Fix channel sync right check
This commit is contained in:
Chocobozzz
parent
8b69f9f028
commit
d4d9bbc6f2
|
|
@ -3,6 +3,7 @@ import { pickCommonVideoQuery } from '@server/helpers/query'
|
||||||
import { ActorFollowModel } from '@server/models/actor/actor-follow'
|
import { ActorFollowModel } from '@server/models/actor/actor-follow'
|
||||||
import { getServerActor } from '@server/models/application/application'
|
import { getServerActor } from '@server/models/application/application'
|
||||||
import { guessAdditionalAttributesFromQuery } from '@server/models/video/formatter/video-format-utils'
|
import { guessAdditionalAttributesFromQuery } from '@server/models/video/formatter/video-format-utils'
|
||||||
|
import { VideoChannelSyncModel } from '@server/models/video/video-channel-sync'
|
||||||
import { buildNSFWFilter, getCountVideos, isUserAbleToSearchRemoteURI } from '../../helpers/express-utils'
|
import { buildNSFWFilter, getCountVideos, isUserAbleToSearchRemoteURI } from '../../helpers/express-utils'
|
||||||
import { getFormattedObjects } from '../../helpers/utils'
|
import { getFormattedObjects } from '../../helpers/utils'
|
||||||
import { JobQueue } from '../../lib/job-queue'
|
import { JobQueue } from '../../lib/job-queue'
|
||||||
|
|
@ -25,7 +26,7 @@ import {
|
||||||
accountsFollowersSortValidator,
|
accountsFollowersSortValidator,
|
||||||
accountsSortValidator,
|
accountsSortValidator,
|
||||||
ensureAuthUserOwnsAccountValidator,
|
ensureAuthUserOwnsAccountValidator,
|
||||||
ensureCanManageUser,
|
ensureCanManageChannelOrAccount,
|
||||||
videoChannelsSortValidator,
|
videoChannelsSortValidator,
|
||||||
videoChannelStatsValidator,
|
videoChannelStatsValidator,
|
||||||
videoChannelSyncsSortValidator,
|
videoChannelSyncsSortValidator,
|
||||||
|
|
@ -37,7 +38,6 @@ import { AccountVideoRateModel } from '../../models/account/account-video-rate'
|
||||||
import { VideoModel } from '../../models/video/video'
|
import { VideoModel } from '../../models/video/video'
|
||||||
import { VideoChannelModel } from '../../models/video/video-channel'
|
import { VideoChannelModel } from '../../models/video/video-channel'
|
||||||
import { VideoPlaylistModel } from '../../models/video/video-playlist'
|
import { VideoPlaylistModel } from '../../models/video/video-playlist'
|
||||||
import { VideoChannelSyncModel } from '@server/models/video/video-channel-sync'
|
|
||||||
|
|
||||||
const accountsRouter = express.Router()
|
const accountsRouter = express.Router()
|
||||||
|
|
||||||
|
|
@ -78,7 +78,7 @@ accountsRouter.get('/:accountName/video-channels',
|
||||||
accountsRouter.get('/:accountName/video-channel-syncs',
|
accountsRouter.get('/:accountName/video-channel-syncs',
|
||||||
authenticate,
|
authenticate,
|
||||||
asyncMiddleware(accountNameWithHostGetValidator),
|
asyncMiddleware(accountNameWithHostGetValidator),
|
||||||
ensureCanManageUser,
|
ensureCanManageChannelOrAccount,
|
||||||
paginationValidator,
|
paginationValidator,
|
||||||
videoChannelSyncsSortValidator,
|
videoChannelSyncsSortValidator,
|
||||||
setDefaultSort,
|
setDefaultSort,
|
||||||
|
|
|
||||||
|
|
@ -36,7 +36,7 @@ import {
|
||||||
usersUpdateValidator
|
usersUpdateValidator
|
||||||
} from '../../../middlewares'
|
} from '../../../middlewares'
|
||||||
import {
|
import {
|
||||||
ensureCanManageUser,
|
ensureCanModerateUser,
|
||||||
usersAskResetPasswordValidator,
|
usersAskResetPasswordValidator,
|
||||||
usersAskSendVerifyEmailValidator,
|
usersAskSendVerifyEmailValidator,
|
||||||
usersBlockingValidator,
|
usersBlockingValidator,
|
||||||
|
|
