Merge pull request #4726 from patriot1burke/master

KEYCLOAK-5878

integration/admin-client/src/main/java/org/keycloak/admin/client/resource/UsersResource.java

@@ -49,8 +49,17 @@ public interface UsersResource {
     @GET
     @Produces(MediaType.APPLICATION_JSON)
     List<UserRepresentation> search(@QueryParam("search") String search,
-                                           @QueryParam("first") Integer firstResult,
+                                    @QueryParam("first") Integer firstResult,
-                                           @QueryParam("max") Integer maxResults);
+                                    @QueryParam("max") Integer maxResults);
+
+    @GET
+    @Produces(MediaType.APPLICATION_JSON)
+    List<UserRepresentation> list(@QueryParam("first") Integer firstResult,
+                                  @QueryParam("max") Integer maxResults);
+
+    @GET
+    @Produces(MediaType.APPLICATION_JSON)
+    List<UserRepresentation> list();
 
     @POST
     @Consumes(MediaType.APPLICATION_JSON)
@@ -67,4 +76,6 @@ public interface UsersResource {
     @Path("{id}")
     @DELETE
     Response delete(@PathParam("id") String id);
+
+
 }

services/src/main/java/org/keycloak/services/resources/admin/permissions/GroupPermissions.java

@@ -98,6 +98,7 @@ class GroupPermissions implements GroupPermissionEvaluator, GroupPermissionManag
             Set<Scope> scopeset = new HashSet<>();
             scopeset.add(manageScope);
             scopeset.add(viewScope);
+            scopeset.add(viewMembersScope);
             scopeset.add(manageMembershipScope);
             scopeset.add(manageMembersScope);
             groupResource.updateScopes(scopeset);

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/FineGrainAdminUnitTest.java

@@ -294,8 +294,18 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
         clientConfigurePolicy.addAssociatedPolicy(userPolicy);
 
 
+        UserModel groupViewer = session.users().addUser(realm, "groupViewer");
+        groupViewer.grantRole(queryGroupsRole);
+        groupViewer.grantRole(queryUsersRole);
+        groupViewer.setEnabled(true);
+        session.userCredentialManager().updateCredential(realm, groupViewer, UserCredentialModel.password("password"));
 
-
+        UserPolicyRepresentation groupViewMembersRep = new UserPolicyRepresentation();
+        groupViewMembersRep.setName("groupMemberViewers");
+        groupViewMembersRep.addUser("groupViewer");
+        Policy groupViewMembersPolicy = permissions.authz().getStoreFactory().getPolicyStore().create(groupViewMembersRep, server);
+        Policy groupViewMembersPermission = permissions.groups().viewMembersPermission(group);
+        groupViewMembersPermission.addAssociatedPolicy(groupViewMembersPolicy);
 
 
     }
@@ -600,7 +610,19 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
             }
         }
 
+        // KEYCLOAK-5878
 
+        {
+            Keycloak realmClient = AdminClientUtil.createAdminClient(suiteContext.isAdapterCompatTesting(),
+                    TEST, "groupViewer", "password", Constants.ADMIN_CLI_CLIENT_ID, null);
+            // Should only return the list of users that belong to "top" group
+            List<UserRepresentation> queryUsers = realmClient.realm(TEST).users().list();
+            Assert.assertEquals(queryUsers.size(), 1);
+            Assert.assertEquals("groupmember", queryUsers.get(0).getUsername());
+            for (UserRepresentation user : queryUsers) {
+                System.out.println(user.getUsername());
+            }
+        }
     }
 
     @Test