Returning email as username setting for admins

Fixes #17591
2023-03-27 11:50:16 -03:00 · 2023-03-27 11:50:16 -03:00 · a9c605750d
commit a9c605750d
parent cda0c9dce0
4 changed files with 22 additions and 3 deletions
--- a/services/src/main/java/org/keycloak/services/resources/admin/RealmAdminResource.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/RealmAdminResource.java
@ -360,6 +360,10 @@ public class RealmAdminResource {
            RealmRepresentation rep = new RealmRepresentation();
            rep.setRealm(realm.getName());

+            if (auth.users().canView()) {
+                rep.setRegistrationEmailAsUsername(realm.isRegistrationEmailAsUsername());
+            }
+
            if (auth.realm().canViewIdentityProviders()) {
                RealmRepresentation r = ModelToRepresentation.toRepresentation(session, realm, false);
                rep.setIdentityProviders(r.getIdentityProviders());
--- a/services/src/main/java/org/keycloak/services/resources/admin/permissions/RealmPermissions.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/permissions/RealmPermissions.java
@ -77,7 +77,7 @@ class RealmPermissions implements RealmPermissionEvaluator {

    @Override
    public boolean canListRealms() {
-        return canViewRealm() || root.hasOneAdminRole(AdminRoles.ALL_QUERY_ROLES);
+        return root.isAdmin();
    }

    @Override
--- a/services/src/main/java/org/keycloak/services/resources/admin/permissions/RolePermissions.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/permissions/RolePermissions.java
@ -331,7 +331,7 @@ class RolePermissions implements RolePermissionEvaluator, RolePermissionManageme
        if (canView(container)) {
            return true;
        } else if (container instanceof RealmModel) {
-            return root.realm().canListRealms();
+            return root.realm().canViewRealm() || root.hasOneAdminRole(AdminRoles.ALL_QUERY_ROLES);
        } else {
            return root.clients().canList((ClientModel)container);
        }
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/PermissionsTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/PermissionsTest.java
@ -297,7 +297,22 @@ public class PermissionsTest extends AbstractKeycloakTest {
                realm.toRepresentation();
            }
        }, Resource.REALM, false, true);
-        assertGettersEmpty(clients.get(AdminRoles.QUERY_REALMS).realm(REALM_NAME).toRepresentation());
+
+        {
+            RealmRepresentation realm = clients.get(AdminRoles.QUERY_REALMS).realm(REALM_NAME).toRepresentation();
+            assertGettersEmpty(realm);
+            assertNull(realm.isRegistrationEmailAsUsername());
+
+            realm = clients.get(AdminRoles.VIEW_USERS).realm(REALM_NAME).toRepresentation();
+            assertNotNull(realm.isRegistrationEmailAsUsername());
+
+            realm = clients.get(AdminRoles.MANAGE_USERS).realm(REALM_NAME).toRepresentation();
+            assertNotNull(realm.isRegistrationEmailAsUsername());
+
+            // query users only if granted through fine-grained admin
+            realm = clients.get(AdminRoles.QUERY_USERS).realm(REALM_NAME).toRepresentation();
+            assertNull(realm.isRegistrationEmailAsUsername());
+        }

        // this should pass given that users granted with "query" roles are allowed to access the realm with limited access
        for (String role : AdminRoles.ALL_QUERY_ROLES) {