f50f3eaa988aa8248c0bb4313baaff4f2338b54b,api/src/main/java/org/searchisko/api/service/SearchService.java,SearchService,setSearchRequestFields,#QuerySettings#SearchRequestBuilder#,604
Before Change
protected void setSearchRequestFields(QuerySettings querySettings, SearchRequestBuilder srb) {
// handle 'field' params to return configured fields only. Use default set of fields loaded from configuration.
if (querySettings.getFields() != null) {
srb.addFields((querySettings.getFields()).toArray(new String[querySettings.getFields().size()]));
} else {
Map<String, Object> cf = configService.get(ConfigService.CFGNAME_SEARCH_RESPONSE_FIELDS);
if (cf != null && cf.containsKey(ConfigService.CFGNAME_SEARCH_RESPONSE_FIELDS)) {
Object o = cf.get(ConfigService.CFGNAME_SEARCH_RESPONSE_FIELDS);
if (o instanceof Collection) {
srb.addFields(((Collection<String>) o).toArray(new String[((Collection) o).size()]));
} else if (o instanceof String) {
srb.addField((String) o);
} else {
After Change
List<String> fields = null;
if (querySettings.getFields() != null) {
fields = querySettings.getFields();
} else {
try {
fields = SearchUtils.getListOfStringsFromJsonMap(cf, ConfigService.CFGNAME_SEARCH_RESPONSE_FIELDS);
} catch (ClassCastException e) {
throw new SettingsException(ConfigService.CFGNAME_SEARCH_RESPONSE_FIELDS
+ " configuration document is invalid.");
}
}
if (fields != null && !fields.isEmpty()) {
if (cf != null) {
@SuppressWarnings("unchecked")
Map<String, Object> cfgFieldsPermissions = (Map<String, Object>) cf.get(CFGNAME_FIELD_VISIBLE_FOR_ROLES);
if (cfgFieldsPermissions != null && !cfgFieldsPermissions.isEmpty()
&& !authenticationUtilService.isUserInRole(Role.ADMIN)) {
List<String> fieldsFiltered = new ArrayList<>();
for (String field : fields) {
List<String> roles = SearchUtils.getListOfStringsFromJsonMap(cfgFieldsPermissions, field);
if (roles != null && !roles.isEmpty()) {
if (authenticationUtilService.isUserInAnyOfRoles(false, roles)) {
fieldsFiltered.add(field);
}
} else {
fieldsFiltered.add(field);
}
}
if (fieldsFiltered.isEmpty()) {
throw new NotAuthorizedException("No permission to show any of requested content fields.");
}
fields = fieldsFiltered;
}
}
srb.addFields((fields).toArray(new String[fields.size()]));
}
}
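Review bot: The unchecked cast `cfgFieldsPermissions = (Map<String, Object>) cf.get(CFGNAME_FIELD_VISIBLE_FOR_ROLES)` and the `SearchUtils.getListOfStringsFromJsonMap(cfgFieldsPermissions, field)` call inside the loop can both throw ClassCastException on a malformed configuration document, but unlike the CFGNAME_SEARCH_RESPONSE_FIELDS lookup earlier in the method they are not translated into a SettingsException, so a bad value in the visibility map surfaces as an unhandled runtime error. Wrapping both in the same handler, `catch (ClassCastException e) { throw new SettingsException(CFGNAME_FIELD_VISIBLE_FOR_ROLES + " configuration document is invalid."); }`, keeps error reporting consistent (and should carry `e` as the cause if SettingsException supports it). Separately, the whole role filter sits under `if (fields != null && !fields.isEmpty())`, so a request or configuration that yields an empty field list skips the visibility check entirely and leaves the builder without an explicit field list; if the search then returns the full document source, fields restricted via CFGNAME_FIELD_VISIBLE_FOR_ROLES would be returned on that path, which is worth confirming and, if so, guarding. The start of setSearchRequestFields, where `cf` is loaded, lies outside the shown snippet.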