Add ability to update another user video

This commit is contained in:
Chocobozzz 2018-02-22 09:03:45 +01:00
parent 9f4183c9b5
commit 6221f311de
No known key found for this signature in database
GPG Key ID: 583A612D890159BE
6 changed files with 39 additions and 27 deletions

View File

@ -88,6 +88,6 @@ export class VideoDetails extends Video implements VideoDetailsServerModel {
} }
isUpdatableBy (user: AuthUser) { isUpdatableBy (user: AuthUser) {
return user && this.isLocal === true && user.username === this.accountName return user && this.isLocal === true && (this.accountName === user.username || user.hasRight(UserRight.UPDATE_ANY_VIDEO))
} }
} }

View File

@ -53,9 +53,6 @@ export class VideoUpdateComponent extends FormReactive implements OnInit {
this.serverService.videoPrivaciesLoaded this.serverService.videoPrivaciesLoaded
.subscribe(() => this.videoPrivacies = this.serverService.getVideoPrivacies()) .subscribe(() => this.videoPrivacies = this.serverService.getVideoPrivacies())
populateAsyncUserVideoChannels(this.authService, this.userVideoChannels)
.catch(err => console.error('Cannot populate async user video channels.', err))
const uuid: string = this.route.snapshot.params['uuid'] const uuid: string = this.route.snapshot.params['uuid']
this.videoService.getVideo(uuid) this.videoService.getVideo(uuid)
.switchMap(video => { .switchMap(video => {
@ -67,6 +64,13 @@ export class VideoUpdateComponent extends FormReactive implements OnInit {
video => { video => {
this.video = new VideoEdit(video) this.video = new VideoEdit(video)
this.userVideoChannels = [
{
id: video.channel.id,
label: video.channel.displayName
}
]
// We cannot set private a video that was not private // We cannot set private a video that was not private
if (video.privacy !== VideoPrivacy.PRIVATE) { if (video.privacy !== VideoPrivacy.PRIVATE) {
const newVideoPrivacies = [] const newVideoPrivacies = []

View File

@ -130,18 +130,8 @@ const videosUpdateValidator = [
const video = res.locals.video const video = res.locals.video
// We need to make additional checks // Check if the user who did the request is able to update the video
if (video.isOwned() === false) { if (!checkUserCanManageVideo(res.locals.oauth.token.User, res.locals.video, UserRight.UPDATE_ANY_VIDEO, res)) return
return res.status(403)
.json({ error: 'Cannot update video of another server' })
.end()
}
if (video.VideoChannel.Account.userId !== res.locals.oauth.token.User.id) {
return res.status(403)
.json({ error: 'Cannot update video of another user' })
.end()
}
if (video.privacy !== VideoPrivacy.PRIVATE && req.body.privacy === VideoPrivacy.PRIVATE) { if (video.privacy !== VideoPrivacy.PRIVATE && req.body.privacy === VideoPrivacy.PRIVATE) {
return res.status(409) return res.status(409)
@ -198,7 +188,7 @@ const videosRemoveValidator = [
if (!await isVideoExist(req.params.id, res)) return if (!await isVideoExist(req.params.id, res)) return
// Check if the user who did the request is able to delete the video // Check if the user who did the request is able to delete the video
if (!checkUserCanDeleteVideo(res.locals.oauth.token.User, res.locals.video, res)) return if (!checkUserCanManageVideo(res.locals.oauth.token.User, res.locals.video, UserRight.REMOVE_ANY_VIDEO, res)) return
return next() return next()
} }
@ -282,7 +272,7 @@ export {
// --------------------------------------------------------------------------- // ---------------------------------------------------------------------------
function checkUserCanDeleteVideo (user: UserModel, video: VideoModel, res: express.Response) { function checkUserCanManageVideo (user: UserModel, video: VideoModel, right: UserRight, res: express.Response) {
// Retrieve the user who did the request // Retrieve the user who did the request
if (video.isOwned() === false) { if (video.isOwned() === false) {
res.status(403) res.status(403)
@ -295,7 +285,7 @@ function checkUserCanDeleteVideo (user: UserModel, video: VideoModel, res: expre
// The user can delete it if he has the right // The user can delete it if he has the right
// Or if s/he is the video's account // Or if s/he is the video's account
const account = video.VideoChannel.Account const account = video.VideoChannel.Account
if (user.hasRight(UserRight.REMOVE_ANY_VIDEO) === false && account.userId !== user.id) { if (user.hasRight(right) === false && account.userId !== user.id) {
res.status(403) res.status(403)
.json({ error: 'Cannot remove video of another user' }) .json({ error: 'Cannot remove video of another user' })
.end() .end()

