PeerTube/server/middlewares/validators/abuse.ts

import express from 'express'
import { body, param, query } from 'express-validator'
import {
  areAbusePredefinedReasonsValid,
  isAbuseFilterValid,
  isAbuseMessageValid,
  isAbuseModerationCommentValid,
  isAbusePredefinedReasonValid,
  isAbuseReasonValid,
  isAbuseStateValid,
  isAbuseTimestampCoherent,
  isAbuseTimestampValid,
  isAbuseVideoIsValid
} from '@server/helpers/custom-validators/abuses'
import { exists, isIdOrUUIDValid, isIdValid, toCompleteUUID, toIntOrNull } from '@server/helpers/custom-validators/misc'
import { logger } from '@server/helpers/logger'
import { AbuseMessageModel } from '@server/models/abuse/abuse-message'
import { AbuseCreate, UserRight } from '@shared/models'
import { HttpStatusCode } from '../../../shared/models/http/http-error-codes'
import { areValidationErrors, doesAbuseExist, doesAccountIdExist, doesCommentIdExist, doesVideoExist } from './shared'

const abuseReportValidator = [
  body('account.id')
    .optional()
    .custom(isIdValid)
    .withMessage('Should have a valid accountId'),

  body('video.id')
    .optional()
    .customSanitizer(toCompleteUUID)
    .custom(isIdOrUUIDValid)
    .withMessage('Should have a valid videoId'),
  body('video.startAt')
    .optional()
    .customSanitizer(toIntOrNull)
    .custom(isAbuseTimestampValid)
    .withMessage('Should have valid starting time value'),
  body('video.endAt')
    .optional()
    .customSanitizer(toIntOrNull)
    .custom(isAbuseTimestampValid)
    .withMessage('Should have valid ending time value')
    .bail()
    .custom(isAbuseTimestampCoherent)
    .withMessage('Should have a startAt timestamp beginning before endAt'),

  body('comment.id')
    .optional()
    .custom(isIdValid)
    .withMessage('Should have a valid commentId'),

  body('reason')
    .custom(isAbuseReasonValid)
    .withMessage('Should have a valid reason'),

  body('predefinedReasons')
    .optional()
    .custom(areAbusePredefinedReasonsValid)
    .withMessage('Should have a valid list of predefined reasons'),

  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking abuseReport parameters', { parameters: req.body })

    if (areValidationErrors(req, res)) return

    const body: AbuseCreate = req.body

    if (body.video?.id && !await doesVideoExist(body.video.id, res)) return
    if (body.account?.id && !await doesAccountIdExist(body.account.id, res)) return
    if (body.comment?.id && !await doesCommentIdExist(body.comment.id, res)) return

    if (!body.video?.id && !body.account?.id && !body.comment?.id) {
      res.fail({ message: 'video id or account id or comment id is required.' })
      return
    }

    return next()
  }
]

const abuseGetValidator = [
  param('id').custom(isIdValid).not().isEmpty().withMessage('Should have a valid id'),

  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking abuseGetValidator parameters', { parameters: req.body })

    if (areValidationErrors(req, res)) return
    if (!await doesAbuseExist(req.params.id, res)) return

    return next()
  }
]

const abuseUpdateValidator = [
  param('id').custom(isIdValid).not().isEmpty().withMessage('Should have a valid id'),

  body('state')
    .optional()
    .custom(isAbuseStateValid).withMessage('Should have a valid abuse state'),
  body('moderationComment')
    .optional()
    .custom(isAbuseModerationCommentValid).withMessage('Should have a valid moderation comment'),

