From 6b738c7a31591a83fdcd9c78b6b1f98e543c378b Mon Sep 17 00:00:00 2001
From: Chocobozzz
Date: Wed, 25 Apr 2018 10:21:38 +0200
Subject: Video channel API routes refractor
---
 server/middlewares/validators/video-channels.ts | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
(limited to 'server/middlewares')
diff --git a/server/middlewares/validators/video-channels.ts b/server/middlewares/validators/video-channels.ts
index e3a11a41b..9e6f459cf 100644
--- a/server/middlewares/validators/video-channels.ts
+++ b/server/middlewares/validators/video-channels.ts
@@ -11,6 +11,7 @@ import { logger } from '../../helpers/logger'
 import { UserModel } from '../../models/account/user'
 import { VideoChannelModel } from '../../models/video/video-channel'
 import { areValidationErrors } from './utils'
+import { AccountModel } from '../../models/account/account'
 const listVideoAccountChannelsValidator = [
 param('accountId').custom(isIdOrUUIDValid).withMessage('Should have a valid account id'),
@@ -53,6 +54,7 @@ const videoChannelsUpdateValidator = [
 if (areValidationErrors(req, res)) return
 if (!await isAccountIdExist(req.params.accountId, res)) return
 if (!await isVideoChannelExist(req.params.id, res)) return
+ if (!checkAccountOwnsVideoChannel(res.locals.account, res.locals.videoChannel, res)) return
 // We need to make additional checks
 if (res.locals.videoChannel.Actor.isOwned() === false) {
@@ -82,6 +84,7 @@ const videoChannelsRemoveValidator = [
 if (!await isAccountIdExist(req.params.accountId, res)) return
 if (!await isVideoChannelExist(req.params.id, res)) return
+ if (!checkAccountOwnsVideoChannel(res.locals.account, res.locals.videoChannel, res)) return
 // Check if the user who did the request is able to delete the video
 if (!checkUserCanDeleteVideoChannel(res.locals.oauth.token.User, res.locals.videoChannel, res)) return
 if (!await checkVideoChannelIsNotTheLastOne(res)) return
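Review bot: The added `checkAccountOwnsVideoChannel(...)` call in `videoChannelsUpdateValidator`, and the identical one in `videoChannelsRemoveValidator`, carries no comment saying what kind of check it is. It compares the account named in the URL with the channel's owner and says nothing about whether the authenticated user may act on that account. In the remove validator the requester check is the `checkUserCanDeleteVideoChannel` line that follows; in the update validator it presumably sits in the "additional checks" that continue below the hunk. A one-line comment above both calls, such as `// URL consistency only: :accountId must be the channel's owner; requester rights are checked below`, would keep a later reader from treating this as the authorization step. Both validator bodies start and end outside the hunks.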
@@ -98,10 +101,13 @@ const videoChannelsGetValidator = [
 logger.debug('Checking videoChannelsGet parameters', { parameters: req.params })
 if (areValidationErrors(req, res)) return
+ // On some routes, accountId is optional (for example in the ActivityPub route)
 if (req.params.accountId && !await isAccountIdExist(req.params.accountId, res)) return
 if (!await isVideoChannelExist(req.params.id, res)) return
+ if (res.locals.account && !checkAccountOwnsVideoChannel(res.locals.account, res.locals.videoChannel, res)) return
+ return next()
 }
 ]
@@ -154,3 +160,15 @@ async function checkVideoChannelIsNotTheLastOne (res: express.Response) {
 return true
 }
+
+function checkAccountOwnsVideoChannel (account: AccountModel, videoChannel: VideoChannelModel, res: express.Response) {
+ if (videoChannel.Account.id !== account.id) {
+ res.status(400)
+ .json({ error: 'This account does not own this video channel' })
+ .end()
+
+ return false
+ }
+
+ return true
+}
-- 
cgit v1.2.3
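Review bot: The new guard in `videoChannelsGetValidator` tests `res.locals.account`, while the lookup two lines above it tests `req.params.accountId`, so the ownership check depends on whatever populated `res.locals.account` rather than on this route having an account in its path. If any earlier middleware on an account-less route sets that field (not visible here), the channel would be compared against an unrelated account and rejected with 400. Keying both lines on the same condition avoids that: `if (req.params.accountId && !checkAccountOwnsVideoChannel(res.locals.account, res.locals.videoChannel, res)) return`. The validator's signature is outside the hunk.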
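Review bot: `checkAccountOwnsVideoChannel` reads `videoChannel.Account.id` with no doc comment stating that the `Account` association must already be loaded. That depends on how `isVideoChannelExist` fetches the channel, which this diff does not show, and a channel loaded without it would throw inside the async validators instead of producing a response. I would add `// Expects videoChannel.Account to be loaded; sends 400 and returns false on mismatch` above the function and give it an explicit `: boolean` return type. Whether 400 is the right status for a path/owner mismatch (404 would read as "no such channel under this account") deserves a deliberate choice.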