X-Git-Url: https://git.librecmc.org/?p=oweals%2Fpeertube.git;a=blobdiff_plain;f=server%2Fmiddlewares%2Fvalidators%2Fvideos%2Fvideo-comments.ts;h=ef019fcf915f126f622c4c3df08d7dec00fe21c5;hp=da2fafb10aaa32d6033244187b2fda2c5a72367a;hb=26d6bf6533023326fa017812cf31bbe20c752d36;hpb=a3b7421abb4192e215aa280418b62e96958c5e42

diff --git a/server/middlewares/validators/videos/video-comments.ts b/server/middlewares/validators/videos/video-comments.ts
index da2fafb10..ef019fcf9 100644
--- a/server/middlewares/validators/videos/video-comments.ts
+++ b/server/middlewares/validators/videos/video-comments.ts
@@ -1,16 +1,16 @@
 import * as express from 'express'
 import { body, param } from 'express-validator'
+import { MUserAccountUrl } from '@server/types/models'
 import { UserRight } from '../../../../shared'
 import { isIdOrUUIDValid, isIdValid } from '../../../helpers/custom-validators/misc'
 import { isValidVideoCommentText } from '../../../helpers/custom-validators/video-comments'
 import { logger } from '../../../helpers/logger'
+import { doesVideoExist } from '../../../helpers/middlewares'
+import { AcceptResult, isLocalVideoCommentReplyAccepted, isLocalVideoThreadAccepted } from '../../../lib/moderation'
+import { Hooks } from '../../../lib/plugins/hooks'
 import { VideoCommentModel } from '../../../models/video/video-comment'
+import { MCommentOwnerVideoReply, MVideo, MVideoFullLight, MVideoId } from '../../../types/models/video'
 import { areValidationErrors } from '../utils'
-import { Hooks } from '../../../lib/plugins/hooks'
-import { AcceptResult, isLocalVideoCommentReplyAccepted, isLocalVideoThreadAccepted } from '../../../lib/moderation'
-import { doesVideoExist } from '../../../helpers/middlewares'
-import { MCommentOwner, MVideo, MVideoFullLight, MVideoId } from '../../../typings/models/video'
-import { MUser } from '@server/typings/models'
 
 const listVideoCommentThreadsValidator = [
   param('videoId').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid videoId'),
@@ -188,7 +188,7 @@ function isVideoCommentsEnabled (video: MVideo, res: express.Response) {
   return true
 }
 
-function checkUserCanDeleteVideoComment (user: MUser, videoComment: MCommentOwner, res: express.Response) {
+function checkUserCanDeleteVideoComment (user: MUserAccountUrl, videoComment: MCommentOwnerVideoReply, res: express.Response) {
   if (videoComment.isDeleted()) {
     res.status(409)
       .json({ error: 'This comment is already deleted' })
@@ -196,11 +196,16 @@ function checkUserCanDeleteVideoComment (user: MUser, videoComment: MCommentOwne
     return false
   }
 
-  const account = videoComment.Account
-  if (user.hasRight(UserRight.REMOVE_ANY_VIDEO_COMMENT) === false && account.userId !== user.id) {
+  const userAccount = user.Account
+
+  if (
+    user.hasRight(UserRight.REMOVE_ANY_VIDEO_COMMENT) === false && // Not a moderator
+    videoComment.accountId !== userAccount.id && // Not the comment owner
+    videoComment.Video.VideoChannel.accountId !== userAccount.id // Not the video owner
+  ) {
     res.status(403)
       .json({ error: 'Cannot remove video comment of another user' })
-      .end()
+
     return false
   }