  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking abuseUpdateValidator parameters', { parameters: req.body })

    if (areValidationErrors(req, res)) return
    if (!await doesAbuseExist(req.params.id, res)) return

    return next()
  }
]

const abuseListForAdminsValidator = [
  query('id')
    .optional()
    .custom(isIdValid).withMessage('Should have a valid id'),
  query('filter')
    .optional()
    .custom(isAbuseFilterValid)
    .withMessage('Should have a valid filter'),
  query('predefinedReason')
    .optional()
    .custom(isAbusePredefinedReasonValid)
    .withMessage('Should have a valid predefinedReason'),
  query('search')
    .optional()
    .custom(exists).withMessage('Should have a valid search'),
  query('state')
    .optional()
    .custom(isAbuseStateValid).withMessage('Should have a valid abuse state'),
  query('videoIs')
    .optional()
    .custom(isAbuseVideoIsValid).withMessage('Should have a valid "video is" attribute'),
  query('searchReporter')
    .optional()
    .custom(exists).withMessage('Should have a valid reporter search'),
  query('searchReportee')
    .optional()
    .custom(exists).withMessage('Should have a valid reportee search'),
  query('searchVideo')
    .optional()
    .custom(exists).withMessage('Should have a valid video search'),
  query('searchVideoChannel')
    .optional()
    .custom(exists).withMessage('Should have a valid video channel search'),

  (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking abuseListForAdminsValidator parameters', { parameters: req.body })

    if (areValidationErrors(req, res)) return

    return next()
  }
]

const abuseListForUserValidator = [
  query('id')
    .optional()
    .custom(isIdValid).withMessage('Should have a valid id'),

  query('search')
    .optional()
    .custom(exists).withMessage('Should have a valid search'),

  query('state')
    .optional()
    .custom(isAbuseStateValid).withMessage('Should have a valid abuse state'),

  (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking abuseListForUserValidator parameters', { parameters: req.body })

    if (areValidationErrors(req, res)) return

    return next()
  }
]

const getAbuseValidator = [
  param('id').custom(isIdValid).not().isEmpty().withMessage('Should have a valid id'),

  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking getAbuseValidator parameters', { parameters: req.body })

    if (areValidationErrors(req, res)) return
    if (!await doesAbuseExist(req.params.id, res)) return

    const user = res.locals.oauth.token.user
    const abuse = res.locals.abuse

    if (user.hasRight(UserRight.MANAGE_ABUSES) !== true && abuse.reporterAccountId !== user.Account.id) {
      const message = `User ${user.username} does not have right to get abuse ${abuse.id}`
      logger.warn(message)

      return res.fail({
        status: HttpStatusCode.FORBIDDEN_403,
        message
      })
    }

    return next()
  }
]

const checkAbuseValidForMessagesValidator = [
  (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking checkAbuseValidForMessagesValidator parameters', { parameters: req.body })

    const abuse = res.locals.abuse
    if (abuse.ReporterAccount.isOwned() === false) {
      return res.fail({ message: 'This abuse was created by a user of your instance.' })
    }

    return next()
  }
]

const addAbuseMessageValidator = [
  body('message').custom(isAbuseMessageValid).not().isEmpty().withMessage('Should have a valid abuse message'),

  (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking addAbuseMessageValidator parameters', { parameters: req.body })

    if (areValidationErrors(req, res)) return

    return next()
  }
]

const deleteAbuseMessageValidator = [
  param('messageId').custom(isIdValid).not().isEmpty().withMessage('Should have a valid message id'),

  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking deleteAbuseMessageValidator parameters', { parameters: req.body })

    if (areValidationErrors(req, res)) return

    const user = res.locals.oauth.token.user
    const abuse = res.locals.abuse

    const messageId = parseInt(req.params.messageId + '', 10)
    const abuseMessage = await AbuseMessageModel.loadByIdAndAbuseId(messageId, abuse.id)

    if (!abuseMessage) {
      return res.fail({
        status: HttpStatusCode.NOT_FOUND_404,
        message: 'Abuse message not found'
      })
    }

    if (user.hasRight(UserRight.MANAGE_ABUSES) !== true && abuseMessage.accountId !== user.Account.id) {
      return res.fail({
        status: HttpStatusCode.FORBIDDEN_403,
        message: 'Cannot delete this abuse message'
      })
    }

    res.locals.abuseMessage = abuseMessage

    return next()
  }
]

