Ensure correct treatment of auth and transient users
This commit establishes consistency in retrieval of users and responses between `org.keycloak.admin.ui.rest.UsersResource.getUser(String)` and `org.keycloak.services.resources.admin.UsersResource.user(String)` Fixes: #28666 Signed-off-by: Hynek Mlnarik <hmlnarik@redhat.com>
parent
5e0d323304
commit
146204c5cd
2 changed files with 21 additions and 4 deletions
|
@ -57,6 +57,6 @@ public final class AdminExtResource {
|
|||
|
||||
@Path("/users")
|
||||
public UsersResource users() {
|
||||
return new UsersResource(session);
|
||||
return new UsersResource(session, auth);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -6,21 +6,38 @@ import jakarta.ws.rs.PathParam;
|
|||
import org.keycloak.models.KeycloakSession;
|
||||
import org.keycloak.models.RealmModel;
|
||||
import org.keycloak.models.UserModel;
|
||||
import org.keycloak.models.UserSessionModel;
|
||||
import org.keycloak.models.light.LightweightUserAdapter;
|
||||
import org.keycloak.services.resources.admin.permissions.AdminPermissionEvaluator;
|
||||
import jakarta.ws.rs.ForbiddenException;
|
||||
|
||||
public class UsersResource {
|
||||
private final KeycloakSession session;
|
||||
|
||||
public UsersResource(KeycloakSession session) {
|
||||
private final AdminPermissionEvaluator auth;
|
||||
|
||||
public UsersResource(KeycloakSession session, AdminPermissionEvaluator auth) {
|
||||
this.session = session;
|
||||
this.auth = auth;
|
||||
}
|
||||
|
||||
@Path("{id}")
|
||||
public UserResource getUser(@PathParam("id") String id) {
|
||||
RealmModel realm = session.getContext().getRealm();
|
||||
UserModel user = session.users().getUserById(realm, id);
|
||||
UserModel user = null;
|
||||
if (LightweightUserAdapter.isLightweightUser(id)) {
|
||||
UserSessionModel userSession = session.sessions().getUserSession(realm, LightweightUserAdapter.getLightweightUserId(id));
|
||||
if (userSession != null) {
|
||||
user = userSession.getUser();
|
||||
}
|
||||
} else {
|
||||
user = session.users().getUserById(realm, id);
|
||||
}
|
||||
|
||||
if (user == null) {
|
||||
throw new NotFoundException();
|
||||
// we do this to make sure somebody can't phish ids
|
||||
if (auth.users().canQuery()) throw new NotFoundException("User not found");
|
||||
else throw new ForbiddenException();
|
||||
}
|
||||
|
||||
return new UserResource(session, user);
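Review bot: The authorization check in getUser only runs on the not-found branch, so a caller without query permission gets 403 for a missing id but, as far as this hunk shows, a plain UserResource for an existing one, which leaves the id-existence oracle the "phish ids" comment is meant to close unless UserResource enforces permissions itself (not visible here). Moving the permission requirement ahead of the lookup, e.g. `auth.users().requireQuery();` as the first statement (assuming the evaluator offers the require variant alongside canQuery()), would make the response independent of whether the id resolves. The new field and constructor also accept a null evaluator silently and would then fail with an NPE inside the not-found branch; `this.auth = Objects.requireNonNull(auth, "auth");` makes the new contract explicit, and since the single-argument constructor was removed, any other caller besides AdminExtResource would need the same update. A one-line Javadoc on getUser stating that lightweight (transient) user ids are resolved through the user session rather than the user store would help the next reader. The closing braces of getUser and the class lie outside the hunk.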
|
||||
|
|