@ -95,14 +95,14 @@ usersRouter.post('/:id/block',
|
||||||
authenticate,
|
authenticate,
|
||||||
ensureUserHasRight(UserRight.MANAGE_USERS),
|
ensureUserHasRight(UserRight.MANAGE_USERS),
|
||||||
asyncMiddleware(usersBlockingValidator),
|
asyncMiddleware(usersBlockingValidator),
|
||||||
ensureCanManageUser,
|
ensureCanModerateUser,
|
||||||
asyncMiddleware(blockUser)
|
asyncMiddleware(blockUser)
|
||||||
)
|
)
|
||||||
usersRouter.post('/:id/unblock',
|
usersRouter.post('/:id/unblock',
|
||||||
authenticate,
|
authenticate,
|
||||||
ensureUserHasRight(UserRight.MANAGE_USERS),
|
ensureUserHasRight(UserRight.MANAGE_USERS),
|
||||||
asyncMiddleware(usersBlockingValidator),
|
asyncMiddleware(usersBlockingValidator),
|
||||||
ensureCanManageUser,
|
ensureCanModerateUser,
|
||||||
asyncMiddleware(unblockUser)
|
asyncMiddleware(unblockUser)
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
@ -132,7 +132,7 @@ usersRouter.put('/:id',
|
||||||
authenticate,
|
authenticate,
|
||||||
ensureUserHasRight(UserRight.MANAGE_USERS),
|
ensureUserHasRight(UserRight.MANAGE_USERS),
|
||||||
asyncMiddleware(usersUpdateValidator),
|
asyncMiddleware(usersUpdateValidator),
|
||||||
ensureCanManageUser,
|
ensureCanModerateUser,
|
||||||
asyncMiddleware(updateUser)
|
asyncMiddleware(updateUser)
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
@ -140,7 +140,7 @@ usersRouter.delete('/:id',
|
||||||
authenticate,
|
authenticate,
|
||||||
ensureUserHasRight(UserRight.MANAGE_USERS),
|
ensureUserHasRight(UserRight.MANAGE_USERS),
|
||||||
asyncMiddleware(usersRemoveValidator),
|
asyncMiddleware(usersRemoveValidator),
|
||||||
ensureCanManageUser,
|
ensureCanModerateUser,
|
||||||
asyncMiddleware(removeUser)
|
asyncMiddleware(removeUser)
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -5,7 +5,7 @@ import {
|
||||||
asyncMiddleware,
|
asyncMiddleware,
|
||||||
asyncRetryTransactionMiddleware,
|
asyncRetryTransactionMiddleware,
|
||||||
authenticate,
|
authenticate,
|
||||||
ensureCanManageChannel as ensureCanManageSyncedChannel,
|
ensureCanManageChannelOrAccount,
|
||||||
ensureSyncExists,
|
ensureSyncExists,
|
||||||
ensureSyncIsEnabled,
|
ensureSyncIsEnabled,
|
||||||
videoChannelSyncValidator
|
videoChannelSyncValidator
|
||||||
|
|
@ -21,14 +21,14 @@ videoChannelSyncRouter.post('/',
|
||||||
authenticate,
|
authenticate,
|
||||||
ensureSyncIsEnabled,
|
ensureSyncIsEnabled,
|
||||||
asyncMiddleware(videoChannelSyncValidator),
|
asyncMiddleware(videoChannelSyncValidator),
|
||||||
ensureCanManageSyncedChannel,
|
ensureCanManageChannelOrAccount,
|
||||||
asyncRetryTransactionMiddleware(createVideoChannelSync)
|
asyncRetryTransactionMiddleware(createVideoChannelSync)
|
||||||
)
|
)
|
||||||
|
|
||||||
videoChannelSyncRouter.delete('/:id',
|
videoChannelSyncRouter.delete('/:id',
|
||||||
authenticate,
|
authenticate,
|
||||||
asyncMiddleware(ensureSyncExists),
|
asyncMiddleware(ensureSyncExists),
|
||||||
ensureCanManageSyncedChannel,
|
ensureCanManageChannelOrAccount,
|
||||||
asyncRetryTransactionMiddleware(removeVideoChannelSync)
|
asyncRetryTransactionMiddleware(removeVideoChannelSync)
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -23,7 +23,7 @@ import {
|
||||||
asyncRetryTransactionMiddleware,
|
asyncRetryTransactionMiddleware,
|
||||||
authenticate,
|
authenticate,
|
||||||
commonVideosFiltersValidator,
|
commonVideosFiltersValidator,
|
||||||
ensureCanManageChannel,
|
ensureCanManageChannelOrAccount,
|
||||||
optionalAuthenticate,
|
optionalAuthenticate,
|
||||||
paginationValidator,
|
paginationValidator,
|
||||||
setDefaultPagination,
|
setDefaultPagination,
|
