fixed permissions for locale fetch (#23078)

fixes: #23065
Erik Jan de Wit 2023-09-11 21:00:40 +02:00 committed by GitHub
parent d34a371971
commit c7dcef7af8
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -26,6 +26,7 @@ import org.keycloak.http.FormPartValue;
import org.keycloak.models.KeycloakSession; import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ModelDuplicateException; import org.keycloak.models.ModelDuplicateException;
import org.keycloak.models.RealmModel; import org.keycloak.models.RealmModel;
import org.keycloak.services.ForbiddenException;
import org.keycloak.services.resources.KeycloakOpenAPI; import org.keycloak.services.resources.KeycloakOpenAPI;
import org.keycloak.services.resources.admin.permissions.AdminPermissionEvaluator; import org.keycloak.services.resources.admin.permissions.AdminPermissionEvaluator;
@ -48,6 +49,7 @@ import jakarta.ws.rs.Produces;
import jakarta.ws.rs.QueryParam; import jakarta.ws.rs.QueryParam;
import jakarta.ws.rs.core.MediaType; import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.MultivaluedMap; import jakarta.ws.rs.core.MultivaluedMap;
import org.keycloak.services.resources.admin.permissions.AdminPermissions;
import org.keycloak.util.JsonSerialization; import org.keycloak.util.JsonSerialization;
import org.keycloak.utils.StringUtil; import org.keycloak.utils.StringUtil;
@ -157,7 +159,9 @@ public class RealmLocalizationResource {
@Operation() @Operation()
public Map<String, String> getRealmLocalizationTexts(@PathParam("locale") String locale, public Map<String, String> getRealmLocalizationTexts(@PathParam("locale") String locale,
@Deprecated @QueryParam("useRealmDefaultLocaleFallback") Boolean useFallback) { @Deprecated @QueryParam("useRealmDefaultLocaleFallback") Boolean useFallback) {
auth.requireAnyAdminRole(); if (!AdminPermissions.realms(session, auth.adminAuth()).isAdmin()) {
throw new ForbiddenException();
}
// this fallback is no longer needed since the fix for #15845, don't forget to remove it from the API // this fallback is no longer needed since the fix for #15845, don't forget to remove it from the API
if (useFallback != null && useFallback) { if (useFallback != null && useFallback) {
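Review bot: The new guard at the top of getRealmLocalizationTexts swaps `auth.requireAnyAdminRole()` for a hand-built evaluator, `AdminPermissions.realms(session, auth.adminAuth()).isAdmin()`, without recording which callers are now meant to pass. The hunk does not show whether that evaluator is bound to the same realm as `auth`, so a reader cannot tell if the endpoint now admits admins of other realms or only changes how the same check is made. Since this is an authorization decision on a realm-scoped resource, I would state the intended scope directly above the `if`, for example `// Intentionally not auth.requireAnyAdminRole(): <who may read these texts and why>, see #23065`. A test asserting that a caller without any admin role still receives a 403 from this endpoint would pin the behaviour. The method body continues past the end of the hunk.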