// ---------------------------------------------------------------------------

export {
  abuseListForAdminsValidator,
  abuseReportValidator,
  abuseGetValidator,
  addAbuseMessageValidator,
  checkAbuseValidForMessagesValidator,
  abuseUpdateValidator,
  deleteAbuseMessageValidator,
  abuseListForUserValidator,
  getAbuseValidator
}
esModuleInterop to true 2021-08-27 14:32:44 +02:00			`import express from 'express'`
Use 3 tables to represent abuses 2020-07-01 16:05:30 +02:00			`import { body, param, query } from 'express-validator'`
			`import {`
Remove deprecated abuse api 2020-11-10 14:41:20 +01:00			`areAbusePredefinedReasonsValid,`
Implement abuses check params 2020-07-07 10:57:04 +02:00			`isAbuseFilterValid,`
Add server API to abuse messages 2020-07-24 15:05:51 +02:00			`isAbuseMessageValid,`
Use 3 tables to represent abuses 2020-07-01 16:05:30 +02:00			`isAbuseModerationCommentValid,`
			`isAbusePredefinedReasonValid,`
			`isAbuseReasonValid,`
			`isAbuseStateValid,`
			`isAbuseTimestampCoherent,`
			`isAbuseTimestampValid,`
			`isAbuseVideoIsValid`
			`} from '@server/helpers/custom-validators/abuses'`
Support short uuid for GET video/playlist 2021-06-28 17:30:59 +02:00			`import { exists, isIdOrUUIDValid, isIdValid, toCompleteUUID, toIntOrNull } from '@server/helpers/custom-validators/misc'`
Use 3 tables to represent abuses 2020-07-01 16:05:30 +02:00			`import { logger } from '@server/helpers/logger'`
Add server API to abuse messages 2020-07-24 15:05:51 +02:00			`import { AbuseMessageModel } from '@server/models/abuse/abuse-message'`
			`import { AbuseCreate, UserRight } from '@shared/models'`
Refactor requests 2021-07-16 10:42:24 +02:00			`import { HttpStatusCode } from '../../../shared/models/http/http-error-codes'`
Move middleware utils in middlewares helpers modules should not import models 2021-06-03 17:33:44 +02:00			`import { areValidationErrors, doesAbuseExist, doesAccountIdExist, doesCommentIdExist, doesVideoExist } from './shared'`
Use 3 tables to represent abuses 2020-07-01 16:05:30 +02:00
			`const abuseReportValidator = [`
Implement abuses check params 2020-07-07 10:57:04 +02:00			`body('account.id')`
			`.optional()`
			`.custom(isIdValid)`
			`.withMessage('Should have a valid accountId'),`

			`body('video.id')`
			`.optional()`
Support short uuid for GET video/playlist 2021-06-28 17:30:59 +02:00			`.customSanitizer(toCompleteUUID)`
Use 3 tables to represent abuses 2020-07-01 16:05:30 +02:00			`.custom(isIdOrUUIDValid)`
			`.withMessage('Should have a valid videoId'),`
Implement abuses check params 2020-07-07 10:57:04 +02:00			`body('video.startAt')`
Use 3 tables to represent abuses 2020-07-01 16:05:30 +02:00			`.optional()`
			`.customSanitizer(toIntOrNull)`
			`.custom(isAbuseTimestampValid)`
			`.withMessage('Should have valid starting time value'),`
Implement abuses check params 2020-07-07 10:57:04 +02:00			`body('video.endAt')`
Use 3 tables to represent abuses 2020-07-01 16:05:30 +02:00			`.optional()`
			`.customSanitizer(toIntOrNull)`
			`.custom(isAbuseTimestampValid)`
			`.withMessage('Should have valid ending time value')`
			`.bail()`
			`.custom(isAbuseTimestampCoherent)`
			`.withMessage('Should have a startAt timestamp beginning before endAt'),`

