commit
b10e7b8c31
2 changed files with 15 additions and 12 deletions
|
@ -136,10 +136,13 @@ class RolePermissions implements RolePermissionEvaluator, RolePermissionManageme
|
|||
if (root.admin().hasRole(role)) return true;
|
||||
|
||||
ClientModel adminClient = root.getRealmManagementClient();
|
||||
// is this an admin role in 'realm-management' client of the realm we are managing?
|
||||
if (adminClient.equals(role.getContainer())) {
|
||||
// if this is realm admin role, then check to see if admin has similar permissions
|
||||
// we do this so that the authz service is invoked
|
||||
if (role.getName().equals(AdminRoles.MANAGE_CLIENTS)) {
|
||||
if (role.getName().equals(AdminRoles.MANAGE_CLIENTS)
|
||||
|| role.getName().equals(AdminRoles.CREATE_CLIENT)
|
||||
) {
|
||||
if (!root.clients().canManage()) {
|
||||
return adminConflictMessage(role);
|
||||
} else {
|
||||
|
@ -151,6 +154,9 @@ class RolePermissions implements RolePermissionEvaluator, RolePermissionManageme
|
|||
} else {
|
||||
return true;
|
||||
}
|
||||
|
||||
} else if (role.getName().equals(AdminRoles.QUERY_REALMS)) {
|
||||
return true;
|
||||
} else if (role.getName().equals(AdminRoles.QUERY_CLIENTS)) {
|
||||
return true;
|
||||
} else if (role.getName().equals(AdminRoles.QUERY_USERS)) {
|
||||
|
|
|
@ -658,13 +658,12 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
|
|||
adminClient.realm(TEST).roles().create(composite);
|
||||
composite = adminClient.realm(TEST).roles().get("composite").toRepresentation();
|
||||
|
||||
RoleRepresentation compositePart = new RoleRepresentation();
|
||||
compositePart.setName("composite-part");
|
||||
adminClient.realm(TEST).roles().create(compositePart);
|
||||
compositePart = adminClient.realm(TEST).roles().get("composite-part").toRepresentation();
|
||||
|
||||
ClientRepresentation client = adminClient.realm(TEST).clients().findByClientId(Constants.REALM_MANAGEMENT_CLIENT_ID).get(0);
|
||||
RoleRepresentation createClient = adminClient.realm(TEST).clients().get(client.getId()).roles().get(AdminRoles.CREATE_CLIENT).toRepresentation();
|
||||
RoleRepresentation queryRealms = adminClient.realm(TEST).clients().get(client.getId()).roles().get(AdminRoles.QUERY_REALMS).toRepresentation();
|
||||
List<RoleRepresentation> composites = new LinkedList<>();
|
||||
composites.add(compositePart);
|
||||
composites.add(createClient);
|
||||
composites.add(queryRealms);
|
||||
adminClient.realm(TEST).rolesById().addComposites(composite.getId(), composites);
|
||||
}
|
||||
|
||||
|
@ -693,13 +692,11 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
|
|||
realmClient.realm(TEST).roles().create(composite);
|
||||
composite = adminClient.realm(TEST).roles().get("composite").toRepresentation();
|
||||
|
||||
RoleRepresentation compositePart = new RoleRepresentation();
|
||||
compositePart.setName("composite-part");
|
||||
realmClient.realm(TEST).roles().create(compositePart);
|
||||
compositePart = adminClient.realm(TEST).roles().get("composite-part").toRepresentation();
|
||||
ClientRepresentation client = adminClient.realm(TEST).clients().findByClientId(Constants.REALM_MANAGEMENT_CLIENT_ID).get(0);
|
||||
RoleRepresentation viewUsers = adminClient.realm(TEST).clients().get(client.getId()).roles().get(AdminRoles.CREATE_CLIENT).toRepresentation();
|
||||
|
||||
List<RoleRepresentation> composites = new LinkedList<>();
|
||||
composites.add(compositePart);
|
||||
composites.add(viewUsers);
|
||||
realmClient.realm(TEST).rolesById().addComposites(composite.getId(), composites);
|
||||
}
|
||||
// testRestEvaluationMasterRealm
|
||||
|
|
Loading…
Reference in a new issue