diff --git a/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/UsersResource.java b/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/UsersResource.java
index b5fa96d568..f478e0b392 100755
--- a/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/UsersResource.java
+++ b/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/UsersResource.java
@@ -49,8 +49,17 @@ public interface UsersResource {
 @GET
 @Produces(MediaType.APPLICATION_JSON)
 List search(@QueryParam("search") String search,
- @QueryParam("first") Integer firstResult,
- @QueryParam("max") Integer maxResults);
+ @QueryParam("first") Integer firstResult,
+ @QueryParam("max") Integer maxResults);
+
+ @GET
+ @Produces(MediaType.APPLICATION_JSON)
+ List list(@QueryParam("first") Integer firstResult,
+ @QueryParam("max") Integer maxResults);
+
+ @GET
+ @Produces(MediaType.APPLICATION_JSON)
+ List list();
 @POST
 @Consumes(MediaType.APPLICATION_JSON)
@@ -67,4 +76,6 @@ public interface UsersResource {
 @Path("{id}")
 @DELETE
 Response delete(@PathParam("id") String id);
+
+
 }
diff --git a/services/src/main/java/org/keycloak/services/resources/admin/permissions/GroupPermissions.java b/services/src/main/java/org/keycloak/services/resources/admin/permissions/GroupPermissions.java
index c6aa3c6434..c2a46894f2 100644
--- a/services/src/main/java/org/keycloak/services/resources/admin/permissions/GroupPermissions.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/permissions/GroupPermissions.java
@@ -98,6 +98,7 @@ class GroupPermissions implements GroupPermissionEvaluator, GroupPermissionManag
 Set scopeset = new HashSet<>();
 scopeset.add(manageScope);
 scopeset.add(viewScope);
+ scopeset.add(viewMembersScope);
 scopeset.add(manageMembershipScope);
 scopeset.add(manageMembersScope);
 groupResource.updateScopes(scopeset);
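Review bot: The new no-argument `list()` at the end of the first UsersResource hunk has no paging arguments and no Javadoc, so a caller cannot tell that it asks the server for every user it is allowed to see in a single response. Both `list` overloads carry only `@GET`, like `search`, so they appear to call the same users endpoint without a `search` parameter; any filtering by the caller's permissions presumably happens on the server, which is not visible here. I would add a short Javadoc to each overload, for example `/** Returns the users visible to the caller; with fine-grained permissions this may be a subset of the realm. Prefer list(first, max) on large realms. */`. The four changed `@QueryParam` lines on `search` are re-indentation only.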
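Review bot: `scopeset.add(viewMembersScope)` in GroupPermissions corrects the omission only on the path that rebuilds this set, and nothing in the block keeps the next new scope from being forgotten in the same way. The enclosing method starts and ends outside the hunk, so it is not clear whether it runs again for groups whose permission resource was created before this change; if it does not, those resources would presumably still lack the view-members scope. A comment above the set, such as `// keep in sync with every scope the group permissions are created for (view, view-members, manage, manage-members, manage-membership)`, would state the invariant this fix restores. It is also worth confirming how already-initialized groups pick up the added scope.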
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/FineGrainAdminUnitTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/FineGrainAdminUnitTest.java
index 7c4314ab34..1df661285f 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/FineGrainAdminUnitTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/FineGrainAdminUnitTest.java
@@ -294,8 +294,18 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
 clientConfigurePolicy.addAssociatedPolicy(userPolicy);
+ UserModel groupViewer = session.users().addUser(realm, "groupViewer");
+ groupViewer.grantRole(queryGroupsRole);
+ groupViewer.grantRole(queryUsersRole);
+ groupViewer.setEnabled(true);
+ session.userCredentialManager().updateCredential(realm, groupViewer, UserCredentialModel.password("password"));
-
+ UserPolicyRepresentation groupViewMembersRep = new UserPolicyRepresentation();
+ groupViewMembersRep.setName("groupMemberViewers");
+ groupViewMembersRep.addUser("groupViewer");
+ Policy groupViewMembersPolicy = permissions.authz().getStoreFactory().getPolicyStore().create(groupViewMembersRep, server);
+ Policy groupViewMembersPermission = permissions.groups().viewMembersPermission(group);
+ groupViewMembersPermission.addAssociatedPolicy(groupViewMembersPolicy);
 }
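Review bot: The fixture added here gives `groupViewer` the query-users and query-groups roles plus the view-members permission on `group`, but nothing in the setup says that this combination is the subject of KEYCLOAK-5878 or which group `group` refers to. A one-line comment before `UserModel groupViewer = ...`, such as `// KEYCLOAK-5878: groupViewer may view the members of this group and nothing else in the realm`, would tie the fixture to the assertion block added later in the file. The literal `"password"` is repeated in that later block's `createAdminClient` call, and a shared constant would keep the two from drifting apart. The setup method begins outside the hunk.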
@@ -600,7 +610,19 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
 }
 }
+ // KEYCLOAK-5878
+ {
+ Keycloak realmClient = AdminClientUtil.createAdminClient(suiteContext.isAdapterCompatTesting(),
+ TEST, "groupViewer", "password", Constants.ADMIN_CLI_CLIENT_ID, null);
+ // Should only return the list of users that belong to "top" group
+ List queryUsers = realmClient.realm(TEST).users().list();
+ Assert.assertEquals(queryUsers.size(), 1);
+ Assert.assertEquals("groupmember", queryUsers.get(0).getUsername());
+ for (UserRepresentation user : queryUsers) {
+ System.out.println(user.getUsername());
+ }
+ }
 }
 @Test
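Review bot: `Assert.assertEquals(queryUsers.size(), 1)` passes the actual value where JUnit expects the expected one, so a failure would report the two numbers the wrong way round; it should read `Assert.assertEquals(1, queryUsers.size());`. The `for` loop around `System.out.println(user.getUsername())` looks like leftover debugging output and can be dropped. `realmClient` is not closed in this block; if the sibling blocks of this test method (outside the hunk) close their clients, add `realmClient.close();` here as well. The block checks only the user who holds view-members. It has no counterpart asserting that a user with query-users alone gets an empty list, which is the case the permission filter exists for.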