Implement abuses check params 2020-07-07 10:57:04 +02:00			`body('comment.id')`
			`.optional()`
			`.custom(isIdValid)`
			`.withMessage('Should have a valid commentId'),`

			`body('reason')`
			`.custom(isAbuseReasonValid)`
			`.withMessage('Should have a valid reason'),`

			`body('predefinedReasons')`
			`.optional()`
Add server API to abuse messages 2020-07-24 15:05:51 +02:00			`.custom(areAbusePredefinedReasonsValid)`
Implement abuses check params 2020-07-07 10:57:04 +02:00			`.withMessage('Should have a valid list of predefined reasons'),`

Use 3 tables to represent abuses 2020-07-01 16:05:30 +02:00			`async (req: express.Request, res: express.Response, next: express.NextFunction) => {`
			`logger.debug('Checking abuseReport parameters', { parameters: req.body })`

			`if (areValidationErrors(req, res)) return`

Implement abuses check params 2020-07-07 10:57:04 +02:00			`const body: AbuseCreate = req.body`

			`if (body.video?.id && !await doesVideoExist(body.video.id, res)) return`
			`if (body.account?.id && !await doesAccountIdExist(body.account.id, res)) return`
			`if (body.comment?.id && !await doesCommentIdExist(body.comment.id, res)) return`

			`if (!body.video?.id && !body.account?.id && !body.comment?.id) {`
refactor API errors to standard error format 2021-06-01 01:36:53 +02:00			`res.fail({ message: 'video id or account id or comment id is required.' })`
Implement abuses check params 2020-07-07 10:57:04 +02:00			`return`
			`}`
Use 3 tables to represent abuses 2020-07-01 16:05:30 +02:00
			`return next()`
			`}`
			`]`

			`const abuseGetValidator = [`
			`param('id').custom(isIdValid).not().isEmpty().withMessage('Should have a valid id'),`

			`async (req: express.Request, res: express.Response, next: express.NextFunction) => {`
			`logger.debug('Checking abuseGetValidator parameters', { parameters: req.body })`

			`if (areValidationErrors(req, res)) return`
Implement abuses check params 2020-07-07 10:57:04 +02:00			`if (!await doesAbuseExist(req.params.id, res)) return`
Use 3 tables to represent abuses 2020-07-01 16:05:30 +02:00
			`return next()`
			`}`
			`]`

			`const abuseUpdateValidator = [`
			`param('id').custom(isIdValid).not().isEmpty().withMessage('Should have a valid id'),`
Implement abuses check params 2020-07-07 10:57:04 +02:00
Use 3 tables to represent abuses 2020-07-01 16:05:30 +02:00			`body('state')`
			`.optional()`
Implement abuses check params 2020-07-07 10:57:04 +02:00			`.custom(isAbuseStateValid).withMessage('Should have a valid abuse state'),`
Use 3 tables to represent abuses 2020-07-01 16:05:30 +02:00			`body('moderationComment')`
			`.optional()`
Implement abuses check params 2020-07-07 10:57:04 +02:00			`.custom(isAbuseModerationCommentValid).withMessage('Should have a valid moderation comment'),`
Use 3 tables to represent abuses 2020-07-01 16:05:30 +02:00
			`async (req: express.Request, res: express.Response, next: express.NextFunction) => {`
			`logger.debug('Checking abuseUpdateValidator parameters', { parameters: req.body })`

			`if (areValidationErrors(req, res)) return`
Implement abuses check params 2020-07-07 10:57:04 +02:00			`if (!await doesAbuseExist(req.params.id, res)) return`
Use 3 tables to represent abuses 2020-07-01 16:05:30 +02:00
			`return next()`
			`}`
			`]`

