fixed fine grain permissions (#16668)

fixes: #3700
2023-01-28 16:13:53 +01:00 · 2023-01-28 16:13:53 +01:00 · 6736f31952
commit 6736f31952
parent 5f8ee1c49d
3 changed files with 15 additions and 5 deletions
--- a/rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/AvailableRoleMappingResource.java
+++ b/rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/AvailableRoleMappingResource.java
@ -65,7 +65,7 @@ public class AvailableRoleMappingResource extends RoleMappingResource {
            throw new NotFoundException("Could not find client scope");
        } else {
            this.auth.clients().requireView(scopeModel);
-            return this.mapping(((Predicate<RoleModel>) scopeModel::hasDirectScope).negate(), first, max, search);
+            return this.mapping(((Predicate<RoleModel>) scopeModel::hasDirectScope).negate(), auth.roles()::canMapClientScope, first, max, search);
        }
    }

--- a/rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/EffectiveRoleMappingResource.java
+++ b/rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/EffectiveRoleMappingResource.java
@ -60,7 +60,7 @@ public class EffectiveRoleMappingResource extends RoleMappingResource {
        }

        this.auth.clients().requireView(clientScope);
-        return this.mapping(clientScope::hasScope).collect(Collectors.toList());
+        return this.mapping(clientScope::hasScope, auth.roles()::canMapClientScope).collect(Collectors.toList());
    }

    @GET
--- a/rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/RoleMappingResource.java
+++ b/rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/RoleMappingResource.java
@ -21,13 +21,23 @@ public abstract class RoleMappingResource {
        this.auth = auth;
    }

-    public final Stream<ClientRole> mapping(Predicate<RoleModel> predicate) {
+    protected final Stream<ClientRole> mapping(Predicate<RoleModel> predicate) {
        return realm.getClientsStream().flatMap(RoleContainerModel::getRolesStream).filter(predicate)
-                .filter(auth.roles()::canMapClientScope).map(roleModel -> convertToModel(roleModel, realm.getClientsStream()));
+                .filter(auth.roles()::canMapRole).map(roleModel -> convertToModel(roleModel, realm.getClientsStream()));
    }

-    public final List<ClientRole> mapping(Predicate<RoleModel> predicate, long first, long max, final String search) {
+    protected final Stream<ClientRole> mapping(Predicate<RoleModel> predicate, Predicate<RoleModel> authPredicate) {
+        return realm.getClientsStream().flatMap(RoleContainerModel::getRolesStream).filter(predicate)
+                .filter(authPredicate).map(roleModel -> convertToModel(roleModel, realm.getClientsStream()));
+    }
+
+    protected final List<ClientRole> mapping(Predicate<RoleModel> predicate, long first, long max, final String search) {
        return mapping(predicate).filter(clientRole -> clientRole.getClient().contains(search) || clientRole.getRole().contains(search))
                .skip(first).limit(max).collect(Collectors.toList());
    }
+
+    protected final List<ClientRole> mapping(Predicate<RoleModel> predicate, Predicate<RoleModel> authPredicate, long first, long max, final String search) {
+        return mapping(predicate, authPredicate).filter(clientRole -> clientRole.getClient().contains(search) || clientRole.getRole().contains(search))
+                .skip(first).limit(max).collect(Collectors.toList());
+    }
 }