Add ability for video owners to delete comments

2020-05-05 17:22:11 +02:00 · 2020-05-05 17:22:11 +02:00 · fde37dc99c
commit fde37dc99c
parent 298b3fd315
3 changed files with 54 additions and 10 deletions
--- a/client/src/app/videos/+video-watch/comment/video-comment.component.ts
+++ b/client/src/app/videos/+video-watch/comment/video-comment.component.ts
@ -98,6 +98,7 @@ export class VideoCommentComponent implements OnInit, OnChanges {
    return this.comment.account && this.isUserLoggedIn() &&
      (
        this.user.account.id === this.comment.account.id ||
+        this.user.account.id === this.video.account.id ||
        this.user.hasRight(UserRight.REMOVE_ANY_VIDEO_COMMENT)
      )
  }
--- a/server/middlewares/validators/videos/video-comments.ts
+++ b/server/middlewares/validators/videos/video-comments.ts
@ -9,8 +9,8 @@ import { areValidationErrors } from '../utils'
 import { Hooks } from '../../../lib/plugins/hooks'
 import { AcceptResult, isLocalVideoCommentReplyAccepted, isLocalVideoThreadAccepted } from '../../../lib/moderation'
 import { doesVideoExist } from '../../../helpers/middlewares'
-import { MCommentOwner, MVideo, MVideoFullLight, MVideoId } from '../../../typings/models/video'
-import { MUser } from '@server/typings/models'
+import { MCommentOwner, MVideo, MVideoFullLight, MVideoId, MCommentOwnerVideoReply } from '../../../typings/models/video'
+import { MUser, MUserAccountUrl } from '@server/typings/models'

 const listVideoCommentThreadsValidator = [
  param('videoId').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid videoId'),
@ -188,7 +188,7 @@ function isVideoCommentsEnabled (video: MVideo, res: express.Response) {
  return true
 }

-function checkUserCanDeleteVideoComment (user: MUser, videoComment: MCommentOwner, res: express.Response) {
+function checkUserCanDeleteVideoComment (user: MUserAccountUrl, videoComment: MCommentOwnerVideoReply, res: express.Response) {
  if (videoComment.isDeleted()) {
    res.status(409)
      .json({ error: 'This comment is already deleted' })
@ -196,11 +196,16 @@ function checkUserCanDeleteVideoComment (user: MUser, videoComment: MCommentOwne
    return false
  }

-  const account = videoComment.Account
-  if (user.hasRight(UserRight.REMOVE_ANY_VIDEO_COMMENT) === false && account.userId !== user.id) {
+  const userAccount = user.Account
+
+  if (
+    user.hasRight(UserRight.REMOVE_ANY_VIDEO_COMMENT) === false && // Not a moderator
+    videoComment.accountId !== userAccount.id && // Not the comment owner
+    videoComment.Video.VideoChannel.accountId !== userAccount.id // Not the video owner
+  ) {
    res.status(403)
      .json({ error: 'Cannot remove video comment of another user' })
-      .end()
+
    return false
  }

--- a/server/tests/api/check-params/video-comments.ts
+++ b/server/tests/api/check-params/video-comments.ts
@ -29,6 +29,7 @@ describe('Test video comments API validator', function () {
  let server: ServerInfo
  let videoUUID: string
  let userAccessToken: string
+  let userAccessToken2: string
  let commentId: number

  // ---------------------------------------------------------------
@ -53,13 +54,16 @@ describe('Test video comments API validator', function () {
    }

    {
-      const user = {
-        username: 'user1',
-        password: 'my super password'
-      }
+      const user = { username: 'user1', password: 'my super password' }
      await createUser({ url: server.url, accessToken: server.accessToken, username: user.username, password: user.password })
      userAccessToken = await userLogin(server, user)
    }
+
+    {
+      const user = { username: 'user2', password: 'my super password' }
+      await createUser({ url: server.url, accessToken: server.accessToken, username: user.username, password: user.password })
+      userAccessToken2 = await userLogin(server, user)
+    }
  })

  describe('When listing video comment threads', function () {
@ -224,6 +228,40 @@ describe('Test video comments API validator', function () {
      await makeDeleteRequest({ url: server.url, path, token: server.accessToken, statusCodeExpected: 404 })
    })

+    it('Should succeed with the same user', async function () {
+      let commentToDelete: number
+
+      {
+        const res = await addVideoCommentThread(server.url, userAccessToken, videoUUID, 'hello')
+        commentToDelete = res.body.comment.id
+      }
+
+      const path = '/api/v1/videos/' + videoUUID + '/comments/' + commentToDelete
+
+      await makeDeleteRequest({ url: server.url, path, token: userAccessToken2, statusCodeExpected: 403 })
+      await makeDeleteRequest({ url: server.url, path, token: userAccessToken, statusCodeExpected: 204 })
+    })
+
+    it('Should succeed with the owner of the video', async function () {
+      let commentToDelete: number
+      let anotherVideoUUID: string
+
+      {
+        const res = await uploadVideo(server.url, userAccessToken, { name: 'video' })
+        anotherVideoUUID = res.body.video.uuid
+      }
+
+      {
+        const res = await addVideoCommentThread(server.url, server.accessToken, anotherVideoUUID, 'hello')
+        commentToDelete = res.body.comment.id
+      }
+
+      const path = '/api/v1/videos/' + anotherVideoUUID + '/comments/' + commentToDelete
+
+      await makeDeleteRequest({ url: server.url, path, token: userAccessToken2, statusCodeExpected: 403 })
+      await makeDeleteRequest({ url: server.url, path, token: userAccessToken, statusCodeExpected: 204 })
+    })
+
    it('Should succeed with the correct parameters', async function () {
      await makeDeleteRequest({ url: server.url, path: pathComment, token: server.accessToken, statusCodeExpected: 204 })
    })