diff --git a/services/src/main/java/org/keycloak/services/resources/admin/ClientsResource.java b/services/src/main/java/org/keycloak/services/resources/admin/ClientsResource.java
index 9fcf88c0f21..57b2460d65b 100755
--- a/services/src/main/java/org/keycloak/services/resources/admin/ClientsResource.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/ClientsResource.java
@@ -138,7 +138,11 @@ public class ClientsResource {
 } else {
 ClientModel client = realm.getClientByClientId(clientId);
 if (client != null) {
- clientModels = Stream.of(client);
+ if (AdminPermissionsSchema.SCHEMA.isAdminPermissionsEnabled(realm)) {
+ clientModels = Stream.of(client).filter(auth.clients()::canView);
+ } else {
+ clientModels = Stream.of(client);
+ }
 }
 }
diff --git a/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java b/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java
index c68c1a826c1..dc0f129045d 100755
--- a/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java
@@ -303,6 +303,9 @@ public class UsersResource {
 session.users().getUserById(realm, search.substring(SEARCH_ID_PARAMETER.length()).trim());
 if (userModel != null) {
 userModels = Stream.of(userModel);
+ if (AdminPermissionsSchema.SCHEMA.isAdminPermissionsEnabled(realm)) {
+ userModels = userModels.filter(userPermissionEvaluator::canView);
+ }
 }
 } else {
 Map attributes = new HashMap<>();
diff --git a/tests/base/src/test/java/org/keycloak/tests/admin/authz/fgap/ClientResourceTypeFilteringTest.java b/tests/base/src/test/java/org/keycloak/tests/admin/authz/fgap/ClientResourceTypeFilteringTest.java
index 180b904dec0..bcc5b9c154b 100644
--- a/tests/base/src/test/java/org/keycloak/tests/admin/authz/fgap/ClientResourceTypeFilteringTest.java
+++ b/tests/base/src/test/java/org/keycloak/tests/admin/authz/fgap/ClientResourceTypeFilteringTest.java
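Review bot: The added branch in ClientsResource duplicates `Stream.of(client)` on both sides of the feature check, whereas the UsersResource hunk in this same commit builds the stream once and then conditionally narrows it; the same shape here would be `clientModels = Stream.of(client);` followed by `if (AdminPermissionsSchema.SCHEMA.isAdminPermissionsEnabled(realm)) { clientModels = clientModels.filter(auth.clients()::canView); }`. A short comment on the filter would also help, e.g. `// FGAP: a client the caller may not view is reported as no match, same as an unknown clientId`, since the test added in this commit relies on that empty result rather than a 403. When fine-grained permissions are disabled the lookup is not filtered here at all, so the legacy path presumably relies on a view check later in the method; that is outside the hunk and should be confirmed. The enclosing method starts and ends outside the hunk.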
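Review bot: The FGAP filter in UsersResource is applied only in the `id:` lookup branch; the attribute-search `else` branch that begins at the end of the hunk receives nothing here, so whether its results are narrowed by `userPermissionEvaluator` must come from code outside the hunk and should be checked. A one-line comment above the new `if` would help the next reader, e.g. `// FGAP: an id lookup for a user the caller cannot view returns no result, same as an unknown id`. `userPermissionEvaluator` and `session` are defined outside the hunk, and the enclosing method starts and ends outside it.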
@@ -136,4 +136,18 @@ public class ClientResourceTypeFilteringTest extends AbstractPermissionTest {
 assertFalse(search.isEmpty());
 assertTrue(search.stream().map(ClientRepresentation::getId).noneMatch(notAllowedClients::contains));
 }
+
+ @Test
+ public void testSearchByClientId() {
+ String expectedClientId = "client-0";
+ List search = realmAdminClient.realm(realm.getName()).clients().findByClientId(expectedClientId);
+ assertTrue(search.isEmpty());
+
+ UserPolicyRepresentation allowPolicy = createUserPolicy(realm, client,"Only My Admin User Policy", realm.admin().users().search("myadmin").get(0).getId());
+ createPermission(client, expectedClientId, CLIENTS_RESOURCE_TYPE, Set.of(VIEW), allowPolicy);
+ search = realmAdminClient.realm(realm.getName()).clients().findByClientId(expectedClientId);
+ assertFalse(search.isEmpty());
+ assertEquals(1, search.size());
+ assertEquals(search.get(0).getClientId(), expectedClientId);
+ }
 }
diff --git a/tests/base/src/test/java/org/keycloak/tests/admin/authz/fgap/UserResourceTypeFilteringTest.java b/tests/base/src/test/java/org/keycloak/tests/admin/authz/fgap/UserResourceTypeFilteringTest.java
index 04ac020a22a..541ddb72233 100644
--- a/tests/base/src/test/java/org/keycloak/tests/admin/authz/fgap/UserResourceTypeFilteringTest.java
+++ b/tests/base/src/test/java/org/keycloak/tests/admin/authz/fgap/UserResourceTypeFilteringTest.java
@@ -20,6 +20,7 @@ package org.keycloak.tests.admin.authz.fgap;
 import static org.hamcrest.CoreMatchers.is;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.empty;
+import static org.hamcrest.Matchers.hasSize;
 import static org.hamcrest.Matchers.not;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
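Review bot: `assertEquals(search.get(0).getClientId(), expectedClientId)` at the end of testSearchByClientId has its arguments reversed; JUnit takes the expected value first, so a failure message would read backwards — `assertEquals(expectedClientId, search.get(0).getClientId());`. The test also proves only the positive side: after granting VIEW on `client-0` it never checks that a client without such a permission is still hidden, so the same assertions would pass if the filter were switched on by the mere presence of any permission rather than evaluated per resource; a final `assertTrue(realmAdminClient.realm(realm.getName()).clients().findByClientId(<a clientId with no VIEW grant>).isEmpty());` closes that gap. The `assertFalse(search.isEmpty())` immediately before `assertEquals(1, search.size())` is redundant and can go.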
@@ -337,4 +338,18 @@ public class UserResourceTypeFilteringTest extends AbstractPermissionTest {
 assertThat(realmAdminClient.realm(realm.getName()).users().list(), not(empty()));
 }
+
+ @Test
+ public void testSearchById() {
+ UserRepresentation expected = realm.admin().users().search("user-0").get(0);
+ assertThat(realmAdminClient.realm(realm.getName()).users().search("id:" + expected.getId(), -1, -1), hasSize(0));
+ UserPolicyRepresentation negativePolicy = createUserPolicy(realm, client,"Only My Admin User Policy", realm.admin().users().search("myadmin").get(0).getId());
+ createPermission(client, expected.getId(), USERS_RESOURCE_TYPE, Set.of(VIEW), negativePolicy);
+ List search = realmAdminClient.realm(realm.getName()).users().search(null, 0, 10);
+ assertFalse(search.isEmpty());
+ assertThat(search, Matchers.hasSize(1));
+ UserRepresentation user = search.get(0);
+ assertThat(user.getUsername(), Matchers.is("user-0"));
+ assertThat(realmAdminClient.realm(realm.getName()).users().search("id:" + user.getId(), -1, -1), hasSize(1));
+ }
 }
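Review bot: `negativePolicy` in testSearchById is a misleading name: it is the user policy that grants the test admin VIEW on `user-0`, the same construct ClientResourceTypeFilteringTest in this commit calls `allowPolicy`, so it should be renamed to match. With `hasSize` now statically imported (and `is` already imported from CoreMatchers), the qualified `Matchers.hasSize(1)` and `Matchers.is("user-0")` in the middle of the method are inconsistent with the unqualified `hasSize(0)`/`hasSize(1)` calls around them; use the imported forms. Asserting `hasSize(1)` on `search(null, 0, 10)` also assumes no other VIEW grant exists in the realm when this test runs, which may hold for the fixture but deserves a one-line comment.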