PeerTube/server/core/middlewares/validators/users.ts

490 lines
14 KiB
TypeScript
Raw Normal View History

2021-08-27 07:32:44 -05:00
import express from 'express'
import { body, param, query } from 'express-validator'
import { forceNumber } from '@peertube/peertube-core-utils'
import { HttpStatusCode, UserRight, UserRole } from '@peertube/peertube-models'
import { exists, isBooleanValid, isIdValid, toBooleanOrNull, toIntOrNull } from '../../helpers/custom-validators/misc.js'
import { isThemeNameValid } from '../../helpers/custom-validators/plugins.js'
2017-09-15 05:17:08 -05:00
import {
2019-04-15 03:49:46 -05:00
isUserAdminFlagsValid,
2019-09-24 03:19:55 -05:00
isUserAutoPlayNextVideoValid,
2018-12-18 10:18:25 -06:00
isUserAutoPlayVideoValid,
isUserBlockedReasonValid,
isUserDescriptionValid,
isUserDisplayNameValid,
Add Podcast RSS feeds (#5487) * Initial test implementation of Podcast RSS This is a pretty simple implementation to add support for The Podcast Namespace in RSS -- instead of affecting the existing RSS implementation, this adds a new UI option. I attempted to retain compatibility with the rest of the RSS feed implementation as much as possible and have created a temporary fork of the "pfeed" library to support this effort. * Update to pfeed-podcast 1.2.2 * Initial test implementation of Podcast RSS This is a pretty simple implementation to add support for The Podcast Namespace in RSS -- instead of affecting the existing RSS implementation, this adds a new UI option. I attempted to retain compatibility with the rest of the RSS feed implementation as much as possible and have created a temporary fork of the "pfeed" library to support this effort. * Update to pfeed-podcast 1.2.2 * Initial test implementation of Podcast RSS This is a pretty simple implementation to add support for The Podcast Namespace in RSS -- instead of affecting the existing RSS implementation, this adds a new UI option. I attempted to retain compatibility with the rest of the RSS feed implementation as much as possible and have created a temporary fork of the "pfeed" library to support this effort. * Update to pfeed-podcast 1.2.2 * Add correct feed image to RSS channel * Prefer HLS videos for podcast RSS Remove video/stream titles, add optional height attribute to podcast RSS * Prefix podcast RSS images with root server URL * Add optional video query support to include captions * Add transcripts & person images to podcast RSS feed * Prefer webseed/webtorrent files over HLS fragmented mp4s * Experimentally adding podcast fields to basic config page * Add validation for new basic config fields * Don't include "content" in podcast feed, use full description for "description" * Initial test implementation of Podcast RSS This is a pretty simple implementation to add support for The Podcast Namespace in RSS -- instead of affecting the existing RSS implementation, this adds a new UI option. I attempted to retain compatibility with the rest of the RSS feed implementation as much as possible and have created a temporary fork of the "pfeed" library to support this effort. * Update to pfeed-podcast 1.2.2 * Add correct feed image to RSS channel * Prefer HLS videos for podcast RSS Remove video/stream titles, add optional height attribute to podcast RSS * Prefix podcast RSS images with root server URL * Add optional video query support to include captions * Add transcripts & person images to podcast RSS feed * Prefer webseed/webtorrent files over HLS fragmented mp4s * Experimentally adding podcast fields to basic config page * Add validation for new basic config fields * Don't include "content" in podcast feed, use full description for "description" * Add medium/socialInteract to podcast RSS feeds. Use HTML for description * Change base production image to bullseye, install prosody in image * Add liveItem and trackers to Podcast RSS feeds Remove height from alternateEnclosure, replaced with title. * Clear Podcast RSS feed cache when live streams start/end * Upgrade to Node 16 * Refactor clearCacheRoute to use ApiCache * Remove unnecessary type hint * Update dockerfile to node 16, install python-is-python2 * Use new file paths for captions/playlists * Fix legacy videos in RSS after migration to object storage * Improve method of identifying non-fragmented mp4s in podcast RSS feeds * Don't include fragmented