From 954605a804da399317ca62afa2fb9244afa11ebf Mon Sep 17 00:00:00 2001
From: Chocobozzz
Date: Fri, 27 Oct 2017 16:55:03 +0200
Subject: Support roles with rights and add moderator role

---
 server/middlewares/admin.ts | 20 --------------------
 server/middlewares/index.ts | 2 +-
 server/middlewares/user-right.ts | 24 ++++++++++++++++++++++++
 server/middlewares/validators/users.ts | 5 ++++-
 server/middlewares/validators/video-channels.ts | 6 ++++--
 server/middlewares/validators/videos.ts | 3 ++-
 6 files changed, 35 insertions(+), 25 deletions(-)
 delete mode 100644 server/middlewares/admin.ts
 create mode 100644 server/middlewares/user-right.ts
(limited to 'server/middlewares')

diff --git a/server/middlewares/admin.ts b/server/middlewares/admin.ts
deleted file mode 100644
index 812397352..000000000
--- a/server/middlewares/admin.ts
+++ /dev/null
@@ -1,20 +0,0 @@
-import 'express-validator'
-import * as express from 'express'
-
-import { logger } from '../helpers'
-
-function ensureIsAdmin (req: express.Request, res: express.Response, next: express.NextFunction) {
- const user = res.locals.oauth.token.user
- if (user.isAdmin() === false) {
- logger.info('A non admin user is trying to access to an admin content.')
- return res.sendStatus(403)
- }
-
- return next()
-}
-
-// ---------------------------------------------------------------------------
-
-export {
- ensureIsAdmin
-}
diff --git a/server/middlewares/index.ts b/server/middlewares/index.ts
index 0e2c850e1..cec3e0b2a 100644
--- a/server/middlewares/index.ts
+++ b/server/middlewares/index.ts
@@ -1,5 +1,4 @@
 export * from './validators'
-export * from './admin'
 export * from './async'
 export * from './oauth'
 export * from './pagination'
@@ -7,3 +6,4 @@ export * from './pods'
 export * from './search'
 export * from './secure'
 export * from './sort'
+export * from './user-right'
diff --git a/server/middlewares/user-right.ts b/server/middlewares/user-right.ts
new file mode 100644
index 000000000..bcebe9d7f
--- /dev/null
+++ b/server/middlewares/user-right.ts
@@ -0,0 +1,24 @@
+import 'express-validator'
+import * as express from 'express'
+
+import { UserInstance } from '../models'
+import { UserRight } from '../../shared'
+import { logger } from '../helpers'
+
+function ensureUserHasRight (userRight: UserRight) {
+ return function (req: express.Request, res: express.Response, next: express.NextFunction) {
+ const user: UserInstance = res.locals.oauth.token.user
+ if (user.hasRight(userRight) === false) {
+ logger.info('User %s does not have right %s to access to %s.', user.username, UserRight[userRight], req.path)
+ return res.sendStatus(403)
+ }
+
+ return next()
+ }
+}
+
+// ---------------------------------------------------------------------------
+
+export {
+ ensureUserHasRight
+}
diff --git a/server/middlewares/validators/users.ts b/server/middlewares/validators/users.ts
index 1a33cfd8c..0b463acc0 100644
--- a/server/middlewares/validators/users.ts
+++ b/server/middlewares/validators/users.ts
@@ -13,7 +13,8 @@ import {
 isUserPasswordValid,
 isUserVideoQuotaValid,
 isUserDisplayNSFWValid,
- isIdOrUUIDValid
+ isIdOrUUIDValid,
+ isUserRoleValid
 } from '../../helpers'
 import { UserInstance, VideoInstance } from '../../models'
@@ -22,6 +23,7 @@ const usersAddValidator = [
 body('password').custom(isUserPasswordValid).withMessage('Should have a valid password'),
 body('email').isEmail().withMessage('Should have a valid email'),
 body('videoQuota').custom(isUserVideoQuotaValid).withMessage('Should have a valid user quota'),
+ body('role').custom(isUserRoleValid).withMessage('Should have a valid role'),
 (req: express.Request, res: express.Response, next: express.NextFunction) => {
 logger.debug('Checking usersAdd parameters', { parameters: req.body })
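Review bot: `ensureUserHasRight` reads `res.locals.oauth.token.user` (lowercase), while `checkUserCanDeleteVideoChannel` and `checkUserCanDeleteVideo` in this same commit read `res.locals.oauth.token.User`; if the OAuth middleware populates only one spelling, `user` is undefined here and `user.hasRight(...)` throws, so a request to a rights-protected route ends in a 500 from the TypeError instead of the intended 403. Worth aligning the property name with the other call sites and making the guard fail closed on a missing principal, e.g. `if (!user || user.hasRight(userRight) === false) {`. Since this factory replaces the deleted `ensureIsAdmin`, a short TSDoc stating the contract would help callers: `/** Middleware factory: responds 403 unless the OAuth-authenticated user holds userRight. Must be mounted after the authenticate middleware, which populates res.locals.oauth. */`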
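Review bot: The new `body('role').custom(isUserRoleValid)` line in `usersAddValidator` only checks that the value is a known role; nothing in the hunk prevents the requester from creating a user with a role higher than their own. Whether that matters depends on which right guards the route, which is outside this diff: if the new moderator role can reach user creation, a moderator could create an administrator. Consider having the handler that follows the `logger.debug` line compare `req.body.role` against `res.locals.oauth.token.User.role` and answer 403 when the new account would outrank the caller, or document in a comment above the validator that only administrators are expected to reach it. `usersAddValidator` continues outside the hunk.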
@@ -75,6 +77,7 @@ const usersUpdateValidator = [
 param('id').isInt().not().isEmpty().withMessage('Should have a valid id'),
 body('email').optional().isEmail().withMessage('Should have a valid email attribute'),
 body('videoQuota').optional().custom(isUserVideoQuotaValid).withMessage('Should have a valid user quota'),
+ body('role').optional().custom(isUserRoleValid).withMessage('Should have a valid role'),
 (req: express.Request, res: express.Response, next: express.NextFunction) => {
 logger.debug('Checking usersUpdate parameters', { parameters: req.body })
diff --git a/server/middlewares/validators/video-channels.ts b/server/middlewares/validators/video-channels.ts
index 979fbd34a..7d611728b 100644
--- a/server/middlewares/validators/video-channels.ts
+++ b/server/middlewares/validators/video-channels.ts
@@ -11,6 +11,8 @@ import {
 checkVideoChannelExists,
 checkVideoAuthorExists
 } from '../../helpers'
+import { UserInstance } from '../../models'
+import { UserRight } from '../../../shared'
 const listVideoAuthorChannelsValidator = [
 param('authorId').custom(isIdOrUUIDValid).withMessage('Should have a valid author id'),
@@ -106,7 +108,7 @@ export {
 // ---------------------------------------------------------------------------
 function checkUserCanDeleteVideoChannel (res: express.Response, callback: () => void) {
- const user = res.locals.oauth.token.User
+ const user: UserInstance = res.locals.oauth.token.User
 // Retrieve the user who did the request
 if (res.locals.videoChannel.isOwned() === false) {
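Review bot: `body('role').optional()` in `usersUpdateValidator` accepts a role change for any target `id`, including the requester's own account, and the hunk adds no check for that case; an administrator can therefore demote themselves, and if any role below admin can reach this route (not visible here) a user could promote themselves. Suggest refusing role changes on the caller's own account in the handler that follows the `logger.debug` line, e.g. `if (req.body.role !== undefined && Number(req.params.id) === res.locals.oauth.token.User.id) return res.status(403).json({ error: 'Cannot change your own role' }).end()`, and, as for user creation, rejecting a role that outranks the caller. The exact id types are not visible in this hunk, so the comparison above should be checked against the user model. `usersUpdateValidator` continues outside the hunk.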
@@ -118,7 +120,7 @@ function checkUserCanDeleteVideoChannel (res: express.Response, callback: () =>
 // Check if the user can delete the video channel
 // The user can delete it if s/he is an admin
 // Or if s/he is the video channel's author
- if (user.isAdmin() === false && res.locals.videoChannel.Author.userId !== user.id) {
+ if (user.hasRight(UserRight.REMOVE_ANY_VIDEO_CHANNEL) === false && res.locals.videoChannel.Author.userId !== user.id) {
 return res.status(403)
 .json({ error: 'Cannot remove video channel of another user' })
 .end()
diff --git a/server/middlewares/validators/videos.ts b/server/middlewares/validators/videos.ts
index a032d14ce..0c07404c5 100644
--- a/server/middlewares/validators/videos.ts
+++ b/server/middlewares/validators/videos.ts
@@ -22,6 +22,7 @@ import {
 checkVideoExists,
 isIdValid
 } from '../../helpers'
+import { UserRight } from '../../../shared'
 const videosAddValidator = [
 body('videofile').custom((value, { req }) => isVideoFile(req.files)).withMessage(
@@ -231,7 +232,7 @@ function checkUserCanDeleteVideo (userId: number, res: express.Response, callbac
 // Check if the user can delete the video
 // The user can delete it if s/he is an admin
 // Or if s/he is the video's author
- if (user.isAdmin() === false && res.locals.video.Author.userId !== res.locals.oauth.token.User.id) {
+ if (user.hasRight(UserRight.REMOVE_ANY_VIDEO) === false && res.locals.video.Author.userId !== res.locals.oauth.token.User.id) {
 return res.status(403)
 .json({ error: 'Cannot remove video of another user' })
 .end()
--
cgit v1.2.3
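Review bot: The comment directly above the changed condition in `checkUserCanDeleteVideoChannel` still says `// The user can delete it if s/he is an admin`, but the check is now `user.hasRight(UserRight.REMOVE_ANY_VIDEO_CHANNEL)`, so the comment and the code no longer agree and a reader would assume the old admin-only semantics. Suggest `// The user can delete it if s/he holds REMOVE_ANY_VIDEO_CHANNEL` so the authorization intent matches the right being checked. The surrounding function begins outside the hunk.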
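Review bot: In `checkUserCanDeleteVideo` the new condition checks the right on `user` but compares ownership against `res.locals.oauth.token.User.id`, reaching back into `res.locals` for what is presumably the same principal; if `user` is bound to `res.locals.oauth.token.User` above the hunk (the function starts outside it), the line should read `if (user.hasRight(UserRight.REMOVE_ANY_VIDEO) === false && res.locals.video.Author.userId !== user.id) {` so the two halves of the authorization check cannot drift apart. The comment above it, `// The user can delete it if s/he is an admin`, is also stale now that the check is a right rather than the admin role; suggest `// The user can delete it if s/he holds REMOVE_ANY_VIDEO`. The `userId` parameter in the signature shown in the hunk header is not used in the visible lines, which is worth confirming against the rest of the function.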