KEYCLOAK-10782: Credentials tab on clients can only be displayed with view-realm
parent
f2ab8d97c0
commit
a726e625e9
4 changed files with 37 additions and 3 deletions
|
@ -135,7 +135,7 @@ public class AuthenticationManagementResource {
|
|||
@NoCache
|
||||
@Produces(MediaType.APPLICATION_JSON)
|
||||
public List<Map<String, Object>> getClientAuthenticatorProviders() {
|
||||
auth.realm().requireViewRealm();
|
||||
auth.realm().requireViewClientAuthenticatorProviders();
|
||||
|
||||
List<ProviderFactory> factories = session.getKeycloakSessionFactory().getProviderFactories(ClientAuthenticator.class);
|
||||
return buildProviderMetadata(factories);
|
||||
|
@ -1095,7 +1095,7 @@ public class AuthenticationManagementResource {
|
|||
@Produces(MediaType.APPLICATION_JSON)
|
||||
@NoCache
|
||||
public Map<String, List<ConfigPropertyRepresentation>> getPerClientConfigDescription() {
|
||||
auth.realm().requireViewRealm();
|
||||
auth.realm().requireViewClientAuthenticatorProviders();
|
||||
|
||||
List<ProviderFactory> factories = session.getKeycloakSessionFactory().getProviderFactories(ClientAuthenticator.class);
|
||||
|
||||
|
@ -1205,4 +1205,4 @@ public class AuthenticationManagementResource {
|
|||
realm.updateAuthenticatorConfig(exists);
|
||||
adminEvent.operation(OperationType.UPDATE).resource(ResourceType.AUTHENTICATOR_CONFIG).resourcePath(session.getContext().getUri()).representation(rep).success();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
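Review bot: getClientAuthenticatorProviders() and getPerClientConfigDescription() both drop requireViewRealm() for the weaker requireViewClientAuthenticatorProviders(), so their responses are now readable by any admin holding only query-clients. buildProviderMetadata() and the remainder of getPerClientConfigDescription() lie outside these hunks, so it cannot be confirmed from here that they return only static provider metadata and no realm-specific values. It would help to record that constraint next to each check, for example `// Readable with query-clients: return static provider metadata only, never realm-specific configuration.` The third hunk in this file looks like an end-of-file whitespace change and needs no comment.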
@ -62,4 +62,6 @@ public interface RealmPermissionEvaluator {
|
|||
void requireViewRequiredActions();
|
||||
|
||||
void requireViewAuthenticationFlows();
|
||||
|
||||
void requireViewClientAuthenticatorProviders();
|
||||
}
|
||||
|
|
|
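Review bot: requireViewClientAuthenticatorProviders() is added to the interface without a Javadoc comment, and its name does not reveal that client-scoped admin roles satisfy it in addition to view-realm. Since this method defines who may read authentication-related metadata, the contract should be stated where implementers and callers will see it, for example `/** Throws ForbiddenException unless the caller can view the realm or holds query-clients, view-clients or manage-clients. */`. The neighbouring declarations visible in this hunk are undocumented as well, so this follows the need rather than an existing convention in the file.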
@ -197,5 +197,11 @@ class RealmPermissions implements RealmPermissionEvaluator {
|
|||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
public void requireViewClientAuthenticatorProviders() {
|
||||
if (!(canViewRealm() || root.hasOneAdminRole(AdminRoles.QUERY_CLIENTS, AdminRoles.VIEW_CLIENTS, AdminRoles.MANAGE_CLIENTS))) {
|
||||
throw new ForbiddenException();
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
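Review bot: The authorization rule in requireViewClientAuthenticatorProviders() is written inline as a negated disjunction, which makes the set of accepted roles harder to audit than it needs to be. Moving the predicate into a boolean helper, for example `private boolean canViewClientAuthenticatorProviders() { return canViewRealm() || root.hasOneAdminRole(AdminRoles.QUERY_CLIENTS, AdminRoles.VIEW_CLIENTS, AdminRoles.MANAGE_CLIENTS); }`, leaves the require method as `if (!canViewClientAuthenticatorProviders()) throw new ForbiddenException();` and mirrors the canViewRealm() call already used here. hasOneAdminRole() is not shown on this page; if it only checks realm-level admin roles, an admin who was granted access to a single client through fine-grained permissions would presumably still be refused, which is worth confirming against the ticket's intent.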
@ -764,6 +764,32 @@ public class PermissionsTest extends AbstractKeycloakTest {
|
|||
realm.flows().getFlows();
|
||||
}
|
||||
}, clients.get(AdminRoles.QUERY_CLIENTS), true);
|
||||
// the same for ClientAuthenticatorProviders and PerClientConfigDescription
|
||||
invoke(new Invocation() {
|
||||
public void invoke(RealmResource realm) {
|
||||
realm.flows().getClientAuthenticatorProviders();
|
||||
}
|
||||
}, clients.get(AdminRoles.QUERY_CLIENTS), true);
|
||||
invoke(new Invocation() {
|
||||
public void invoke(RealmResource realm) {
|
||||
realm.flows().getClientAuthenticatorProviders();
|
||||
}
|
||||
}, clients.get(AdminRoles.VIEW_CLIENTS), true);
|
||||
invoke(new Invocation() {
|
||||
public void invoke(RealmResource realm) {
|
||||
realm.flows().getClientAuthenticatorProviders();
|
||||
}
|
||||
}, clients.get(AdminRoles.MANAGE_CLIENTS), true);
|
||||
invoke(new Invocation() {
|
||||
public void invoke(RealmResource realm) {
|
||||
realm.flows().getClientAuthenticatorProviders();
|
||||
}
|
||||
}, clients.get(AdminRoles.QUERY_USERS), false);
|
||||
invoke(new Invocation() {
|
||||
public void invoke(RealmResource realm) {
|
||||
realm.flows().getPerClientConfigDescription();
|
||||
}
|
||||
}, clients.get(AdminRoles.QUERY_CLIENTS), true);
|
||||
}
|
||||
|
||||
@Test
|
||||
|
|
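Review bot: getPerClientConfigDescription() is only exercised with one role that is expected to succeed (QUERY_CLIENTS), so nothing in this hunk proves that the relaxed check still refuses an unrelated role on that endpoint. getClientAuthenticatorProviders() has such a negative case with QUERY_USERS, and the second endpoint should get the same one, since a permission change without a denial test can silently widen later. The enclosing test method begins outside the hunk.

```java
// … unchanged: getClientAuthenticatorProviders cases and the QUERY_CLIENTS case for getPerClientConfigDescription …
invoke(new Invocation() {
    public void invoke(RealmResource realm) {
        realm.flows().getPerClientConfigDescription();
    }
}, clients.get(AdminRoles.QUERY_USERS), false);
```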