MP4s in podcast RSS feeds * Add experimental support for podcast:categories on the podcast RSS item * Fix undefined category when no videos exist Allows for empty feeds to exist (important for feeds that might only go live) * Add support for podcast:locked -- user has to opt in to show their email * Use comma for podcast:categories delimiter * Make cache clearing async * Fix merge, temporarily test with pfeed-podcast * Syntax changes * Add EXT_MIMETYPE constants for captions * Update & fix tests, fix enclosure mimetypes, remove admin email * Add test for podacst:socialInteract * Add filters hooks for podcast customTags * Remove showdown, updated to pfeed-podcast 6.1.2 * Add 'action:api.live-video.state.updated' hook * Avoid assigning undefined category to podcast feeds * Remove nvmrc * Remove comment * Remove unused podcast config * Remove more unused podcast config * Fix MChannelAccountDefault type hint missed in merge * Remove extra line * Re-add newline in config * Fix lint errors for isEmailPublic * Fix thumbnails in podcast feeds * Requested changes based on review * Provide podcast rss 2.0 only on video channels * Misc cleanup for a less messy PR * Lint fixes * Remove pfeed-podcast * Add peertube version to new hooks * Don't use query include, remove TODO * Remove film medium hack * Clear podcast rss cache before video/channel update hooks * Clear podcast rss cache before video uploaded/deleted hooks * Refactor podcast feed cache clearing * Set correct person name from video channel * Styling * Fix tests --------- Co-authored-by: Chocobozzz <me@florianbigard.com>
2023-05-22 09:00:05 -05:00
isUserEmailPublicValid,
isUserNoModal,
isUserNSFWPolicyValid,
isUserP2PEnabledValid,
2018-01-30 06:27:07 -06:00
isUserPasswordValid,
isUserPasswordValidOrEmpty,
2018-01-30 06:27:07 -06:00
isUserRoleValid,
2019-07-23 03:40:39 -05:00
isUserUsernameValid,
isUserVideoLanguages,
2018-12-18 10:18:25 -06:00
isUserVideoQuotaDailyValid,
2019-03-19 04:35:15 -05:00
isUserVideoQuotaValid,
isUserVideosHistoryEnabledValid
} from '../../helpers/custom-validators/users.js'
import { isVideoChannelUsernameValid } from '../../helpers/custom-validators/video-channels.js'
import { logger } from '../../helpers/logger.js'
import { isThemeRegistered } from '../../lib/plugins/theme-utils.js'
import { Redis } from '../../lib/redis.js'
import { ActorModel } from '../../models/actor/actor.js'
import {
areValidationErrors,
checkUserEmailExist,
checkUserIdExist,
2023-01-19 02:27:16 -06:00
checkUserNameOrEmailDoNotAlreadyExist,
doesVideoChannelIdExist,
doesVideoExist,
isValidVideoIdParam
} from './shared/index.js'
const usersListValidator = [
query('blocked')
.optional()
2020-11-16 04:55:17 -06:00
.customSanitizer(toBooleanOrNull)
.isBoolean().withMessage('Should be a valid blocked boolean'),
(req: express.Request, res: express.Response, next: express.NextFunction) => {
if (areValidationErrors(req, res)) return
return next()
}
]
2017-09-15 05:17:08 -05:00
const usersAddValidator = [
body('username')
.custom(isUserUsernameValid)
.withMessage('Should have a valid username (lowercase alphanumeric characters)'),
body('password')
.custom(isUserPasswordValidOrEmpty),
body('email')
.isEmail(),
body('channelName')
.optional()
.custom(isVideoChannelUsernameValid),
body('videoQuota')
.optional()
.custom(isUserVideoQuotaValid),
body('videoQuotaDaily')
.optional()
.custom(isUserVideoQuotaDailyValid),
2019-08-22 03:59:14 -05:00
body('role')
.customSanitizer(toIntOrNull)
.custom(isUserRoleValid),
body('adminFlags')
.optional()
.custom(isUserAdminFlagsValid),
2017-11-27 10:30:46 -06:00
async (req: express.Request, res: express.Response, next: express.NextFunction) => {
2022-08-17 07:58:40 -05:00
if (areValidationErrors(req, res, { omitBodyLog: true })) return
2023-01-19 02:27:16 -06:00
if (!await checkUserNameOrEmailDoNotAlreadyExist(req.body.username, req.body.email, res)) return
2017-11-27 10:30:46 -06:00
2019-07-30 02:59:19 -05:00
const authUser = res.locals.oauth.token.User
if (authUser.role !== UserRole.ADMINISTRATOR && req.body.role !== UserRole.USER) {
return res.fail({
status: HttpStatusCode.FORBIDDEN_403,
message: 'You can only create users (and not administrators or moderators)'
})
2019-07-30 02:59:19 -05:00
}
if (req.body.channelName) {
if (req.body.channelName === req.body.username) {
