Merge pull request #2926 from mposolda/master

KEYCLOAK-3105 Can't access single realm with the admin user from mast…

services/src/main/java/org/keycloak/services/resources/admin/RealmsAdminResource.java

@@ -105,15 +105,16 @@ public class RealmsAdminResource {
             ClientModel adminApp = auth.getRealm().getClientByClientId(realmManager.getRealmAdminClientId(auth.getRealm()));
             addRealmRep(reps, auth.getRealm(), adminApp);
         }
+
+        if (reps.isEmpty()) {
+            throw new ForbiddenException();
+        }
+
         logger.debug(("getRealms()"));
         return reps;
     }
 
     protected void addRealmRep(List<RealmRepresentation> reps, RealmModel realm, ClientModel realmManagementClient) {
-        if (!auth.hasOneOfAppRole(realmManagementClient, AdminRoles.ALL_REALM_ROLES)) {
-            throw new ForbiddenException();
-        }
-
         if (auth.hasAppRole(realmManagementClient, AdminRoles.VIEW_REALM)) {
             reps.add(ModelToRepresentation.toRepresentation(realm, false));
         } else if (auth.hasOneOfAppRole(realmManagementClient, AdminRoles.ALL_REALM_ROLES)) {

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/PermissionsTest.java

@@ -182,6 +182,15 @@ public class PermissionsTest extends AbstractKeycloakTest {
         Assert.assertNames(realms, REALM_NAME);
         assertNotNull(realms.get(0).getAccessTokenLifespan());
 
+        // Check the same when access with users from 'master' realm
+        realms = clients.get("master-" + AdminRoles.VIEW_USERS).realms().findAll();
+        Assert.assertNames(realms, REALM_NAME);
+        assertGettersEmpty(realms.get(0));
+
+        realms = clients.get("master-" + AdminRoles.VIEW_REALM).realms().findAll();
+        Assert.assertNames(realms, REALM_NAME);
+        assertNotNull(realms.get(0).getAccessTokenLifespan());
+
         // Create realm
         invoke(new Invocation() {
             public void invoke(RealmResource realm) {