import { Hooks } from '../../../lib/plugins/hooks'
import { AcceptResult, isLocalVideoCommentReplyAccepted, isLocalVideoThreadAccepted } from '../../../lib/moderation'
import { doesVideoExist } from '../../../helpers/middlewares'
-import { MCommentOwner, MVideo, MVideoFullLight, MVideoId } from '../../../typings/models/video'
-import { MUser } from '@server/typings/models'
+import { MCommentOwner, MVideo, MVideoFullLight, MVideoId, MCommentOwnerVideoReply } from '../../../typings/models/video'
+import { MUser, MUserAccountUrl } from '@server/typings/models'
const listVideoCommentThreadsValidator = [
param('videoId').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid videoId'),
return true
}
-function checkUserCanDeleteVideoComment (user: MUser, videoComment: MCommentOwner, res: express.Response) {
+function checkUserCanDeleteVideoComment (user: MUserAccountUrl, videoComment: MCommentOwnerVideoReply, res: express.Response) {
if (videoComment.isDeleted()) {
res.status(409)
.json({ error: 'This comment is already deleted' })
return false
}
- const account = videoComment.Account
- if (user.hasRight(UserRight.REMOVE_ANY_VIDEO_COMMENT) === false && account.userId !== user.id) {
+ const userAccount = user.Account
+
+ if (
+ user.hasRight(UserRight.REMOVE_ANY_VIDEO_COMMENT) === false && // Not a moderator
+ videoComment.accountId !== userAccount.id && // Not the comment owner
+ videoComment.Video.VideoChannel.accountId !== userAccount.id // Not the video owner
+ ) {
res.status(403)
.json({ error: 'Cannot remove video comment of another user' })
- .end()
+
return false
}
let server: ServerInfo
let videoUUID: string
let userAccessToken: string
+ let userAccessToken2: string
let commentId: number
// ---------------------------------------------------------------
}
{
- const user = {
- username: 'user1',
- password: 'my super password'
- }
+ const user = { username: 'user1', password: 'my super password' }
await createUser({ url: server.url, accessToken: server.accessToken, username: user.username, password: user.password })
userAccessToken = await userLogin(server, user)
}
+
+ {
+ const user = { username: 'user2', password: 'my super password' }
+ await createUser({ url: server.url, accessToken: server.accessToken, username: user.username, password: user.password })
+ userAccessToken2 = await userLogin(server, user)
+ }
})
describe('When listing video comment threads', function () {
await makeDeleteRequest({ url: server.url, path, token: server.accessToken, statusCodeExpected: 404 })
})
+ it('Should succeed with the same user', async function () {
+ let commentToDelete: number
+
+ {
+ const res = await addVideoCommentThread(server.url, userAccessToken, videoUUID, 'hello')
+ commentToDelete = res.body.comment.id
+ }
+
+ const path = '/api/v1/videos/' + videoUUID + '/comments/' + commentToDelete
+
+ await makeDeleteRequest({ url: server.url, path, token: userAccessToken2, statusCodeExpected: 403 })
+ await makeDeleteRequest({ url: server.url, path, token: userAccessToken, statusCodeExpected: 204 })
+ })
+
+ it('Should succeed with the owner of the video', async function () {
+ let commentToDelete: number
+ let anotherVideoUUID: string
+
+ {
+ const res = await uploadVideo(server.url, userAccessToken, { name: 'video' })
+ anotherVideoUUID = res.body.video.uuid
+ }
+
+ {
+ const res = await addVideoCommentThread(server.url, server.accessToken, anotherVideoUUID, 'hello')
+ commentToDelete = res.body.comment.id
+ }
+
+ const path = '/api/v1/videos/' + anotherVideoUUID + '/comments/' + commentToDelete
+
+ await makeDeleteRequest({ url: server.url, path, token: userAccessToken2, statusCodeExpected: 403 })
+ await makeDeleteRequest({ url: server.url, path, token: userAccessToken, statusCodeExpected: 204 })
+ })
+
it('Should succeed with the correct parameters', async function () {
await makeDeleteRequest({ url: server.url, path: pathComment, token: server.accessToken, statusCodeExpected: 204 })
})
projects / oweals / peertube.git / commitdiff