return res.fail({ message: 'Channel name cannot be the same as user username.' })
}
const existing = await ActorModel.loadLocalByName(req.body.channelName)
if (existing) {
return res.fail({
status: HttpStatusCode.CONFLICT_409,
message: `Channel with name ${req.body.channelName} already exists.`
})
}
}
2017-11-27 10:30:46 -06:00
return next()
2017-09-15 05:17:08 -05:00
}
]
2017-09-15 05:17:08 -05:00
const usersRemoveValidator = [
param('id')
.custom(isIdValid),
2017-11-27 10:30:46 -06:00
async (req: express.Request, res: express.Response, next: express.NextFunction) => {
if (areValidationErrors(req, res)) return
if (!await checkUserIdExist(req.params.id, res)) return
const user = res.locals.user
if (user.username === 'root') {
return res.fail({ message: 'Cannot remove the root user' })
2017-11-27 10:30:46 -06:00
}
return next()
2017-09-15 05:17:08 -05:00
}
]
2017-09-05 14:29:39 -05:00
2018-08-08 07:58:21 -05:00
const usersBlockingValidator = [
param('id')
.custom(isIdValid),
body('reason')
.optional()
.custom(isUserBlockedReasonValid),
2018-08-08 07:58:21 -05:00
async (req: express.Request, res: express.Response, next: express.NextFunction) => {
if (areValidationErrors(req, res)) return
if (!await checkUserIdExist(req.params.id, res)) return
const user = res.locals.user
if (user.username === 'root') {
return res.fail({ message: 'Cannot block the root user' })
2018-08-08 07:58:21 -05:00
}
return next()
}
]
2018-08-08 03:55:27 -05:00
const deleteMeValidator = [
2020-01-31 09:56:52 -06:00
(req: express.Request, res: express.Response, next: express.NextFunction) => {
2019-03-19 04:35:15 -05:00
const user = res.locals.oauth.token.User
2018-08-08 03:55:27 -05:00
if (user.username === 'root') {
return res.fail({ message: 'You cannot delete your root account.' })
2018-08-08 03:55:27 -05:00
}
return next()
}
]
2017-09-15 05:17:08 -05:00
const usersUpdateValidator = [
param('id').custom(isIdValid),
body('password')
.optional()
.custom(isUserPasswordValid),
body('email')
.optional()
.isEmail(),
body('emailVerified')
.optional()
.isBoolean(),
body('videoQuota')
.optional()
.custom(isUserVideoQuotaValid),
body('videoQuotaDaily')
.optional()
.custom(isUserVideoQuotaDailyValid),
body('pluginAuth')
.optional()
.exists(),
2019-08-22 03:59:14 -05:00
body('role')
.optional()
.customSanitizer(toIntOrNull)
.custom(isUserRoleValid),
body('adminFlags')
.optional()
.custom(isUserAdminFlagsValid),
2017-09-05 14:29:39 -05:00
2017-11-27 10:30:46 -06:00
async (req: express.Request, res: express.Response, next: express.NextFunction) => {
2022-08-17 07:58:40 -05:00
if (areValidationErrors(req, res, { omitBodyLog: true })) return
2017-11-27 10:30:46 -06:00
if (!await checkUserIdExist(req.params.id, res)) return
const user = res.locals.user
if (user.username === 'root' && req.body.role !== undefined && user.role !== req.body.role) {
return res.fail({ message: 'Cannot change root role.' })
}
2017-11-27 10:30:46 -06:00
return next()
2017-09-15 05:17:08 -05:00
}
]
2017-09-15 05:17:08 -05:00
const usersUpdateMeValidator = [
2019-06-11 04:54:33 -05:00
body('displayName')
.optional()
.custom(isUserDisplayNameValid),
2019-06-11 04:54:33 -05:00
body('description')
.optional()
.custom(isUserDescriptionValid),
2019-06-11 04:54:33 -05:00
body('currentPassword')
.optional()
.custom(isUserPasswordValid),
2019-06-11 04:54:33 -05:00
body('password')
.optional()
.custom(isUserPasswordValid),
Add Podcast RSS feeds (#5487) * Initial test implementation of Podcast RSS This is a pretty simple implementation to add support for The Podcast Namespace in RSS -- instead of affecting the existing RSS implementation, this adds a new UI option. I attempted to retain compatibility with the rest of the RSS feed implementation as much as possible and have created a temporary fork of the "pfeed" library to support this effort. * Update to pfeed-podcast 1.2.2 * Initial test implementation of Podcast RSS This is a pretty simple implementation to add support for The Podcast Namespace in RSS -- instead of affecting the existing RSS implementation, this adds a new UI option. I attempted to retain compatibility with the rest of the RSS feed implementation as much as possible and have created a temporary fork of the "pfeed" library to support this effort. * Update to pfeed-podcast 1.2.2 * Initial test implementation of Podcast RSS This is a pretty simple implementation to add