[KEYCLOAK-18693] - Declarative profile validating read-only attribute if it exists

server-spi-private/src/main/java/org/keycloak/userprofile/AttributeMetadata.java

@@ -124,6 +124,10 @@ public final class AttributeMetadata {
         return readAllowed.test(context);
     }
 
+    public boolean canEdit(AttributeContext context) {
+        return writeAllowed.test(context);
+    }
+
     /**
      * Check if attribute is required based on it's predicate, it is handled as required if predicate is null
      * @param context to evaluate requirement of the attribute from

services/src/main/java/org/keycloak/userprofile/DeclarativeAttributes.java

@@ -43,6 +43,6 @@ public class DeclarativeAttributes extends DefaultAttributes {
 
     @Override
     protected boolean isIncludeAttributeIfNotProvided(AttributeMetadata metadata) {
-        return !metadata.canView(createAttributeContext(metadata));
+        return !metadata.canEdit(createAttributeContext(metadata));
     }
 }

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/actions/RequiredActionUpdateProfileWithUserProfileTest.java

@@ -273,6 +273,33 @@ public class RequiredActionUpdateProfileWithUserProfileTest extends RequiredActi
         assertEquals("First", user.getFirstName());
         assertEquals("Last", user.getLastName());
     }
+
+    @Test
+    public void testRequiredReadOnlyExistingAttribute() {
+        updateUserByUsername(USERNAME1, "first", "last", "foo");
+        setUserProfileConfiguration("{\"attributes\": ["
+                + "{\"name\": \"firstName\"," + PERMISSIONS_ALL + ", \"required\": {}},"
+                + "{\"name\": \"lastName\"," + PERMISSIONS_ALL + "},"
+                + "{\"name\": \"department\"," + PERMISSIONS_ADMIN_EDITABLE + ", \"required\":{}}"
+                + "]}");
+
+        loginPage.open();
+        loginPage.login(USERNAME1, PASSWORD);
+
+        updateProfilePage.assertCurrent();
+        Assert.assertEquals("last", updateProfilePage.getLastName());
+        Assert.assertFalse(updateProfilePage.isDepartmentEnabled());
+
+        //update of the other attributes must be successful in this case
+        updateProfilePage.update("First", "Last", USERNAME1, USERNAME1);
+
+        Assert.assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType());
+        Assert.assertNotNull(oauth.getCurrentQuery().get(OAuth2Constants.CODE));
+
+        UserRepresentation user = getUserByUsername(USERNAME1);
+        assertEquals("First", user.getFirstName());
+        assertEquals("Last", user.getLastName());
+    }
     
     @Test
     public void testAttributeNotVisible() {

themes/src/main/resources/theme/base/account/messages/messages_en.properties

@@ -388,3 +388,4 @@ error-invalid-uri=Invalid URL.
 error-invalid-uri-scheme=Invalid URL scheme.
 error-invalid-uri-fragment=Invalid URL fragment.
 error-user-attribute-required=Please specify attribute {0}.
+error-user-attribute-read-only=The field {0} is read only.

themes/src/main/resources/theme/base/login/messages/messages_en.properties

@@ -219,6 +219,7 @@ error-invalid-uri=Invalid URL.
 error-invalid-uri-scheme=Invalid URL scheme.
 error-invalid-uri-fragment=Invalid URL fragment.
 error-user-attribute-required=Please specify this field.
+error-user-attribute-read-only=This field is read only.
 
 invalidPasswordExistingMessage=Invalid existing password.
 invalidPasswordBlacklistedMessage=Invalid password: password is blacklisted.