Fix channel sync right check

Chocobozzz 2022-09-07 17:18:29 +02:00
parent 8b69f9f028
commit d4d9bbc6f2
No known key found for this signature in database
GPG Key ID: 583A612D890159BE
5 changed files with 28 additions and 27 deletions


@ -3,6 +3,7 @@ import { pickCommonVideoQuery } from '@server/helpers/query'
import { ActorFollowModel } from '@server/models/actor/actor-follow'
import { getServerActor } from '@server/models/application/application'
import { guessAdditionalAttributesFromQuery } from '@server/models/video/formatter/video-format-utils'
import { VideoChannelSyncModel } from '@server/models/video/video-channel-sync'
import { buildNSFWFilter, getCountVideos, isUserAbleToSearchRemoteURI } from '../../helpers/express-utils'
import { getFormattedObjects } from '../../helpers/utils'
import { JobQueue } from '../../lib/job-queue'
@ -25,7 +26,7 @@ import {
accountsFollowersSortValidator,
accountsSortValidator,
ensureAuthUserOwnsAccountValidator,
ensureCanManageUser,
ensureCanManageChannelOrAccount,
videoChannelsSortValidator,
videoChannelStatsValidator,
videoChannelSyncsSortValidator,
@ -37,7 +38,6 @@ import { AccountVideoRateModel } from '../../models/account/account-video-rate'
import { VideoModel } from '../../models/video/video'
import { VideoChannelModel } from '../../models/video/video-channel'
import { VideoPlaylistModel } from '../../models/video/video-playlist'
import { VideoChannelSyncModel } from '@server/models/video/video-channel-sync'
const accountsRouter = express.Router()
@ -78,7 +78,7 @@ accountsRouter.get('/:accountName/video-channels',
accountsRouter.get('/:accountName/video-channel-syncs',
authenticate,
asyncMiddleware(accountNameWithHostGetValidator),
ensureCanManageUser,
ensureCanManageChannelOrAccount,
paginationValidator,
videoChannelSyncsSortValidator,
setDefaultSort,
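Review bot: The `/:accountName/video-channel-syncs` route is the one place where this commit changes who is authorized, yet none of the five changed files appears to be a test (file names are not shown on this page), so the corrected check has no regression coverage here. A test that requests another account's syncs as a plain user (expect 403), and as the owner and as a user holding `MANAGE_ANY_VIDEO_CHANNEL` (expect 200), would pin the behaviour. On this route the guard falls back to `res.locals.account`, which presumably comes from `accountNameWithHostGetValidator`; a short comment on the route such as `// Account owner, or a user with MANAGE_ANY_VIDEO_CHANNEL` would record that dependency. The route definition continues outside the hunk.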


@ -36,7 +36,7 @@ import {
usersUpdateValidator
} from '../../../middlewares'
import {
ensureCanManageUser,
ensureCanModerateUser,
usersAskResetPasswordValidator,
usersAskSendVerifyEmailValidator,
usersBlockingValidator,
@ -95,14 +95,14 @@ usersRouter.post('/:id/block',
authenticate,
ensureUserHasRight(UserRight.MANAGE_USERS),
asyncMiddleware(usersBlockingValidator),
ensureCanManageUser,
ensureCanModerateUser,
asyncMiddleware(blockUser)
)
usersRouter.post('/:id/unblock',
authenticate,
ensureUserHasRight(UserRight.MANAGE_USERS),
asyncMiddleware(usersBlockingValidator),
ensureCanManageUser,
ensureCanModerateUser,
asyncMiddleware(unblockUser)
)
@ -132,7 +132,7 @@ usersRouter.put('/:id',
authenticate,
ensureUserHasRight(UserRight.MANAGE_USERS),
asyncMiddleware(usersUpdateValidator),
ensureCanManageUser,
ensureCanModerateUser,
asyncMiddleware(updateUser)
)
@ -140,7 +140,7 @@ usersRouter.delete('/:id',
authenticate,
ensureUserHasRight(UserRight.MANAGE_USERS),
asyncMiddleware(usersRemoveValidator),
ensureCanManageUser,
ensureCanModerateUser,
asyncMiddleware(removeUser)
)


@ -5,7 +5,7 @@ import {
asyncMiddleware,
asyncRetryTransactionMiddleware,
authenticate,
ensureCanManageChannel as ensureCanManageSyncedChannel,
ensureCanManageChannelOrAccount,
ensureSyncExists,
ensureSyncIsEnabled,
videoChannelSyncValidator
@ -21,14 +21,14 @@ videoChannelSyncRouter.post('/',
authenticate,
ensureSyncIsEnabled,
asyncMiddleware(videoChannelSyncValidator),
ensureCanManageSyncedChannel,
ensureCanManageChannelOrAccount,
asyncRetryTransactionMiddleware(createVideoChannelSync)
)
videoChannelSyncRouter.delete('/:id',
authenticate,
asyncMiddleware(ensureSyncExists),
ensureCanManageSyncedChannel,
ensureCanManageChannelOrAccount,
asyncRetryTransactionMiddleware(removeVideoChannelSync)
)


@ -23,7 +23,7 @@ import {
asyncRetryTransactionMiddleware,
authenticate,
commonVideosFiltersValidator,
ensureCanManageChannel,
ensureCanManageChannelOrAccount,
optionalAuthenticate,
paginationValidator,
setDefaultPagination,
@ -77,7 +77,7 @@ videoChannelRouter.post('/:nameWithHost/avatar/pick',
reqAvatarFile,
asyncMiddleware(videoChannelsNameWithHostValidator),
ensureIsLocalChannel,
ensureCanManageChannel,
ensureCanManageChannelOrAccount,
updateAvatarValidator,
asyncMiddleware(updateVideoChannelAvatar)
)
@ -87,7 +87,7 @@ videoChannelRouter.post('/:nameWithHost/banner/pick',
reqBannerFile,
asyncMiddleware(videoChannelsNameWithHostValidator),
ensureIsLocalChannel,
ensureCanManageChannel,
ensureCanManageChannelOrAccount,
updateBannerValidator,
asyncMiddleware(updateVideoChannelBanner)
)
@ -96,7 +96,7 @@ videoChannelRouter.delete('/:nameWithHost/avatar',
authenticate,
asyncMiddleware(videoChannelsNameWithHostValidator),
ensureIsLocalChannel,
ensureCanManageChannel,
ensureCanManageChannelOrAccount,
asyncMiddleware(deleteVideoChannelAvatar)
)
@ -104,7 +104,7 @@ videoChannelRouter.delete('/:nameWithHost/banner',
authenticate,
asyncMiddleware(videoChannelsNameWithHostValidator),
ensureIsLocalChannel,
ensureCanManageChannel,
ensureCanManageChannelOrAccount,
asyncMiddleware(deleteVideoChannelBanner)
)
@ -112,7 +112,7 @@ videoChannelRouter.put('/:nameWithHost',
authenticate,
asyncMiddleware(videoChannelsNameWithHostValidator),
ensureIsLocalChannel,
ensureCanManageChannel,
ensureCanManageChannelOrAccount,
videoChannelsUpdateValidator,
asyncRetryTransactionMiddleware(updateVideoChannel)
)
@ -121,7 +121,7 @@ videoChannelRouter.delete('/:nameWithHost',
authenticate,
asyncMiddleware(videoChannelsNameWithHostValidator),
ensureIsLocalChannel,
ensureCanManageChannel,
ensureCanManageChannelOrAccount,
asyncMiddleware(videoChannelsRemoveValidator),
asyncRetryTransactionMiddleware(removeVideoChannel)
)
@ -155,7 +155,7 @@ videoChannelRouter.get('/:nameWithHost/videos',
videoChannelRouter.get('/:nameWithHost/followers',
authenticate,
asyncMiddleware(videoChannelsNameWithHostValidator),
ensureCanManageChannel,
ensureCanManageChannelOrAccount,
paginationValidator,
videoChannelsFollowersSortValidator,
setDefaultSort,
@ -168,7 +168,7 @@ videoChannelRouter.post('/:nameWithHost/import-videos',
asyncMiddleware(videoChannelsNameWithHostValidator),
asyncMiddleware(videoChannelImportVideosValidator),
ensureIsLocalChannel,
ensureCanManageChannel,
ensureCanManageChannelOrAccount,
asyncMiddleware(ensureChannelOwnerCanUpload),
asyncMiddleware(importVideosInChannel)
)


@ -507,13 +507,14 @@ const ensureAuthUserOwnsAccountValidator = [
}
]
const ensureCanManageChannel = [
const ensureCanManageChannelOrAccount = [
(req: express.Request, res: express.Response, next: express.NextFunction) => {
const user = res.locals.oauth.token.user
const isUserOwner = res.locals.videoChannel.Account.userId === user.id
const account = res.locals.videoChannel?.Account ?? res.locals.account
const isUserOwner = account.userId === user.id
if (!isUserOwner && user.hasRight(UserRight.MANAGE_ANY_VIDEO_CHANNEL) === false) {
const message = `User ${user.username} does not have right to manage channel ${req.params.nameWithHost}.`
const message = `User ${user.username} does not have right this channel or account.`
return res.fail({
status: HttpStatusCode.FORBIDDEN_403,
@ -525,7 +526,7 @@ const ensureCanManageChannel = [
}
]
const ensureCanManageUser = [
const ensureCanModerateUser = [
(req: express.Request, res: express.Response, next: express.NextFunction) => {
const authUser = res.locals.oauth.token.User
const onUser = res.locals.user
@ -535,7 +536,7 @@ const ensureCanManageUser = [
return res.fail({
status: HttpStatusCode.FORBIDDEN_403,
message: 'A moderator can only manager users.'
message: 'A moderator can only manage users.'
})
}
]
@ -562,8 +563,8 @@ export {
usersVerifyEmailValidator,
userAutocompleteValidator,
ensureAuthUserOwnsAccountValidator,
ensureCanManageUser,
ensureCanManageChannel
ensureCanModerateUser,
ensureCanManageChannelOrAccount
}
// ---------------------------------------------------------------------------
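Review bot: In `ensureCanManageChannelOrAccount`, `account` is undefined whenever no earlier middleware populated `res.locals.videoChannel` or `res.locals.account`, so `account.userId` throws and the request presumably ends in the generic error handler instead of an explicit denial. Because this guard is now shared by channel, sync and account routes, a check before the ownership comparison would make that dependency visible and keep the failure closed, e.g. `if (!account) return res.fail({ status: HttpStatusCode.FORBIDDEN_403, message: 'No channel or account to check rights on.' })`. The new denial message lost its verb and no longer names the target, which makes it less useful in logs; `does not have the right to manage this channel or account.` reads correctly. This middleware reads `token.user` while `ensureCanModerateUser` below it reads `token.User`; both may be valid, but using one spelling would remove the doubt. Both function bodies continue outside the hunks shown.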