support for The Podcast Namespace in RSS -- instead of affecting the existing RSS implementation, this adds a new UI option. I attempted to retain compatibility with the rest of the RSS feed implementation as much as possible and have created a temporary fork of the "pfeed" library to support this effort. * Update to pfeed-podcast 1.2.2 * Add correct feed image to RSS channel * Prefer HLS videos for podcast RSS Remove video/stream titles, add optional height attribute to podcast RSS * Prefix podcast RSS images with root server URL * Add optional video query support to include captions * Add transcripts & person images to podcast RSS feed * Prefer webseed/webtorrent files over HLS fragmented mp4s * Experimentally adding podcast fields to basic config page * Add validation for new basic config fields * Don't include "content" in podcast feed, use full description for "description" * Initial test implementation of Podcast RSS This is a pretty simple implementation to add support for The Podcast Namespace in RSS -- instead of affecting the existing RSS implementation, this adds a new UI option. I attempted to retain compatibility with the rest of the RSS feed implementation as much as possible and have created a temporary fork of the "pfeed" library to support this effort. * Update to pfeed-podcast 1.2.2 * Add correct feed image to RSS channel * Prefer HLS videos for podcast RSS Remove video/stream titles, add optional height attribute to podcast RSS * Prefix podcast RSS images with root server URL * Add optional video query support to include captions * Add transcripts & person images to podcast RSS feed * Prefer webseed/webtorrent files over HLS fragmented mp4s * Experimentally adding podcast fields to basic config page * Add validation for new basic config fields * Don't include "content" in podcast feed, use full description for "description" * Add medium/socialInteract to podcast RSS feeds. Use HTML for description * Change base production image to bullseye, install prosody in image * Add liveItem and trackers to Podcast RSS feeds Remove height from alternateEnclosure, replaced with title. * Clear Podcast RSS feed cache when live streams start/end * Upgrade to Node 16 * Refactor clearCacheRoute to use ApiCache * Remove unnecessary type hint * Update dockerfile to node 16, install python-is-python2 * Use new file paths for captions/playlists * Fix legacy videos in RSS after migration to object storage * Improve method of identifying non-fragmented mp4s in podcast RSS feeds * Don't include fragmented MP4s in podcast RSS feeds * Add experimental support for podcast:categories on the podcast RSS item * Fix undefined category when no videos exist Allows for empty feeds to exist (important for feeds that might only go live) * Add support for podcast:locked -- user has to opt in to show their email * Use comma for podcast:categories delimiter * Make cache clearing async * Fix merge, temporarily test with pfeed-podcast * Syntax changes * Add EXT_MIMETYPE constants for captions * Update & fix tests, fix enclosure mimetypes, remove admin email * Add test for podacst:socialInteract * Add filters hooks for podcast customTags * Remove showdown, updated to pfeed-podcast 6.1.2 * Add 'action:api.live-video.state.updated' hook * Avoid assigning undefined category to podcast feeds * Remove nvmrc * Remove comment * Remove unused podcast config * Remove more unused podcast config * Fix MChannelAccountDefault type hint missed in merge * Remove extra line * Re-add newline in config * Fix lint errors for isEmailPublic * Fix thumbnails in podcast feeds * Requested changes based on review * Provide podcast rss 2.0 only on video channels * Misc cleanup for a less messy PR * Lint fixes * Remove pfeed-podcast * Add peertube version to new hooks * Don't use query include, remove TODO * Remove film medium hack * Clear podcast rss cache before video/channel update hooks * Clear podcast rss cache before video uploaded/deleted hooks * Refactor podcast feed cache clearing * Set correct person name from video channel * Styling * Fix tests --------- Co-authored-by: Chocobozzz <me@florianbigard.com>
2023-05-22 09:00:05 -05:00
body('emailPublic')
.optional()
.custom(isUserEmailPublicValid),
2019-06-11 04:54:33 -05:00
body('email')
.optional()
.isEmail(),
2019-06-11 04:54:33 -05:00
body('nsfwPolicy')
.optional()
