mirror of
https://github.com/Chocobozzz/PeerTube.git
synced 2025-10-03 09:49:20 +02:00
334ad174a9
Use a more robust approach by requiring the caller to choose if it needs to check the actor is local and/or the user can manage it
29 lines
1.1 KiB
TypeScript
29 lines
1.1 KiB
TypeScript
import { BulkRemoveCommentsOfBody, HttpStatusCode, UserRight } from '@peertube/peertube-models'
|
|
import { isBulkRemoveCommentsOfScopeValid } from '@server/helpers/custom-validators/bulk.js'
|
|
import express from 'express'
|
|
import { body } from 'express-validator'
|
|
import { areValidationErrors, doesAccountHandleExist } from './shared/index.js'
|
|
|
|
export const bulkRemoveCommentsOfValidator = [
|
|
body('accountName')
|
|
.exists(),
|
|
body('scope')
|
|
.custom(isBulkRemoveCommentsOfScopeValid),
|
|
|
|
async (req: express.Request, res: express.Response, next: express.NextFunction) => {
|
|
if (areValidationErrors(req, res)) return
|
|
if (!await doesAccountHandleExist({ handle: req.body.accountName, res, checkIsLocal: false, checkManage: false })) return
|
|
|
|
const user = res.locals.oauth.token.User
|
|
const body = req.body as BulkRemoveCommentsOfBody
|
|
|
|
if (body.scope === 'instance' && user.hasRight(UserRight.MANAGE_ANY_VIDEO_COMMENT) !== true) {
|
|
return res.fail({
|
|
status: HttpStatusCode.FORBIDDEN_403,
|
|
message: 'User cannot remove any comments of this instance.'
|
|
})
|
|
}
|
|
|
|
return next()
|
|
}
|
|
]
|