From 4cb6d4578893db310297d7e118ce2fb7ecb952a3 Mon Sep 17 00:00:00 2001 From: Chocobozzz Date: Thu, 4 Jan 2018 11:19:16 +0100 Subject: Add ability to delete comments --- server/middlewares/validators/video-comments.ts | 35 ++++++++++++++++++++++++- server/middlewares/validators/videos.ts | 2 +- 2 files changed, 35 insertions(+), 2 deletions(-) (limited to 'server/middlewares') diff --git a/server/middlewares/validators/video-comments.ts b/server/middlewares/validators/video-comments.ts index ade0b7b9f..63804da30 100644 --- a/server/middlewares/validators/video-comments.ts +++ b/server/middlewares/validators/video-comments.ts @@ -1,9 +1,11 @@ import * as express from 'express' import { body, param } from 'express-validator/check' +import { UserRight } from '../../../shared' import { isIdOrUUIDValid, isIdValid } from '../../helpers/custom-validators/misc' import { isValidVideoCommentText } from '../../helpers/custom-validators/video-comments' import { isVideoExist } from '../../helpers/custom-validators/videos' import { logger } from '../../helpers/logger' +import { UserModel } from '../../models/account/user' import { VideoModel } from '../../models/video/video' import { VideoCommentModel } from '../../models/video/video-comment' import { areValidationErrors } from './utils' @@ -83,6 +85,24 @@ const videoCommentGetValidator = [ } ] +const removeVideoCommentValidator = [ + param('videoId').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid videoId'), + param('commentId').custom(isIdValid).not().isEmpty().withMessage('Should have a valid commentId'), + + async (req: express.Request, res: express.Response, next: express.NextFunction) => { + logger.debug('Checking removeVideoCommentValidator parameters.', { parameters: req.params }) + + if (areValidationErrors(req, res)) return + if (!await isVideoExist(req.params.videoId, res)) return + if (!await isVideoCommentExist(req.params.commentId, res.locals.video, res)) return + + // Check if the user who did the request is able to delete the video + if (!checkUserCanDeleteVideoComment(res.locals.oauth.token.User, res.locals.videoComment, res)) return + + return next() + } +] + // --------------------------------------------------------------------------- export { @@ -90,7 +110,8 @@ export { listVideoThreadCommentsValidator, addVideoCommentThreadValidator, addVideoCommentReplyValidator, - videoCommentGetValidator + videoCommentGetValidator, + removeVideoCommentValidator } // --------------------------------------------------------------------------- @@ -160,3 +181,15 @@ function isVideoCommentsEnabled (video: VideoModel, res: express.Response) { return true } + +function checkUserCanDeleteVideoComment (user: UserModel, videoComment: VideoCommentModel, res: express.Response) { + const account = videoComment.Account + if (user.hasRight(UserRight.REMOVE_ANY_VIDEO_COMMENT) === false && account.userId !== user.id) { + res.status(403) + .json({ error: 'Cannot remove video comment of another user' }) + .end() + return false + } + + return true +} diff --git a/server/middlewares/validators/videos.ts b/server/middlewares/validators/videos.ts index e8cb2ae03..1acb306c0 100644 --- a/server/middlewares/validators/videos.ts +++ b/server/middlewares/validators/videos.ts @@ -253,7 +253,7 @@ function checkUserCanDeleteVideo (user: UserModel, video: VideoModel, res: expre } // Check if the user can delete the video - // The user can delete it if s/he is an admin + // The user can delete it if he has the right // Or if s/he is the video's account const account = video.VideoChannel.Account if (user.hasRight(UserRight.REMOVE_ANY_VIDEO) === false && account.userId !== user.id) { -- cgit v1.2.3