.custom(isUserNSFWPolicyValid),
2019-06-11 04:54:33 -05:00
body('autoPlayVideo')
.optional()
.custom(isUserAutoPlayVideoValid),
body('p2pEnabled')
.optional()
.custom(isUserP2PEnabledValid).withMessage('Should have a valid p2p enabled boolean'),
body('videoLanguages')
.optional()
.custom(isUserVideoLanguages),
2018-12-18 10:18:25 -06:00
body('videosHistoryEnabled')
.optional()
.custom(isUserVideosHistoryEnabledValid).withMessage('Should have a valid videos history enabled boolean'),
2019-07-09 04:45:19 -05:00
body('theme')
.optional()
.custom(v => isThemeNameValid(v) && isThemeRegistered(v)),
2019-08-28 07:40:06 -05:00
body('noInstanceConfigWarningModal')
.optional()
.custom(v => isUserNoModal(v)).withMessage('Should have a valid noInstanceConfigWarningModal boolean'),
2019-08-28 07:40:06 -05:00
body('noWelcomeModal')
.optional()
.custom(v => isUserNoModal(v)).withMessage('Should have a valid noWelcomeModal boolean'),
body('noAccountSetupWarningModal')
.optional()
.custom(v => isUserNoModal(v)).withMessage('Should have a valid noAccountSetupWarningModal boolean'),
2019-09-24 03:19:55 -05:00
body('autoPlayNextVideo')
.optional()
.custom(v => isUserAutoPlayNextVideoValid(v)).withMessage('Should have a valid autoPlayNextVideo boolean'),
2018-09-26 09:28:15 -05:00
async (req: express.Request, res: express.Response, next: express.NextFunction) => {
const user = res.locals.oauth.token.User
2019-06-11 07:30:49 -05:00
if (req.body.password || req.body.email) {
if (user.pluginAuth !== null) {
return res.fail({ message: 'You cannot update your email or password that is associated with an external auth system.' })
}
2018-09-26 09:28:15 -05:00
if (!req.body.currentPassword) {
return res.fail({ message: 'currentPassword parameter is missing.' })
2018-09-26 09:28:15 -05:00
}
if (await user.isPasswordMatch(req.body.currentPassword) !== true) {
return res.fail({
status: HttpStatusCode.UNAUTHORIZED_401,
message: 'currentPassword is invalid.'
})
2018-09-26 09:28:15 -05:00
}
}
2022-08-17 07:58:40 -05:00
if (areValidationErrors(req, res, { omitBodyLog: true })) return
2017-11-27 10:30:46 -06:00
return next()
2017-09-15 05:17:08 -05:00
}
]
2017-09-05 14:29:39 -05:00
2017-09-15 05:17:08 -05:00
const usersGetValidator = [
param('id')
.custom(isIdValid),
query('withStats')
.optional()
.isBoolean().withMessage('Should have a valid withStats boolean'),
2017-03-08 14:35:43 -06:00
2017-11-27 10:30:46 -06:00
async (req: express.Request, res: express.Response, next: express.NextFunction) => {
if (areValidationErrors(req, res)) return
if (!await checkUserIdExist(req.params.id, res, req.query.withStats)) return
2017-11-27 10:30:46 -06:00
return next()
2017-09-15 05:17:08 -05:00
}
]
2017-03-08 14:35:43 -06:00
2017-09-15 05:17:08 -05:00
const usersVideoRatingValidator = [
isValidVideoIdParam('videoId'),
2017-11-27 10:30:46 -06:00
async (req: express.Request, res: express.Response, next: express.NextFunction) => {
if (areValidationErrors(req, res)) return
2019-03-19 03:26:50 -05:00
if (!await doesVideoExist(req.params.videoId, res, 'id')) return
2017-11-27 10:30:46 -06:00
return next()
2017-09-15 05:17:08 -05:00
}
]
const usersVideosValidator = [
query('isLive')
.optional()
.customSanitizer(toBooleanOrNull)
.custom(isBooleanValid).withMessage('Should have a valid isLive boolean'),
query('channelId')
.optional()
.customSanitizer(toIntOrNull)
.custom(isIdValid),
async (req: express.Request, res: express.Response, next: express.NextFunction) => {
if (areValidationErrors(req, res)) return
if (req.query.channelId && !await doesVideoChannelIdExist(req.query.channelId, res)) return
return next()
}
]
2018-01-30 06:27:07 -06:00
const usersAskResetPasswordValidator = [
body('email')
.isEmail(),
2018-01-30 06:27:07 -06:00
async (req: express.Request, res: express.Response, next: express.NextFunction) => {
if (areValidationErrors(req, res)) return
2018-01-30 06:27:07 -06:00
const exists = await checkUserEmailExist(req.body.email, res, false)
if (!exists) {
logger.debug('User with email %s does not exist (asking reset password).', req.body.email)
// Do not leak our emails
return res.status(HttpStatusCode.NO_CONTENT_204).end()
2018-01-30 06:27:07 -06:00
}
if (res.locals.user.pluginAuth) {
return res.fail({
status: HttpStatusCode.CONFLICT_409,
message: 'Cannot recover password of a user that uses a plugin authentication.'