||||||
|
|
@ -77,7 +77,7 @@ videoChannelRouter.post('/:nameWithHost/avatar/pick',
|
||||||
reqAvatarFile,
|
reqAvatarFile,
|
||||||
asyncMiddleware(videoChannelsNameWithHostValidator),
|
asyncMiddleware(videoChannelsNameWithHostValidator),
|
||||||
ensureIsLocalChannel,
|
ensureIsLocalChannel,
|
||||||
ensureCanManageChannel,
|
ensureCanManageChannelOrAccount,
|
||||||
updateAvatarValidator,
|
updateAvatarValidator,
|
||||||
asyncMiddleware(updateVideoChannelAvatar)
|
asyncMiddleware(updateVideoChannelAvatar)
|
||||||
)
|
)
|
||||||
|
|
@ -87,7 +87,7 @@ videoChannelRouter.post('/:nameWithHost/banner/pick',
|
||||||
reqBannerFile,
|
reqBannerFile,
|
||||||
asyncMiddleware(videoChannelsNameWithHostValidator),
|
asyncMiddleware(videoChannelsNameWithHostValidator),
|
||||||
ensureIsLocalChannel,
|
ensureIsLocalChannel,
|
||||||
ensureCanManageChannel,
|
ensureCanManageChannelOrAccount,
|
||||||
updateBannerValidator,
|
updateBannerValidator,
|
||||||
asyncMiddleware(updateVideoChannelBanner)
|
asyncMiddleware(updateVideoChannelBanner)
|
||||||
)
|
)
|
||||||
|
|
@ -96,7 +96,7 @@ videoChannelRouter.delete('/:nameWithHost/avatar',
|
||||||
authenticate,
|
authenticate,
|
||||||
asyncMiddleware(videoChannelsNameWithHostValidator),
|
asyncMiddleware(videoChannelsNameWithHostValidator),
|
||||||
ensureIsLocalChannel,
|
ensureIsLocalChannel,
|
||||||
ensureCanManageChannel,
|
ensureCanManageChannelOrAccount,
|
||||||
asyncMiddleware(deleteVideoChannelAvatar)
|
asyncMiddleware(deleteVideoChannelAvatar)
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
@ -104,7 +104,7 @@ videoChannelRouter.delete('/:nameWithHost/banner',
|
||||||
authenticate,
|
authenticate,
|
||||||
asyncMiddleware(videoChannelsNameWithHostValidator),
|
asyncMiddleware(videoChannelsNameWithHostValidator),
|
||||||
ensureIsLocalChannel,
|
ensureIsLocalChannel,
|
||||||
ensureCanManageChannel,
|
ensureCanManageChannelOrAccount,
|
||||||
asyncMiddleware(deleteVideoChannelBanner)
|
asyncMiddleware(deleteVideoChannelBanner)
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
@ -112,7 +112,7 @@ videoChannelRouter.put('/:nameWithHost',
|
||||||
authenticate,
|
authenticate,
|
||||||
asyncMiddleware(videoChannelsNameWithHostValidator),
|
asyncMiddleware(videoChannelsNameWithHostValidator),
|
||||||
ensureIsLocalChannel,
|
ensureIsLocalChannel,
|
||||||
ensureCanManageChannel,
|
ensureCanManageChannelOrAccount,
|
||||||
videoChannelsUpdateValidator,
|
videoChannelsUpdateValidator,
|
||||||
asyncRetryTransactionMiddleware(updateVideoChannel)
|
asyncRetryTransactionMiddleware(updateVideoChannel)
|
||||||
)
|
)
|
||||||
|
|
@ -121,7 +121,7 @@ videoChannelRouter.delete('/:nameWithHost',
|
||||||
authenticate,
|
authenticate,
|
||||||
asyncMiddleware(videoChannelsNameWithHostValidator),
|
asyncMiddleware(videoChannelsNameWithHostValidator),
|
||||||
ensureIsLocalChannel,
|
ensureIsLocalChannel,
|
||||||
ensureCanManageChannel,
|
ensureCanManageChannelOrAccount,
|
||||||
asyncMiddleware(videoChannelsRemoveValidator),
|
asyncMiddleware(videoChannelsRemoveValidator),
|
||||||
asyncRetryTransactionMiddleware(removeVideoChannel)
|
asyncRetryTransactionMiddleware(removeVideoChannel)
|
||||||
)
|
)
|
||||||
|
|
@ -155,7 +155,7 @@ videoChannelRouter.get('/:nameWithHost/videos',
|
||||||
videoChannelRouter.get('/:nameWithHost/followers',
|
videoChannelRouter.get('/:nameWithHost/followers',
|
||||||
authenticate,
|
authenticate,
|
||||||
asyncMiddleware(videoChannelsNameWithHostValidator),
|
asyncMiddleware(videoChannelsNameWithHostValidator),
|
||||||
ensureCanManageChannel,
|
ensureCanManageChannelOrAccount,
