fixed fine grain permissions (#16668)

fixes: #3700
Erik Jan de Wit 2023-01-28 16:13:53 +01:00 committed by GitHub
parent 5f8ee1c49d
commit 6736f31952
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 15 additions and 5 deletions


@ -65,7 +65,7 @@ public class AvailableRoleMappingResource extends RoleMappingResource {
throw new NotFoundException("Could not find client scope");
} else {
this.auth.clients().requireView(scopeModel);
return this.mapping(((Predicate<RoleModel>) scopeModel::hasDirectScope).negate(), first, max, search);
return this.mapping(((Predicate<RoleModel>) scopeModel::hasDirectScope).negate(), auth.roles()::canMapClientScope, first, max, search);
}
}
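Review bot: The new call on the last changed line qualifies the auth field differently from the line right above it: `this.auth.clients().requireView(scopeModel)` uses `this.auth`, while the predicate is written `auth.roles()::canMapClientScope`; for uniformity within the method write `this.auth.roles()::canMapClientScope`. The same mismatch appears in the EffectiveRoleMappingResource hunk, where `this.auth.clients().requireView(clientScope)` is followed by `auth.roles()::canMapClientScope`. Since the one-argument `mapping()` in RoleMappingResource now applies a role-level check and these two resources deliberately substitute a different one, a short comment at the call site would keep a later reader from "fixing" it back, e.g. `// client-scope mappings are filtered with canMapClientScope, not the role-level check the one-argument mapping() applies`. The enclosing method begins above the hunk.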


@ -60,7 +60,7 @@ public class EffectiveRoleMappingResource extends RoleMappingResource {
}
this.auth.clients().requireView(clientScope);
return this.mapping(clientScope::hasScope).collect(Collectors.toList());
return this.mapping(clientScope::hasScope, auth.roles()::canMapClientScope).collect(Collectors.toList());
}
@GET


@ -21,13 +21,23 @@ public abstract class RoleMappingResource {
this.auth = auth;
}
public final Stream<ClientRole> mapping(Predicate<RoleModel> predicate) {
protected final Stream<ClientRole> mapping(Predicate<RoleModel> predicate) {
return realm.getClientsStream().flatMap(RoleContainerModel::getRolesStream).filter(predicate)
.filter(auth.roles()::canMapClientScope).map(roleModel -> convertToModel(roleModel, realm.getClientsStream()));
.filter(auth.roles()::canMapRole).map(roleModel -> convertToModel(roleModel, realm.getClientsStream()));
}
public final List<ClientRole> mapping(Predicate<RoleModel> predicate, long first, long max, final String search) {
protected final Stream<ClientRole> mapping(Predicate<RoleModel> predicate, Predicate<RoleModel> authPredicate) {
return realm.getClientsStream().flatMap(RoleContainerModel::getRolesStream).filter(predicate)
.filter(authPredicate).map(roleModel -> convertToModel(roleModel, realm.getClientsStream()));
}
protected final List<ClientRole> mapping(Predicate<RoleModel> predicate, long first, long max, final String search) {
return mapping(predicate).filter(clientRole -> clientRole.getClient().contains(search) || clientRole.getRole().contains(search))
.skip(first).limit(max).collect(Collectors.toList());
}
protected final List<ClientRole> mapping(Predicate<RoleModel> predicate, Predicate<RoleModel> authPredicate, long first, long max, final String search) {
return mapping(predicate, authPredicate).filter(clientRole -> clientRole.getClient().contains(search) || clientRole.getRole().contains(search))
.skip(first).limit(max).collect(Collectors.toList());
}
}
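Review bot: The two new overloads repeat the pipelines of the ones they generalise: `mapping(Predicate)` builds the same stream as `mapping(Predicate, Predicate)` with `auth.roles()::canMapRole` in place of `authPredicate`, and the four-argument `mapping(...)` repeats the five-argument one line for line. Delegating removes the duplication and leaves a single place where the default authorization check lives: `return mapping(predicate, auth.roles()::canMapRole);` and `return mapping(predicate, auth.roles()::canMapRole, first, max, search);`. In the two-argument overload `authPredicate` is the only authorization filter applied to the returned roles, so its Javadoc should state that callers must pass a check from `auth.roles()` (as the client-scope resources do with `canMapClientScope`) rather than a plain search filter, and the five-argument overload should carry the same note. As on the existing four-argument method, the new five-argument overload's `contains(search)` calls will throw if `search` is null; if callers can pass null, a `search == null ||` guard ahead of the contains checks would cover it.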