1,20 @@ +'use strict' + +const checkErrors = require('../utils').checkErrors +const logger = require('../../../helpers/logger') + +const validatorsRemoteVideos = { + remoteVideos +} + +function remoteVideos (req, res, next) { + req.checkBody('data').isEachRemoteRequestVideosValid() + + logger.debug('Checking remoteVideos parameters', { parameters: req.body }) + + checkErrors(req, res, next) +} + +// --------------------------------------------------------------------------- + +module.exports = validatorsRemoteVideos diff --git a/server/middlewares/validators/sort.js b/server/middlewares/validators/sort.js index 431d3fffd..b7eec0316 100644 --- a/server/middlewares/validators/sort.js +++ b/server/middlewares/validators/sort.js 
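Review bot: In `signature` (new file `remote/signature.js`) the debug line reads `req.body.signature.host` before `checkErrors` has had a chance to reject the request, so a body without a `signature` object throws a TypeError inside the validator instead of producing a validation error. This validator handles input sent by remote pods, so a missing field should be treated as an ordinary rejected request. Guard the access, e.g. `const signatureHost = req.body.signature ? req.body.signature.host : undefined`, and log that value. The line was carried over unchanged from the deleted `remote.js`.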
@@ -6,29 +6,38 @@ const logger = require('../../helpers/logger') const validatorsSort = { usersSort, + videoAbusesSort, videosSort } function usersSort (req, res, next) { const sortableColumns = constants.SORTABLE_COLUMNS.USERS - req.checkQuery('sort', 'Should have correct sortable column').optional().isIn(sortableColumns) + checkSort(req, res, next, sortableColumns) +} - logger.debug('Checking sort parameters', { parameters: req.query }) +function videoAbusesSort (req, res, next) { + const sortableColumns = constants.SORTABLE_COLUMNS.VIDEO_ABUSES - checkErrors(req, res, next) + checkSort(req, res, next, sortableColumns) } function videosSort (req, res, next) { const sortableColumns = constants.SORTABLE_COLUMNS.VIDEOS + checkSort(req, res, next, sortableColumns) +} + +// --------------------------------------------------------------------------- + +module.exports = validatorsSort + +// --------------------------------------------------------------------------- + +function checkSort (req, res, next, sortableColumns) { req.checkQuery('sort', 'Should have correct sortable column').optional().isIn(sortableColumns) logger.debug('Checking sort parameters', { parameters: req.query }) checkErrors(req, res, next) } - -// --------------------------------------------------------------------------- - -module.exports = validatorsSort diff --git a/server/middlewares/validators/videos.js b/server/middlewares/validators/videos.js index 295ed05fa..ff18a99c2 100644 --- a/server/middlewares/validators/videos.js +++ b/server/middlewares/validators/videos.js @@ -11,7 +11,9 @@ const validatorsVideos = { videosUpdate, videosGet, videosRemove, - videosSearch + videosSearch, + + videoAbuseReport } function videosAdd (req, res, next) { 
@@ -97,6 +99,17 @@ function videosSearch (req, res, next) { checkErrors(req, res, next) } +function videoAbuseReport (req, res, next) { + req.checkParams('id', 'Should have a valid id').notEmpty().isUUID(4) + req.checkBody('reason', 'Should have a valid reason').isVideoAbuseReasonValid() + + logger.debug('Checking videoAbuseReport parameters', { parameters: req.body }) + + checkErrors(req, res, function () { + checkVideoExists(req.params.id, res, next) + }) +} + // --------------------------------------------------------------------------- module.exports = validatorsVideos -- cgit v1.2.3 From bdfbd4f162d66c3a6bd7c312a99e0b692e830792 Mon Sep 17 00:00:00 2001 From: Chocobozzz Date: Wed, 4 Jan 2017 22:23:07 +0100 Subject: Server: use crypto instead of ursa for pod signature --- server/middlewares/validators/remote/signature.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'server/middlewares/validators') diff --git a/server/middlewares/validators/remote/signature.js b/server/middlewares/validators/remote/signature.js index 5880a2c2c..002232c05 100644 --- a/server/middlewares/validators/remote/signature.js +++ b/server/middlewares/validators/remote/signature.js @@ -11,7 +11,7 @@ function signature (req, res, next) { req.checkBody('signature.host', 'Should have a signature host').isURL() req.checkBody('signature.signature', 'Should have a signature').notEmpty() - logger.debug('Checking signature parameters', { parameters: { signatureHost: req.body.signature.host } }) + logger.debug('Checking signature parameters', { parameters: { signature: req.body.signature } }) checkErrors(req, res, next) } -- cgit v1.2.3 From 45abb8b97b8313f8f58a4a73b527882ad7b4af9c Mon Sep 17 00:00:00 2001 From: Chocobozzz Date: Wed, 11 Jan 2017 18:41:09 +0100 Subject: Server: rights check for update a video --- server/middlewares/validators/videos.js | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'server/middlewares/validators') 
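Review bot: The changed debug line in `signature` (`@@ -11,7 +11,7 @@` of `remote/signature.js`) now logs the whole `req.body.signature` object, which puts the signature value itself into the log where the previous version recorded only the host. If that value can be replayed to authenticate as the sending pod (the signing scheme is not visible in this hunk), debug logs become sensitive material. Logging just the host keeps the diagnostic value: `{ parameters: { signatureHost: req.body.signature && req.body.signature.host } }`.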
diff --git a/server/middlewares/validators/videos.js b/server/middlewares/validators/videos.js index ff18a99c2..3d7c04b60 100644 --- a/server/middlewares/validators/videos.js +++ b/server/middlewares/validators/videos.js @@ -53,6 +53,14 @@ function videosUpdate (req, res, next) { logger.debug('Checking videosUpdate parameters', { parameters: req.body }) checkErrors(req, res, function () { + if (res.locals.video.isOwned() === false) { + return res.status(403).send('Cannot update video of another pod') + } + + if (res.locals.video.Author.userId !== res.locals.oauth.token.User.id) { + return res.status(403).send('Cannot update video of another user') + } + checkVideoExists(req.params.id, res, next) }) } -- cgit v1.2.3 From 63d00f5ded0aad25eeb50111da65b6daa46bcb24 Mon Sep 17 00:00:00 2001 From: Chocobozzz Date: Wed, 11 Jan 2017 19:15:23 +0100 Subject: Server: fix update right checks --- server/middlewares/validators/videos.js | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) (limited to 'server/middlewares/validators') diff --git a/server/middlewares/validators/videos.js b/server/middlewares/validators/videos.js index 3d7c04b60..4fe6dcd8b 100644 --- a/server/middlewares/validators/videos.js +++ b/server/middlewares/validators/videos.js 
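Review bot: The two ownership checks added to `videosUpdate` read `res.locals.video` before anything has set it, because `checkVideoExists`, which is what assigns `res.locals.video`, is still called after them. Unless an earlier middleware populates that field (nothing in this file suggests one does), `res.locals.video.isOwned()` dereferences `undefined` and the request ends in an exception rather than a 403 or a pass. The checks need to run inside the callback given to `checkVideoExists`, as `videosRemove` does: `checkVideoExists(req.params.id, res, function () { /* ownership checks */ next() })`.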
@@ -53,15 +53,18 @@ function videosUpdate (req, res, next) { logger.debug('Checking videosUpdate parameters', { parameters: req.body }) checkErrors(req, res, function () { - if (res.locals.video.isOwned() === false) { - return res.status(403).send('Cannot update video of another pod') - } + checkVideoExists(req.params.id, res, function () { + // We need to make additional checks + if (res.locals.video.isOwned() === false) { + return res.status(403).send('Cannot update video of another pod') + } - if (res.locals.video.Author.userId !== res.locals.oauth.token.User.id) { - return res.status(403).send('Cannot update video of another user') - } + if (res.locals.video.Author.userId !== res.locals.oauth.token.User.id) { + return res.status(403).send('Cannot update video of another user') + } - checkVideoExists(req.params.id, res, next) + next() + }) }) } -- cgit v1.2.3
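Review bot: With this fix `videosUpdate` carries the same pod and author checks as `videosRemove`, differing only in the verb of the 403 message, and the author comparison has already changed form across the earlier commits on this page. Keeping a single copy of an authorization rule stops the two validators from drifting apart; a small helper called from both `checkVideoExists` callbacks would do it. The checks also rely on `checkVideoExists` having loaded the video together with its `Author`, which deserves a comment. The sketch shows the helper and the `videosUpdate` call site; `videosRemove` would call it with `'remove'`.

```javascript
// Answers 403 and returns false unless the video is local and belongs to the token's user.
// Relies on checkVideoExists having stored the video, with its Author, in res.locals.video.
function checkUserCanManageVideo (res, action) {
  const video = res.locals.video

  if (video.isOwned() === false) {
    res.status(403).send('Cannot ' + action + ' video of another pod')
    return false
  }

  if (video.Author.userId !== res.locals.oauth.token.User.id) {
    res.status(403).send('Cannot ' + action + ' video of another user')
    return false
  }

  return true
}

// … unchanged: videosUpdate parameter checks and logger.debug …
    checkVideoExists(req.params.id, res, function () {
      if (checkUserCanManageVideo(res, 'update') === false) return

      next()
    })
```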