From 6221f311de0eb8f2a9e7e4a77b8cb0ecbde6dfcd Mon Sep 17 00:00:00 2001
From: Chocobozzz
Date: Thu, 22 Feb 2018 09:03:45 +0100
Subject: Add ability to update another user video
---
 server/middlewares/validators/videos.ts | 20 +++++---------------
 1 file changed, 5 insertions(+), 15 deletions(-)
(limited to 'server/middlewares')
diff --git a/server/middlewares/validators/videos.ts b/server/middlewares/validators/videos.ts
index e91739f81..1dc8429c8 100644
--- a/server/middlewares/validators/videos.ts
+++ b/server/middlewares/validators/videos.ts
@@ -130,18 +130,8 @@ const videosUpdateValidator = [
 const video = res.locals.video
- // We need to make additional checks
- if (video.isOwned() === false) {
- return res.status(403)
- .json({ error: 'Cannot update video of another server' })
- .end()
- }
-
- if (video.VideoChannel.Account.userId !== res.locals.oauth.token.User.id) {
- return res.status(403)
- .json({ error: 'Cannot update video of another user' })
- .end()
- }
+ // Check if the user who did the request is able to update the video
+ if (!checkUserCanManageVideo(res.locals.oauth.token.User, res.locals.video, UserRight.UPDATE_ANY_VIDEO, res)) return
 if (video.privacy !== VideoPrivacy.PRIVATE && req.body.privacy === VideoPrivacy.PRIVATE) {
 return res.status(409)
@@ -198,7 +188,7 @@ const videosRemoveValidator = [
 if (!await isVideoExist(req.params.id, res)) return
 // Check if the user who did the request is able to delete the video
- if (!checkUserCanDeleteVideo(res.locals.oauth.token.User, res.locals.video, res)) return
+ if (!checkUserCanManageVideo(res.locals.oauth.token.User, res.locals.video, UserRight.REMOVE_ANY_VIDEO, res)) return
 return next()
 }
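Review bot: After this change videosUpdateValidator no longer guarantees that the requester owns the video, because a holder of `UserRight.UPDATE_ANY_VIDEO` passes as well. Any later step in the update path that treats `res.locals.oauth.token.User` as the owner should be re-verified; that code is outside this hunk, so this is a request to check rather than a confirmed defect. Because the right acts on other users' content, logging the acting user id and the video id whenever access is granted by the right rather than by ownership would make such updates reviewable afterwards. As a smaller point, the call can pass the local `video` declared just above instead of reading `res.locals.video` a second time.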
@@ -282,7 +272,7 @@ export {
 // ---------------------------------------------------------------------------
-function checkUserCanDeleteVideo (user: UserModel, video: VideoModel, res: express.Response) {
+function checkUserCanManageVideo (user: UserModel, video: VideoModel, right: UserRight, res: express.Response) {
 // Retrieve the user who did the request
 if (video.isOwned() === false) {
 res.status(403)
@@ -295,7 +285,7 @@ function checkUserCanDeleteVideo (user: UserModel, video: VideoModel, res: expre
 // The user can delete it if he has the right
 // Or if s/he is the video's account
 const account = video.VideoChannel.Account
- if (user.hasRight(UserRight.REMOVE_ANY_VIDEO) === false && account.userId !== user.id) {
+ if (user.hasRight(right) === false && account.userId !== user.id) {
 res.status(403)
 .json({ error: 'Cannot remove video of another user' })
 .end()
-- 
cgit v1.2.3
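Review bot: checkUserCanManageVideo is now the shared authorization gate for both the update and the remove validator, but it has no doc comment. Its first inner comment, `// Retrieve the user who did the request`, also does not describe the `isOwned()` check that follows it. A TSDoc block above the signature should say that `right` is the override right accepted as an alternative to ownership, that the function writes the 403 response itself, and that callers must stop when it returns a falsy value, as both validators do with `if (!checkUserCanManageVideo(...)) return`. The body runs past the end of this hunk, so the return statements themselves are not visible here.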
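Review bot: The 403 body `'Cannot remove video of another user'` is now also sent for denied update requests, since the function is shared through the new `right` parameter; the removed update-path check used to answer `'Cannot update video of another user'`. A neutral message such as `.json({ error: 'Cannot manage video of another user' })` fits both callers, though any client or test matching on the old strings would need updating. The comment `// The user can delete it if he has the right` has the same problem and could read `// The user can manage it if s/he has the given right`. The function starts and ends outside this hunk.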