Details
-
Bug
-
Resolution: Done
-
Major
-
RH-SSO-7.2.4.GA
-
Keycloak Sprint 12, Keycloak Sprint 13
Description
A user, which has only the role “query-users”, should not be able to list all clients.
First look in the source code:
org.keycloak.services.resources.admin.ClientsResource#getClients if (clientId == null || clientId.trim().equals("")) { auth.clients().requireList(); org.keycloak.services.resources.admin.permissions.ClientPermissions#canList: root.hasAnyAdminRole(); org.keycloak.services.resources.admin.permissions.MgmtPermissions#hasAnyAdminRole AdminRoles.ALL_REALM_ROLES org.keycloak.models.AdminRoles public static String[] ALL_REALM_ROLES = {CREATE_CLIENT, VIEW_REALM, VIEW_USERS, VIEW_CLIENTS, VIEW_EVENTS, VIEW_IDENTITY_PROVIDERS, VIEW_AUTHORIZATION, MANAGE_REALM, MANAGE_USERS, MANAGE_CLIENTS, MANAGE_EVENTS, MANAGE_IDENTITY_PROVIDERS, MANAGE_AUTHORIZATION, QUERY_USERS, QUERY_CLIENTS, QUERY_REALMS, QUERY_GROUPS};
-> so it is possible to query clients if the user has one of the roles listed in the ALL_REALM_ROLES array.
Attachments
Issue Links
- is related to
-
-
- Closed
-