Merge pull request #2926 from mposolda/master

KEYCLOAK-3105 Can't access single realm with the admin user from mast…
Stian Thorgersen 2016-06-13 14:50:19 +02:00 committed by GitHub
commit bdaba4c85a
2 changed files with 14 additions and 4 deletions


@ -105,15 +105,16 @@ public class RealmsAdminResource {
ClientModel adminApp = auth.getRealm().getClientByClientId(realmManager.getRealmAdminClientId(auth.getRealm())); ClientModel adminApp = auth.getRealm().getClientByClientId(realmManager.getRealmAdminClientId(auth.getRealm()));
addRealmRep(reps, auth.getRealm(), adminApp); addRealmRep(reps, auth.getRealm(), adminApp);
} }
if (reps.isEmpty()) {
throw new ForbiddenException();
}
logger.debug(("getRealms()")); logger.debug(("getRealms()"));
return reps; return reps;
} }
protected void addRealmRep(List<RealmRepresentation> reps, RealmModel realm, ClientModel realmManagementClient) { protected void addRealmRep(List<RealmRepresentation> reps, RealmModel realm, ClientModel realmManagementClient) {
if (!auth.hasOneOfAppRole(realmManagementClient, AdminRoles.ALL_REALM_ROLES)) {
throw new ForbiddenException();
}
if (auth.hasAppRole(realmManagementClient, AdminRoles.VIEW_REALM)) { if (auth.hasAppRole(realmManagementClient, AdminRoles.VIEW_REALM)) {
reps.add(ModelToRepresentation.toRepresentation(realm, false)); reps.add(ModelToRepresentation.toRepresentation(realm, false));
} else if (auth.hasOneOfAppRole(realmManagementClient, AdminRoles.ALL_REALM_ROLES)) { } else if (auth.hasOneOfAppRole(realmManagementClient, AdminRoles.ALL_REALM_ROLES)) {
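Review bot: addRealmRep carries no comment saying that a realm on which the caller holds no realm-management role is skipped silently, although after this change that skip looks like the only thing keeping such realms out of the list. The +/- markers are lost on this page, so I am inferring from the commit title that the `throw new ForbiddenException()` inside addRealmRep is the removed side and the `reps.isEmpty()` check in getRealms() is the added one. I would add a comment above the `if` chain, e.g. `// No role on this realm: add nothing. getRealms() answers 403 only when no realm at all is visible to the caller.`, and a one-line Javadoc on addRealmRep stating that it must not throw for a single unauthorised realm. The method body continues past the end of the hunk, so what the `else if (auth.hasOneOfAppRole(...))` branch puts into `reps` cannot be checked from here.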


@ -182,6 +182,15 @@ public class PermissionsTest extends AbstractKeycloakTest {
Assert.assertNames(realms, REALM_NAME); Assert.assertNames(realms, REALM_NAME);
assertNotNull(realms.get(0).getAccessTokenLifespan()); assertNotNull(realms.get(0).getAccessTokenLifespan());
// Check the same when access with users from 'master' realm
realms = clients.get("master-" + AdminRoles.VIEW_USERS).realms().findAll();
Assert.assertNames(realms, REALM_NAME);
assertGettersEmpty(realms.get(0));
realms = clients.get("master-" + AdminRoles.VIEW_REALM).realms().findAll();
Assert.assertNames(realms, REALM_NAME);
assertNotNull(realms.get(0).getAccessTokenLifespan());
// Create realm // Create realm
invoke(new Invocation() { invoke(new Invocation() {
public void invoke(RealmResource realm) { public void invoke(RealmResource realm) {
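Review bot: The master-realm checks visible here cover only callers that hold a role on the realm (`clients.get("master-" + AdminRoles.VIEW_USERS)` and `clients.get("master-" + AdminRoles.VIEW_REALM)`). Nothing in these lines exercises the denial path, where a master-realm caller with no realm-management role on REALM_NAME should get a 403 from `realms().findAll()` through the `reps.isEmpty()` check. Such a case may exist elsewhere in PermissionsTest, since the enclosing test method starts and ends outside this hunk. If it does not, I would add one next to these assertions, introduced by a comment such as `// Master-realm user without any role on REALM_NAME must be refused, not given an empty list`. That pins the authorization boundary this commit moves, so a later refactor cannot turn the 403 into an empty 200 response unnoticed.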