Add server API to abuse messages 2020-07-24 15:05:51 +02:00			`const abuseListForAdminsValidator = [`
Use 3 tables to represent abuses 2020-07-01 16:05:30 +02:00			`query('id')`
			`.optional()`
			`.custom(isIdValid).withMessage('Should have a valid id'),`
Implement abuses check params 2020-07-07 10:57:04 +02:00			`query('filter')`
			`.optional()`
			`.custom(isAbuseFilterValid)`
			`.withMessage('Should have a valid filter'),`
Use 3 tables to represent abuses 2020-07-01 16:05:30 +02:00			`query('predefinedReason')`
			`.optional()`
			`.custom(isAbusePredefinedReasonValid)`
			`.withMessage('Should have a valid predefinedReason'),`
			`query('search')`
			`.optional()`
			`.custom(exists).withMessage('Should have a valid search'),`
			`query('state')`
			`.optional()`
Add new abuses tests 2020-07-08 15:51:46 +02:00			`.custom(isAbuseStateValid).withMessage('Should have a valid abuse state'),`
Use 3 tables to represent abuses 2020-07-01 16:05:30 +02:00			`query('videoIs')`
			`.optional()`
			`.custom(isAbuseVideoIsValid).withMessage('Should have a valid "video is" attribute'),`
			`query('searchReporter')`
			`.optional()`
			`.custom(exists).withMessage('Should have a valid reporter search'),`
			`query('searchReportee')`
			`.optional()`
			`.custom(exists).withMessage('Should have a valid reportee search'),`
			`query('searchVideo')`
			`.optional()`
			`.custom(exists).withMessage('Should have a valid video search'),`
			`query('searchVideoChannel')`
			`.optional()`
			`.custom(exists).withMessage('Should have a valid video channel search'),`

			`(req: express.Request, res: express.Response, next: express.NextFunction) => {`
Add server API to abuse messages 2020-07-24 15:05:51 +02:00			`logger.debug('Checking abuseListForAdminsValidator parameters', { parameters: req.body })`
Use 3 tables to represent abuses 2020-07-01 16:05:30 +02:00
			`if (areValidationErrors(req, res)) return`

			`return next()`
			`}`
			`]`

Add server API to abuse messages 2020-07-24 15:05:51 +02:00			`const abuseListForUserValidator = [`
			`query('id')`
			`.optional()`
			`.custom(isIdValid).withMessage('Should have a valid id'),`

			`query('search')`
			`.optional()`
			`.custom(exists).withMessage('Should have a valid search'),`

			`query('state')`
			`.optional()`
			`.custom(isAbuseStateValid).withMessage('Should have a valid abuse state'),`

			`(req: express.Request, res: express.Response, next: express.NextFunction) => {`
			`logger.debug('Checking abuseListForUserValidator parameters', { parameters: req.body })`

			`if (areValidationErrors(req, res)) return`

			`return next()`
			`}`
			`]`

			`const getAbuseValidator = [`
			`param('id').custom(isIdValid).not().isEmpty().withMessage('Should have a valid id'),`

			`async (req: express.Request, res: express.Response, next: express.NextFunction) => {`
			`logger.debug('Checking getAbuseValidator parameters', { parameters: req.body })`

			`if (areValidationErrors(req, res)) return`
			`if (!await doesAbuseExist(req.params.id, res)) return`

			`const user = res.locals.oauth.token.user`
			`const abuse = res.locals.abuse`

			`if (user.hasRight(UserRight.MANAGE_ABUSES) !== true && abuse.reporterAccountId !== user.Account.id) {`
			const message = `User ${user.username} does not have right to get abuse ${abuse.id}`
			`logger.warn(message)`

refactor API errors to standard error format 2021-06-01 01:36:53 +02:00			`return res.fail({`
			`status: HttpStatusCode.FORBIDDEN_403,`
			`message`
			`})`
Add server API to abuse messages 2020-07-24 15:05:51 +02:00			`}`

