From 6200d8d91710b03a72a27e35cbe6eed1e6cc8c62 Mon Sep 17 00:00:00 2001
From: Chocobozzz
Date: Wed, 16 May 2018 11:33:11 +0200
Subject: Fix video channel update with an admin account
---
 server/controllers/api/videos/index.ts | 2 +-
 server/helpers/custom-validators/videos.ts | 21 ++++++++++++++++++---
 server/middlewares/validators/videos.ts | 8 ++++----
 server/tests/api/check-params/videos.ts | 2 +-
 4 files changed, 24 insertions(+), 9 deletions(-)
(limited to 'server')
diff --git a/server/controllers/api/videos/index.ts b/server/controllers/api/videos/index.ts
index bcf1eaee6..05fd79e67 100644
--- a/server/controllers/api/videos/index.ts
+++ b/server/controllers/api/videos/index.ts
@@ -341,7 +341,7 @@ async function updateVideo (req: express.Request, res: express.Response) {
 // Video channel update?
 if (res.locals.videoChannel && videoInstanceUpdated.channelId !== res.locals.videoChannel.id) {
- await videoInstanceUpdated.$set('VideoChannel', res.locals.videoChannel)
+ await videoInstanceUpdated.$set('VideoChannel', res.locals.videoChannel, { transaction: t })
 videoInstance.VideoChannel = res.locals.videoChannel
 if (wasPrivateVideo === false) await changeVideoChannelShare(videoInstanceUpdated, oldVideoChannel, t)
diff --git a/server/helpers/custom-validators/videos.ts b/server/helpers/custom-validators/videos.ts
index 002324fe0..0c268a684 100644
--- a/server/helpers/custom-validators/videos.ts
+++ b/server/helpers/custom-validators/videos.ts
@@ -3,7 +3,7 @@ import 'express-validator'
 import { values } from 'lodash'
 import 'multer'
 import * as validator from 'validator'
-import { VideoRateType } from '../../../shared'
+import { UserRight, VideoRateType } from '../../../shared'
 import {
 CONSTRAINTS_FIELDS,
 VIDEO_CATEGORIES,
@@ -15,6 +15,7 @@ import {
 import { VideoModel } from '../../models/video/video'
 import { exists, isArray, isFileValid } from './misc'
 import { VideoChannelModel } from '../../models/video/video-channel'
+import { UserModel } from '../../models/account/user'
 const VIDEOS_CONSTRAINTS_FIELDS = CONSTRAINTS_FIELDS.VIDEOS
 const VIDEO_ABUSES_CONSTRAINTS_FIELDS = CONSTRAINTS_FIELDS.VIDEO_ABUSES
@@ -127,8 +128,22 @@ async function isVideoExist (id: string, res: Response) {
 return true
 }
-async function isVideoChannelOfAccountExist (channelId: number, accountId: number, res: Response) {
- const videoChannel = await VideoChannelModel.loadByIdAndAccount(channelId, accountId)
+async function isVideoChannelOfAccountExist (channelId: number, user: UserModel, res: Response) {
+ if (user.hasRight(UserRight.UPDATE_ANY_VIDEO) === true) {
+ const videoChannel = await VideoChannelModel.loadAndPopulateAccount(channelId)
+ if (!videoChannel) {
+ res.status(400)
+ .json({ error: 'Unknown video video channel on this instance.' })
+ .end()
+
+ return false
+ }
+
+ res.locals.videoChannel = videoChannel
+ return true
+ }
+
+ const videoChannel = await VideoChannelModel.loadByIdAndAccount(channelId, user.Account.id)
 if (!videoChannel) {
 res.status(400)
 .json({ error: 'Unknown video video channel for this account.' })
diff --git a/server/middlewares/validators/videos.ts b/server/middlewares/validators/videos.ts
index dd0246a63..c5c45fe58 100644
--- a/server/middlewares/validators/videos.ts
+++ b/server/middlewares/validators/videos.ts
@@ -90,7 +90,7 @@ const videosAddValidator = [
 const videoFile: Express.Multer.File = req.files['videofile'][0]
 const user = res.locals.oauth.token.User
- if (!await isVideoChannelOfAccountExist(req.body.channelId, user.Account.id, res)) return
+ if (!await isVideoChannelOfAccountExist(req.body.channelId, user, res)) return
 const isAble = await user.isAbleToUploadVideo(videoFile)
 if (isAble === false) {
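Review bot: The new `UserRight.UPDATE_ANY_VIDEO` branch in `isVideoChannelOfAccountExist` drops the account check for every caller of this helper, and the helper is also called from `videosAddValidator` (the `@@ -90,7` hunk), so a holder of that right can upload into any channel id as well as move a video on update (`videosUpdateValidator`, `@@ -193,7`). If only the update path was meant to be widened, the bypass belongs at that call site, or the right to test should be passed in by the caller. Nothing visible here limits `loadAndPopulateAccount(channelId)` to channels hosted by this instance although the error text says "on this instance", which is worth confirming in the model. The branch should at least carry a comment such as `// UPDATE_ANY_VIDEO holders may target a channel of any account: ownership is intentionally not checked here`. The function's tail lies outside the hunk.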
@@ -193,7 +193,7 @@ const videosUpdateValidator = [
 .end()
 }
- if (req.body.channelId && !await isVideoChannelOfAccountExist(req.body.channelId, user.Account.id, res)) return
+ if (req.body.channelId && !await isVideoChannelOfAccountExist(req.body.channelId, user, res)) return
 return next()
 }
@@ -332,7 +332,7 @@ function checkUserCanManageVideo (user: UserModel, video: VideoModel, right: Use
 // Retrieve the user who did the request
 if (video.isOwned() === false) {
 res.status(403)
- .json({ error: 'Cannot remove video of another server, blacklist it' })
+ .json({ error: 'Cannot manage a video of another server.' })
 .end()
 return false
 }
@@ -343,7 +343,7 @@ function checkUserCanManageVideo (user: UserModel, video: VideoModel, right: Use
 const account = video.VideoChannel.Account
 if (user.hasRight(right) === false && account.userId !== user.id) {
 res.status(403)
- .json({ error: 'Cannot remove video of another user' })
+ .json({ error: 'Cannot manage a video of another user.' })
 .end()
 return false
 }
diff --git a/server/tests/api/check-params/videos.ts b/server/tests/api/check-params/videos.ts
index 33e815806..c81e9752e 100644
--- a/server/tests/api/check-params/videos.ts
+++ b/server/tests/api/check-params/videos.ts
@@ -280,7 +280,7 @@ describe('Test videos API validator', function () {
 const fields = immutableAssign(baseCorrectParams, { channelId: customChannelId })
 const attaches = baseCorrectAttaches
- await makeUploadRequest({ url: server.url, path: path + '/upload', token: server.accessToken, fields, attaches })
+ await makeUploadRequest({ url: server.url, path: path + '/upload', token: userAccessToken, fields, attaches })
 })
 it('Should fail with too many tags', async function () {
-- 
cgit v1.2.3
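Review bot: No test covers the new privileged path. The `@@ -280,7` hunk in `server/tests/api/check-params/videos.ts` only switches the existing request with a foreign `channelId` from `server.accessToken` (presumably the admin token) to `userAccessToken`, so the branch where `UPDATE_ANY_VIDEO` accepts another account's channel is never exercised. A companion case that sends the same `fields` with `server.accessToken` and expects success, plus one with an unknown `channelId` under that token to hit the new 400 response, would pin the authorization boundary for both upload and update. The expected status of the modified request is not stated in the call and appears to rely on a default of `makeUploadRequest`; spelling it out would make the intent of this negative test explicit. The enclosing `it(...)` starts outside the hunk.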