KEYCLOAK-3105 Can't access single realm with the admin user from master realm

mposolda 2016-06-13 12:08:58 +02:00
parent 443772d5ec
commit 1510ac5eb4
2 changed files with 14 additions and 4 deletions


@ -105,15 +105,16 @@ public class RealmsAdminResource {
ClientModel adminApp = auth.getRealm().getClientByClientId(realmManager.getRealmAdminClientId(auth.getRealm()));
addRealmRep(reps, auth.getRealm(), adminApp);
}
if (reps.isEmpty()) {
throw new ForbiddenException();
}
logger.debug(("getRealms()"));
return reps;
}
protected void addRealmRep(List<RealmRepresentation> reps, RealmModel realm, ClientModel realmManagementClient) {
if (!auth.hasOneOfAppRole(realmManagementClient, AdminRoles.ALL_REALM_ROLES)) {
throw new ForbiddenException();
}
if (auth.hasAppRole(realmManagementClient, AdminRoles.VIEW_REALM)) {
reps.add(ModelToRepresentation.toRepresentation(realm, false));
} else if (auth.hasOneOfAppRole(realmManagementClient, AdminRoles.ALL_REALM_ROLES)) {
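Review bot: In addRealmRep, the chain ending in `} else if (auth.hasOneOfAppRole(realmManagementClient, AdminRoles.ALL_REALM_ROLES)) {` has no visible final else, so a realm on which the caller holds no realm-management role appears to be dropped from the list silently, and the only denial left is the `reps.isEmpty()` check in getRealms(). That moves the authorization decision from a per-realm 403 to a filter, which deserves a comment above the chain such as `// No admin role on this realm: omit it from the listing; getRealms() answers 403 only when nothing is visible.` A debug log for the skipped realm would also help when diagnosing access problems. The page has lost its +/- markers, so which lines are new is inferred from the diffstat, and addRealmRep's body continues past the hunk.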


@ -182,6 +182,15 @@ public class PermissionsTest extends AbstractKeycloakTest {
Assert.assertNames(realms, REALM_NAME);
assertNotNull(realms.get(0).getAccessTokenLifespan());
// Check the same when access with users from 'master' realm
realms = clients.get("master-" + AdminRoles.VIEW_USERS).realms().findAll();
Assert.assertNames(realms, REALM_NAME);
assertGettersEmpty(realms.get(0));
realms = clients.get("master-" + AdminRoles.VIEW_REALM).realms().findAll();
Assert.assertNames(realms, REALM_NAME);
assertNotNull(realms.get(0).getAccessTokenLifespan());
// Create realm
invoke(new Invocation() {
public void invoke(RealmResource realm) {
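Review bot: The added master-realm assertions cover only callers that are allowed to see the realm (`"master-" + AdminRoles.VIEW_USERS` and `"master-" + AdminRoles.VIEW_REALM`); nothing visible exercises the denial side, where a master-realm user with no admin role on REALM_NAME must not get the realm back. A negative case would pin the authorization boundary this fix moves: call `realms().findAll()` with such a client and assert either a 403 when nothing is visible or that REALM_NAME is absent from the result. The test may already cover this elsewhere, since the enclosing test method starts and ends outside the hunk.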