			`return next()`
			`}`
			`]`

Add abuse messages management in my account 2020-07-27 11:40:30 +02:00			`const checkAbuseValidForMessagesValidator = [`
			`(req: express.Request, res: express.Response, next: express.NextFunction) => {`
			`logger.debug('Checking checkAbuseValidForMessagesValidator parameters', { parameters: req.body })`

			`const abuse = res.locals.abuse`
			`if (abuse.ReporterAccount.isOwned() === false) {`
refactor API errors to standard error format 2021-06-01 01:36:53 +02:00			`return res.fail({ message: 'This abuse was created by a user of your instance.' })`
Add abuse messages management in my account 2020-07-27 11:40:30 +02:00			`}`

			`return next()`
			`}`
			`]`

Add server API to abuse messages 2020-07-24 15:05:51 +02:00			`const addAbuseMessageValidator = [`
			`body('message').custom(isAbuseMessageValid).not().isEmpty().withMessage('Should have a valid abuse message'),`

			`(req: express.Request, res: express.Response, next: express.NextFunction) => {`
			`logger.debug('Checking addAbuseMessageValidator parameters', { parameters: req.body })`

			`if (areValidationErrors(req, res)) return`

			`return next()`
			`}`
			`]`

			`const deleteAbuseMessageValidator = [`
			`param('messageId').custom(isIdValid).not().isEmpty().withMessage('Should have a valid message id'),`

			`async (req: express.Request, res: express.Response, next: express.NextFunction) => {`
			`logger.debug('Checking deleteAbuseMessageValidator parameters', { parameters: req.body })`

			`if (areValidationErrors(req, res)) return`

			`const user = res.locals.oauth.token.user`
			`const abuse = res.locals.abuse`

			`const messageId = parseInt(req.params.messageId + '', 10)`
			`const abuseMessage = await AbuseMessageModel.loadByIdAndAbuseId(messageId, abuse.id)`

			`if (!abuseMessage) {`
refactor API errors to standard error format 2021-06-01 01:36:53 +02:00			`return res.fail({`
			`status: HttpStatusCode.NOT_FOUND_404,`
			`message: 'Abuse message not found'`
			`})`
Add server API to abuse messages 2020-07-24 15:05:51 +02:00			`}`

			`if (user.hasRight(UserRight.MANAGE_ABUSES) !== true && abuseMessage.accountId !== user.Account.id) {`
refactor API errors to standard error format 2021-06-01 01:36:53 +02:00			`return res.fail({`
			`status: HttpStatusCode.FORBIDDEN_403,`
			`message: 'Cannot delete this abuse message'`
			`})`
Add server API to abuse messages 2020-07-24 15:05:51 +02:00			`}`

			`res.locals.abuseMessage = abuseMessage`

			`return next()`
			`}`
			`]`

Use 3 tables to represent abuses 2020-07-01 16:05:30 +02:00			`// ---------------------------------------------------------------------------`

			`export {`
Add server API to abuse messages 2020-07-24 15:05:51 +02:00			`abuseListForAdminsValidator,`
Use 3 tables to represent abuses 2020-07-01 16:05:30 +02:00			`abuseReportValidator,`
			`abuseGetValidator,`
Add server API to abuse messages 2020-07-24 15:05:51 +02:00			`addAbuseMessageValidator,`
Add abuse messages management in my account 2020-07-27 11:40:30 +02:00			`checkAbuseValidForMessagesValidator,`
Use 3 tables to represent abuses 2020-07-01 16:05:30 +02:00			`abuseUpdateValidator,`
Add server API to abuse messages 2020-07-24 15:05:51 +02:00			`deleteAbuseMessageValidator,`
			`abuseListForUserValidator,`
Remove deprecated abuse api 2020-11-10 14:41:20 +01:00			`getAbuseValidator`
Use 3 tables to represent abuses 2020-07-01 16:05:30 +02:00			`}`