})
}
2018-01-30 06:27:07 -06:00
return next()
}
]
const usersResetPasswordValidator = [
param('id')
.custom(isIdValid),
body('verificationString')
.not().isEmpty(),
body('password')
.custom(isUserPasswordValid),
2018-01-30 06:27:07 -06:00
async (req: express.Request, res: express.Response, next: express.NextFunction) => {
if (areValidationErrors(req, res)) return
if (!await checkUserIdExist(req.params.id, res)) return
2019-03-19 04:35:15 -05:00
const user = res.locals.user
const redisVerificationString = await Redis.Instance.getResetPasswordVerificationString(user.id)
2018-01-30 06:27:07 -06:00
if (redisVerificationString !== req.body.verificationString) {
return res.fail({
status: HttpStatusCode.FORBIDDEN_403,
message: 'Invalid verification string.'
})
2018-01-30 06:27:07 -06:00
}
return next()
}
]
const usersCheckCurrentPasswordFactory = (targetUserIdGetter: (req: express.Request) => number | string) => {
return [
body('currentPassword').optional().custom(exists),
async (req: express.Request, res: express.Response, next: express.NextFunction) => {
if (areValidationErrors(req, res)) return
const user = res.locals.oauth.token.User
const isAdminOrModerator = user.role === UserRole.ADMINISTRATOR || user.role === UserRole.MODERATOR
const targetUserId = forceNumber(targetUserIdGetter(req))
// Admin/moderator action on another user, skip the password check
if (isAdminOrModerator && targetUserId !== user.id) {
return next()
}
if (!req.body.currentPassword) {
return res.fail({
status: HttpStatusCode.BAD_REQUEST_400,
message: 'currentPassword is missing'
})
}
if (await user.isPasswordMatch(req.body.currentPassword) !== true) {
return res.fail({
status: HttpStatusCode.FORBIDDEN_403,
message: 'currentPassword is invalid.'
})
}
return next()
}
]
}
Users can change ownership of their video [#510] (#888) * [#510] Create a new route to get the list of user names To be able to transfer ownership to a user, we need to be able to select him from the list of users. Because the list could be too big, we add a autocomplete feature. This commit does the following: * Add a API endpoint to get a list of user names by searching its name * [#510] The user can choose the next owner of the video To be able to transfer ownership to a user, we need the owner to be able to select the user. The server can autocomplete the name of the user to give the ownership. We add a dialog for the user to actually select it. This commit does the following: * Create a modal for the owner to select the next one * Opens this modal with a button into the menu *more* * Make the dependency injection * [#510] When the user choose the next owner, create a request in database For the change of ownership to happen, we need to store the temporary requests. When the user make the request, save it to database. This commit does the following: * Create the model to persist change ownership requests * Add an API to manage ownership operations * Add a route to persist an ownership request * [#510] A user can fetch its ownership requests sent to him To be able to accept or refuse a change of ownership, the user must be able to fetch them. This commit does the following: * Add an API to list ownership for a user * Add the query to database model * [#510] A user can validate an ownership requests sent to him - server The user can accept or refuse any ownership request that was sent to him. This commit focus only on the server part. This commit does the following: * Add an API for the user to accept or refuse a video ownership * Add validators to ensure security access * Add a query to load a specific video change ownership request * [#510] A user can validate an ownership requests sent to him - web The user can accept or refuse any ownership request that was sent to him. This commit focus only on the web part. This commit does the following: * Add a page to list user ownership changes * Add actions to accept or refuse them * When accepting, show a modal requiring the channel to send the video * Correct lint - to squash * [#510] PR reviews - to squash This commit does the following: * Search parameter for user autocompletion is required from middleware directly * [#510] PR reviews - to squash with creation in database commit This commit does the following: * Add the status attribute in model * Set this attribute on instance creation * Use AccountModel method `loadLocalByName` * [#510] PR reviews - to squash with fetch ownership This commit does the following: * Add the scope `FULL` for database queries with includes * Add classic pagination middlewares * [#510] PR reviews - to squash with ownership validation - server This commit does the following: * Add a middleware to validate whether a user can validate an