diff --git a/core/db/elastic.py b/core/db/elastic.py
index 19b9674..700d727 100644
--- a/core/db/elastic.py
+++ b/core/db/elastic.py
@@ -542,6 +542,10 @@ class ElasticsearchBackend(StorageBackend):
 total_sources = (
 len(settings.MAIN_SOURCES) - 1 + len(settings.SOURCES_RESTRICTED)
 )
+
+ # If the sources the user has access to are equal to all
+ # possible sources, then we don't need to add the source
+ # filter to the query.
 if total_count != total_sources:
 add_top_tmp = {"bool": {"should": []}}
 for source_iter in sources:
diff --git a/core/lib/parsing.py b/core/lib/parsing.py
index 31ce031..ec7d283 100644
--- a/core/lib/parsing.py
+++ b/core/lib/parsing.py
@@ -98,6 +98,7 @@ def parse_source(user, query_params, raise_error=False):
 if "source" in query_params:
 source = query_params["source"]
+ # Validate permissions for restricted sources
 if source in settings.SOURCES_RESTRICTED:
 if not user.has_perm("core.restricted_sources"):
 message = f"Access denied: {source}"
@@ -105,6 +106,8 @@ def parse_source(user, query_params, raise_error=False):
 raise QueryError(message)
 message_class = "danger"
 return {"message": message, "class": message_class}
+
+ # Check validity of source
 elif source not in settings.MAIN_SOURCES:
 message = f"Invalid source: {source}"
 if raise_error:
@@ -118,11 +121,17 @@ def parse_source(user, query_params, raise_error=False):
 if source:
 sources = [source]
 else:
+ # Here we need to populate what "all" means for the user.
+ # They may only have access to a subset of the sources.
+ # We build a custom source list with ones they have access
+ # to, and then remove "all" from the list.
 sources = list(settings.MAIN_SOURCES)
 if user.has_perm("core.restricted_sources"):
+ # If the user can use restricted sources, add them in.
 for source_iter in settings.SOURCES_RESTRICTED:
 sources.append(source_iter)
+ # Get rid of "all", it's just a meta-source
 if "all" in sources:
 sources.remove("all")
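Review bot: The new comment in `ElasticsearchBackend` says the source filter is skipped when the user's sources "are equal to all possible sources", but the condition it documents, `if total_count != total_sources:`, compares two counts rather than the source sets themselves. Because skipping this branch drops the per-source restriction from the query, the comment should state the assumption it relies on, for example `# NOTE: count comparison only; assumes sources has no duplicates and nothing outside MAIN_SOURCES/SOURCES_RESTRICTED`. It should also explain the `- 1` in `total_sources`, which presumably discounts the "all" meta-source that `parse_source` removes in core/lib/parsing.py. How `total_count` is computed lies outside the hunk, so it cannot be confirmed from here that the counts never match for a user without `core.restricted_sources`; comparing sets instead of lengths would make the check independent of that assumption.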