fixed fine grain permissions (#16668)

fixes: #3700

rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/AvailableRoleMappingResource.java

@@ -65,7 +65,7 @@ public class AvailableRoleMappingResource extends RoleMappingResource {
             throw new NotFoundException("Could not find client scope");
         } else {
             this.auth.clients().requireView(scopeModel);
-            return this.mapping(((Predicate<RoleModel>) scopeModel::hasDirectScope).negate(), first, max, search);
+            return this.mapping(((Predicate<RoleModel>) scopeModel::hasDirectScope).negate(), auth.roles()::canMapClientScope, first, max, search);
         }
     }
 

rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/EffectiveRoleMappingResource.java

@@ -60,7 +60,7 @@ public class EffectiveRoleMappingResource extends RoleMappingResource {
         }
 
         this.auth.clients().requireView(clientScope);
-        return this.mapping(clientScope::hasScope).collect(Collectors.toList());
+        return this.mapping(clientScope::hasScope, auth.roles()::canMapClientScope).collect(Collectors.toList());
     }
 
     @GET

rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/RoleMappingResource.java

@@ -21,13 +21,23 @@ public abstract class RoleMappingResource {
         this.auth = auth;
     }
 
-    public final Stream<ClientRole> mapping(Predicate<RoleModel> predicate) {
+    protected final Stream<ClientRole> mapping(Predicate<RoleModel> predicate) {
         return realm.getClientsStream().flatMap(RoleContainerModel::getRolesStream).filter(predicate)
-                .filter(auth.roles()::canMapClientScope).map(roleModel -> convertToModel(roleModel, realm.getClientsStream()));
+                .filter(auth.roles()::canMapRole).map(roleModel -> convertToModel(roleModel, realm.getClientsStream()));
     }
 
-    public final List<ClientRole> mapping(Predicate<RoleModel> predicate, long first, long max, final String search) {
+    protected final Stream<ClientRole> mapping(Predicate<RoleModel> predicate, Predicate<RoleModel> authPredicate) {
+        return realm.getClientsStream().flatMap(RoleContainerModel::getRolesStream).filter(predicate)
+                .filter(authPredicate).map(roleModel -> convertToModel(roleModel, realm.getClientsStream()));
+    }
+
+    protected final List<ClientRole> mapping(Predicate<RoleModel> predicate, long first, long max, final String search) {
         return mapping(predicate).filter(clientRole -> clientRole.getClient().contains(search) || clientRole.getRole().contains(search))
                 .skip(first).limit(max).collect(Collectors.toList());
     }
+
+    protected final List<ClientRole> mapping(Predicate<RoleModel> predicate, Predicate<RoleModel> authPredicate, long first, long max, final String search) {
+        return mapping(predicate, authPredicate).filter(clientRole -> clientRole.getClient().contains(search) || clientRole.getRole().contains(search))
+                .skip(first).limit(max).collect(Collectors.toList());
+    }
 }