From fb978de0d85d7c8b2f1f6ce4d9e11509f46d5266 Mon Sep 17 00:00:00 2001
From: Sebastian Schuster <sebastian.schuster@bosch.io>
Date: Wed, 22 Jun 2022 18:19:40 +0200
Subject: [PATCH] 12653 check if fine-grained permissions are enabled before
 retrieving group memberships of users

---
 .../services/resources/admin/permissions/UserPermissions.java   | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/services/src/main/java/org/keycloak/services/resources/admin/permissions/UserPermissions.java b/services/src/main/java/org/keycloak/services/resources/admin/permissions/UserPermissions.java
index 2835b64a8b..dc5a0d26e9 100644
--- a/services/src/main/java/org/keycloak/services/resources/admin/permissions/UserPermissions.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/permissions/UserPermissions.java
@@ -587,10 +587,12 @@ class UserPermissions implements UserPermissionEvaluator, UserPermissionManageme
     }
 
     private boolean canManageByGroup(UserModel user) {
+        if (authz == null) return false;
         return evaluateHierarchy(user, (group) -> root.groups().canManageMembers(group));
 
     }
     private boolean canViewByGroup(UserModel user) {
+        if (authz == null) return false;
         return evaluateHierarchy(user, (group) -> root.groups().getGroupsWithViewPermission(group));
     }