ownership * Change the ownership status instead of deleting the row * [#510] PR reviews - to squash with ownership validation - client This commit does the following: * Correct indentation of html files with two-spaces indentation * Use event emitter instead of function for accept event * Update the sort of ownership change table for a decreasing order by creation date * Add the status in ownership change table * Use classic method syntax * code style - to squash * Add new user right - to squash * Move the change to my-account instead of video-watch - to squash As requested in pull-request, move the action to change ownership into my videos page. The rest of the logic was not really changed. This commit does the following: - Move the modal into my video page - Create the generic component `button` to keep some styles and logic * [#510] Add tests for the new feature To avoid regression, we add tests for all api of ownership change. This commit does the following: - Create an end-to-end test for ownership change - Divide it to one test per request * [#510] Do not send twice the same request to avoid spam We can send several time the same request to change ownership. However, it will spam the user. To avoid this, we do not save a request already existing in database. This commit does the following: - Check whether the request exist in database - Add tests to verify this new condition * [#510] Change icons Change icons so they remains logic with the rest of the application. This commit does the following: - Add svg for missing icons - Add icons in `my-button` component - Use these new icons * [#510] Add control about the user quota The user should be able to accept a new video only if his quota allows it. This commit does the following: - Update the middleware to control the quota - Add tests verifying the control * Correct merge - Use new modal system - Move button to new directory `buttons` * PR reviews - to squash
2018-09-04 01:57:13 -05:00
const userAutocompleteValidator = [
2022-08-17 07:58:40 -05:00
param('search')
.isString()
.not().isEmpty()
Users can change ownership of their video [#510] (#888) * [#510] Create a new route to get the list of user names To be able to transfer ownership to a user, we need to be able to select him from the list of users. Because the list could be too big, we add a autocomplete feature. This commit does the following: * Add a API endpoint to get a list of user names by searching its name * [#510] The user can choose the next owner of the video To be able to transfer ownership to a user, we need the owner to be able to select the user. The server can autocomplete the name of the user to give the ownership. We add a dialog for the user to actually select it. This commit does the following: * Create a modal for the owner to select the next one * Opens this modal with a button into the menu *more* * Make the dependency injection * [#510] When the user choose the next owner, create a request in database For the change of ownership to happen, we need to store the temporary requests. When the user make the request, save it to database. This commit does the following: * Create the model to persist change ownership requests * Add an API to manage ownership operations * Add a route to persist an ownership request * [#510] A user can fetch its ownership requests sent to him To be able to accept or refuse a change of ownership, the user must be able to fetch them. This commit does the following: * Add an API to list ownership for a user * Add the query to database model * [#510] A user can validate an ownership requests sent to him - server The user can accept or refuse any ownership request that was sent to him. This commit focus only on the server part. This commit does the following: * Add an API for the user to accept or refuse a video ownership * Add validators to ensure security access * Add a query to load a specific video change ownership request * [#510] A user can validate an ownership requests sent to him - web The user can accept or refuse any ownership request that was sent to him. This commit focus only on the web part. This commit does the following: * Add a page to list user ownership changes * Add actions to accept or refuse them * When accepting, show a modal requiring the channel to send the video * Correct lint - to squash * [#510] PR reviews - to squash This commit does the following: * Search parameter for user autocompletion is required from middleware directly * [#510] PR reviews - to squash with creation in database commit This commit does the following: * Add the status attribute in model * Set this attribute on instance creation * Use AccountModel method `loadLocalByName` * [#510] PR reviews - to squash