Source is used when adding data but we don't currently validate whether a user has view permission on a given source when checking if it exists. We should fix this; the proper fix will rely on #1785
