f50f3eaa988aa8248c0bb4313baaff4f2338b54b,api/src/main/java/org/searchisko/api/service/SearchService.java,SearchService,setSearchRequestFields,#QuerySettings#SearchRequestBuilder#,604

Before Change


	protected void setSearchRequestFields(QuerySettings querySettings, SearchRequestBuilder srb) {

		// handle 'field' params to return configured fields only. Use default set of fields loaded from configuration.
		if (querySettings.getFields() != null) {
			srb.addFields((querySettings.getFields()).toArray(new String[querySettings.getFields().size()]));
		} else {
			Map<String, Object> cf = configService.get(ConfigService.CFGNAME_SEARCH_RESPONSE_FIELDS);
			if (cf != null && cf.containsKey(ConfigService.CFGNAME_SEARCH_RESPONSE_FIELDS)) {
				Object o = cf.get(ConfigService.CFGNAME_SEARCH_RESPONSE_FIELDS);
				if (o instanceof Collection) {
					srb.addFields(((Collection<String>) o).toArray(new String[((Collection) o).size()]));
				} else if (o instanceof String) {
					srb.addField((String) o);
				} else {

After Change



		List<String> fields = null;

		if (querySettings.getFields() != null) {
			fields = querySettings.getFields();
		} else {
			try {
				fields = SearchUtils.getListOfStringsFromJsonMap(cf, ConfigService.CFGNAME_SEARCH_RESPONSE_FIELDS);
			} catch (ClassCastException e) {
				throw new SettingsException(ConfigService.CFGNAME_SEARCH_RESPONSE_FIELDS
						+ " configuration document is invalid.");
			}

		}

		if (fields != null && !fields.isEmpty()) {
			if (cf != null) {
				@SuppressWarnings("unchecked")
				Map<String, Object> cfgFieldsPermissions = (Map<String, Object>) cf.get(CFGNAME_FIELD_VISIBLE_FOR_ROLES);
				if (cfgFieldsPermissions != null && !cfgFieldsPermissions.isEmpty()
						&& !authenticationUtilService.isUserInRole(Role.ADMIN)) {
					List<String> fieldsFiltered = new ArrayList<>();
					for (String field : fields) {
						List<String> roles = SearchUtils.getListOfStringsFromJsonMap(cfgFieldsPermissions, field);
						if (roles != null && !roles.isEmpty()) {
							if (authenticationUtilService.isUserInAnyOfRoles(false, roles)) {
								fieldsFiltered.add(field);
							}
						} else {
							fieldsFiltered.add(field);
						}
					}
					if (fieldsFiltered.isEmpty()) {
						throw new NotAuthorizedException("No permission to show any of requested content fields.");
					}
					fields = fieldsFiltered;
				}
			}

			srb.addFields((fields).toArray(new String[fields.size()]));
		}

	}
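Review bot: The role-based field filter only runs when a field list exists, so when neither the request nor the configured default supplies one, the `if (fields != null && !fields.isEmpty())` guard skips `srb.addFields` entirely and the backend's default response (presumably the whole stored document) goes out with no `CFGNAME_FIELD_VISIBLE_FOR_ROLES` check applied; if that path is reachable, either derive the field list so the filter still runs or reject the request there, and document the intended behaviour above the guard. Separately, the per-field lookup `List<String> roles = SearchUtils.getListOfStringsFromJsonMap(cfgFieldsPermissions, field);` has no `catch (ClassCastException e)` wrapper, unlike the same helper call in the `else` branch above, so a malformed per-field entry in the permissions map would surface as an unchecked cast failure instead of the `SettingsException` the earlier branch raises — the rewrite below mirrors that handling. The filter is fail-open for names absent from the map (the `else { fieldsFiltered.add(field); }` branch), which is fine only if the configuration lists every restricted field, including any special names the search backend resolves to the whole document; a comment such as `// fields without a roles entry are visible to everyone; restricted fields must be listed explicitly` would make that contract visible. The enclosing method starts outside this listing (`cf` is declared above it).
```java
for (String field : fields) {
    List<String> roles;
    try {
        roles = SearchUtils.getListOfStringsFromJsonMap(cfgFieldsPermissions, field);
    } catch (ClassCastException e) {
        throw new SettingsException(CFGNAME_FIELD_VISIBLE_FOR_ROLES + " configuration document is invalid.");
    }
    // … unchanged: role check and fieldsFiltered.add(field) …
}
```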