|
||||||
paginationValidator,
|
paginationValidator,
|
||||||
videoChannelsFollowersSortValidator,
|
videoChannelsFollowersSortValidator,
|
||||||
setDefaultSort,
|
setDefaultSort,
|
||||||
|
|
@ -168,7 +168,7 @@ videoChannelRouter.post('/:nameWithHost/import-videos',
|
||||||
asyncMiddleware(videoChannelsNameWithHostValidator),
|
asyncMiddleware(videoChannelsNameWithHostValidator),
|
||||||
asyncMiddleware(videoChannelImportVideosValidator),
|
asyncMiddleware(videoChannelImportVideosValidator),
|
||||||
ensureIsLocalChannel,
|
ensureIsLocalChannel,
|
||||||
ensureCanManageChannel,
|
ensureCanManageChannelOrAccount,
|
||||||
asyncMiddleware(ensureChannelOwnerCanUpload),
|
asyncMiddleware(ensureChannelOwnerCanUpload),
|
||||||
asyncMiddleware(importVideosInChannel)
|
asyncMiddleware(importVideosInChannel)
|
||||||
)
|
)
|
||||||
|
|
|
||||||
|
|
@ -507,13 +507,14 @@ const ensureAuthUserOwnsAccountValidator = [
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
|
|
||||||
const ensureCanManageChannel = [
|
const ensureCanManageChannelOrAccount = [
|
||||||
(req: express.Request, res: express.Response, next: express.NextFunction) => {
|
(req: express.Request, res: express.Response, next: express.NextFunction) => {
|
||||||
const user = res.locals.oauth.token.user
|
const user = res.locals.oauth.token.user
|
||||||
const isUserOwner = res.locals.videoChannel.Account.userId === user.id
|
const account = res.locals.videoChannel?.Account ?? res.locals.account
|
||||||
|
const isUserOwner = account.userId === user.id
|
||||||
|
|
||||||
if (!isUserOwner && user.hasRight(UserRight.MANAGE_ANY_VIDEO_CHANNEL) === false) {
|
if (!isUserOwner && user.hasRight(UserRight.MANAGE_ANY_VIDEO_CHANNEL) === false) {
|
||||||
const message = `User ${user.username} does not have right to manage channel ${req.params.nameWithHost}.`
|
const message = `User ${user.username} does not have right this channel or account.`
|
||||||
|
|
||||||
return res.fail({
|
return res.fail({
|
||||||
status: HttpStatusCode.FORBIDDEN_403,
|
status: HttpStatusCode.FORBIDDEN_403,
|
||||||
|
|
@ -525,7 +526,7 @@ const ensureCanManageChannel = [
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
|
|
||||||
const ensureCanManageUser = [
|
const ensureCanModerateUser = [
|
||||||
(req: express.Request, res: express.Response, next: express.NextFunction) => {
|
(req: express.Request, res: express.Response, next: express.NextFunction) => {
|
||||||
const authUser = res.locals.oauth.token.User
|
const authUser = res.locals.oauth.token.User
|
||||||
const onUser = res.locals.user
|
const onUser = res.locals.user
|
||||||
|
|
@ -535,7 +536,7 @@ const ensureCanManageUser = [
|
||||||
|
|
||||||
return res.fail({
|
return res.fail({
|
||||||
status: HttpStatusCode.FORBIDDEN_403,
|
status: HttpStatusCode.FORBIDDEN_403,
|
||||||
message: 'A moderator can only manager users.'
|
message: 'A moderator can only manage users.'
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
|
|
@ -562,8 +563,8 @@ export {
|
||||||
usersVerifyEmailValidator,
|
usersVerifyEmailValidator,
|
||||||
userAutocompleteValidator,
|
userAutocompleteValidator,
|
||||||
ensureAuthUserOwnsAccountValidator,
|
ensureAuthUserOwnsAccountValidator,
|
||||||
ensureCanManageUser,
|
ensureCanModerateUser,
|
||||||
ensureCanManageChannel
|
ensureCanManageChannelOrAccount
|
||||||
}
|
}
|
||||||
|
|
||||||
// ---------------------------------------------------------------------------
|
// ---------------------------------------------------------------------------
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue
Block a user