From c7dcef7af822f3972d746298b553e4599c2fcd98 Mon Sep 17 00:00:00 2001
From: Erik Jan de Wit
Date: Mon, 11 Sep 2023 21:00:40 +0200
Subject: [PATCH] fixed permissions for locale fetch (#23078)

fixes: #23065
---
 .../services/resources/admin/RealmLocalizationResource.java | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/services/src/main/java/org/keycloak/services/resources/admin/RealmLocalizationResource.java b/services/src/main/java/org/keycloak/services/resources/admin/RealmLocalizationResource.java
index 8c2279e55f..bde81b0958 100644
--- a/services/src/main/java/org/keycloak/services/resources/admin/RealmLocalizationResource.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/RealmLocalizationResource.java
@@ -26,6 +26,7 @@ import org.keycloak.http.FormPartValue;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.ModelDuplicateException;
 import org.keycloak.models.RealmModel;
+import org.keycloak.services.ForbiddenException;
 import org.keycloak.services.resources.KeycloakOpenAPI;
 import org.keycloak.services.resources.admin.permissions.AdminPermissionEvaluator;
 
@@ -48,6 +49,7 @@ import jakarta.ws.rs.Produces;
 import jakarta.ws.rs.QueryParam;
 import jakarta.ws.rs.core.MediaType;
 import jakarta.ws.rs.core.MultivaluedMap;
+import org.keycloak.services.resources.admin.permissions.AdminPermissions;
 import org.keycloak.util.JsonSerialization;
 import org.keycloak.utils.StringUtil;
 
@@ -157,7 +159,9 @@ public class RealmLocalizationResource {
 @Operation()
 public Map getRealmLocalizationTexts(@PathParam("locale") String locale, @Deprecated @QueryParam("useRealmDefaultLocaleFallback") Boolean useFallback) {
- auth.requireAnyAdminRole();
+ if (!AdminPermissions.realms(session, auth.adminAuth()).isAdmin()) {
+ throw new ForbiddenException();
+ }
 // this fallback is no longer needed since the fix for #15845, don't forget to remove it from the API
 if (useFallback != null && useFallback) {
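Review bot: The new `import org.keycloak.services.resources.admin.permissions.AdminPermissions;` in the second hunk is placed inside the `jakarta.ws.rs` import group rather than beside the existing `import org.keycloak.services.resources.admin.permissions.AdminPermissionEvaluator;` from the first hunk, which splits the org.keycloak imports across two groups. Moving it up next to `AdminPermissionEvaluator` keeps the package grouping consistent with the rest of the file's import block and makes it easier to see at a glance which permission helpers this resource depends on. The getRealmLocalizationTexts hunk continues past the end of this chunk, so its remaining lines are not reviewed here.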