View File

@ -16,7 +16,9 @@ const expect = chai.expect
describe('Test videos API validator', function () { describe('Test videos API validator', function () {
const path = '/api/v1/videos/' const path = '/api/v1/videos/'
let server: ServerInfo let server: ServerInfo
let userAccessToken = ''
let channelId: number let channelId: number
let videoId
// --------------------------------------------------------------- // ---------------------------------------------------------------
@ -29,6 +31,11 @@ describe('Test videos API validator', function () {
await setAccessTokensToServers([ server ]) await setAccessTokensToServers([ server ])
const username = 'user1'
const password = 'my super password'
await createUser(server.url, server.accessToken, username, password)
userAccessToken = await userLogin(server, { username, password })
const res = await getMyUserInformation(server.url, server.accessToken) const res = await getMyUserInformation(server.url, server.accessToken)
channelId = res.body.videoChannels[0].id channelId = res.body.videoChannels[0].id
}) })
@ -359,11 +366,10 @@ describe('Test videos API validator', function () {
privacy: VideoPrivacy.PUBLIC, privacy: VideoPrivacy.PUBLIC,
tags: [ 'tag1', 'tag2' ] tags: [ 'tag1', 'tag2' ]
} }
let videoId
before(async function () { before(async function () {
const res = await getVideosList(server.url) const res = await getVideosList(server.url)
videoId = res.body.data[0].id videoId = res.body.data[0].uuid
}) })
it('Should fail with nothing', async function () { it('Should fail with nothing', async function () {
@ -518,7 +524,11 @@ describe('Test videos API validator', function () {
}) })
}) })
it('Should fail with a video of another user') it('Should fail with a video of another user without the appropriate right', async function () {
const fields = baseCorrectParams
await makePutBodyRequest({ url: server.url, path: path + videoId, token: userAccessToken, fields, statusCodeExpected: 403 })
})
it('Should fail with a video of another server') it('Should fail with a video of another server')
@ -549,7 +559,9 @@ describe('Test videos API validator', function () {
await getVideo(server.url, '4da6fde3-88f7-4d16-b119-108df5630b06', 404) await getVideo(server.url, '4da6fde3-88f7-4d16-b119-108df5630b06', 404)
}) })
it('Should succeed with the correct parameters') it('Should succeed with the correct parameters', async function () {
await getVideo(server.url, videoId)
})
}) })
describe('When rating a video', function () { describe('When rating a video', function () {
@ -618,11 +630,15 @@ describe('Test videos API validator', function () {
await removeVideo(server.url, server.accessToken, '4da6fde3-88f7-4d16-b119-108df5630b06', 404) await removeVideo(server.url, server.accessToken, '4da6fde3-88f7-4d16-b119-108df5630b06', 404)
}) })
it('Should fail with a video of another user') it('Should fail with a video of another user without the appropriate right', async function () {
await removeVideo(server.url, userAccessToken, videoId, 403)
})
it('Should fail with a video of another server') it('Should fail with a video of another server')
it('Should succeed with the correct parameters') it('Should succeed with the correct parameters', async function () {
await removeVideo(server.url, server.accessToken, videoId)
})
}) })
after(async function () { after(async function () {

View File

@ -8,5 +8,6 @@ export enum UserRight {
MANAGE_CONFIGURATION, MANAGE_CONFIGURATION,
REMOVE_ANY_VIDEO, REMOVE_ANY_VIDEO,
REMOVE_ANY_VIDEO_CHANNEL, REMOVE_ANY_VIDEO_CHANNEL,
REMOVE_ANY_VIDEO_COMMENT REMOVE_ANY_VIDEO_COMMENT,
UPDATE_ANY_VIDEO
} }

View File

@ -25,7 +25,8 @@ const userRoleRights: { [ id: number ]: UserRight[] } = {
UserRight.MANAGE_VIDEO_ABUSES, UserRight.MANAGE_VIDEO_ABUSES,
UserRight.REMOVE_ANY_VIDEO, UserRight.REMOVE_ANY_VIDEO,
UserRight.REMOVE_ANY_VIDEO_CHANNEL, UserRight.REMOVE_ANY_VIDEO_CHANNEL,
UserRight.REMOVE_ANY_VIDEO_COMMENT UserRight.REMOVE_ANY_VIDEO_COMMENT,
UserRight.UPDATE_ANY_VIDEO
], ],
[UserRole.USER]: [] [UserRole.USER]: []