with fetch ownership This commit does the following: * Add the scope `FULL` for database queries with includes * Add classic pagination middlewares * [#510] PR reviews - to squash with ownership validation - server This commit does the following: * Add a middleware to validate whether a user can validate an ownership * Change the ownership status instead of deleting the row * [#510] PR reviews - to squash with ownership validation - client This commit does the following: * Correct indentation of html files with two-spaces indentation * Use event emitter instead of function for accept event * Update the sort of ownership change table for a decreasing order by creation date * Add the status in ownership change table * Use classic method syntax * code style - to squash * Add new user right - to squash * Move the change to my-account instead of video-watch - to squash As requested in pull-request, move the action to change ownership into my videos page. The rest of the logic was not really changed. This commit does the following: - Move the modal into my video page - Create the generic component `button` to keep some styles and logic * [#510] Add tests for the new feature To avoid regression, we add tests for all api of ownership change. This commit does the following: - Create an end-to-end test for ownership change - Divide it to one test per request * [#510] Do not send twice the same request to avoid spam We can send several time the same request to change ownership. However, it will spam the user. To avoid this, we do not save a request already existing in database. This commit does the following: - Check whether the request exist in database - Add tests to verify this new condition * [#510] Change icons Change icons so they remains logic with the rest of the application. This commit does the following: - Add svg for missing icons - Add icons in `my-button` component - Use these new icons * [#510] Add control about the user quota The user should be able to accept a new video only if his quota allows it. This commit does the following: - Update the middleware to control the quota - Add tests verifying the control * Correct merge - Use new modal system - Move button to new directory `buttons` * PR reviews - to squash
2018-09-04 01:57:13 -05:00
]
const ensureAuthUserOwnsAccountValidator = [
2020-01-31 09:56:52 -06:00
(req: express.Request, res: express.Response, next: express.NextFunction) => {
const user = res.locals.oauth.token.User
if (res.locals.account.id !== user.Account.id) {
return res.fail({
status: HttpStatusCode.FORBIDDEN_403,
message: 'Only owner of this account can access this resource.'
2021-10-19 02:44:43 -05:00
})
}
return next()
}
]
2022-09-07 10:18:29 -05:00
const ensureCanManageChannelOrAccount = [
2021-10-19 02:44:43 -05:00
(req: express.Request, res: express.Response, next: express.NextFunction) => {
const user = res.locals.oauth.token.user
2022-09-07 10:18:29 -05:00
const account = res.locals.videoChannel?.Account ?? res.locals.account
const isUserOwner = account.userId === user.id
if (!isUserOwner && user.hasRight(UserRight.MANAGE_ANY_VIDEO_CHANNEL) === false) {
2022-09-07 10:18:29 -05:00
const message = `User ${user.username} does not have right this channel or account.`
2021-10-19 02:44:43 -05:00
return res.fail({
status: HttpStatusCode.FORBIDDEN_403,
message
})
}
return next()
}
]
2022-09-07 10:18:29 -05:00
const ensureCanModerateUser = [
2019-07-30 02:59:19 -05:00
(req: express.Request, res: express.Response, next: express.NextFunction) => {
const authUser = res.locals.oauth.token.User
const onUser = res.locals.user
if (authUser.role === UserRole.ADMINISTRATOR) return next()
if (authUser.role === UserRole.MODERATOR && onUser.role === UserRole.USER) return next()
return res.fail({
status: HttpStatusCode.FORBIDDEN_403,
2022-09-07 10:18:29 -05:00
message: 'A moderator can only manage users.'
})
2019-07-30 02:59:19 -05:00
}
]
// ---------------------------------------------------------------------------
2017-05-15 15:22:03 -05:00
export {
usersListValidator,
2017-05-15 15:22:03 -05:00
usersAddValidator,
2018-08-08 03:55:27 -05:00
deleteMeValidator,
2018-08-08 07:58:21 -05:00
usersBlockingValidator,
2017-05-15 15:22:03 -05:00
usersRemoveValidator,
usersUpdateValidator,
2017-09-05 14:29:39 -05:00
usersUpdateMeValidator,
usersVideoRatingValidator,
usersCheckCurrentPasswordFactory,
2017-12-29 12:10:13 -06:00
usersGetValidator,
usersVideosValidator,
2018-01-30 06:27:07 -06:00
usersAskResetPasswordValidator,
usersResetPasswordValidator,
userAutocompleteValidator,
2019-07-30 02:59:19 -05:00
ensureAuthUserOwnsAccountValidator,
2022-09-07 10:18:29 -05:00
ensureCanModerateUser,
ensureCanManageChannelOrAccount
2017-09-05 14:29:39 -05:00
}