Make sure searches by identifiers are filtered

Closes #38679 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2026-02-12 10:19:13 -06:00 · 2025-04-07 09:59:43 -03:00
parent a4ca92ab4d
commit d98ca0a2a2
4 changed files with 37 additions and 1 deletions
--- a/services/src/main/java/org/keycloak/services/resources/admin/ClientsResource.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/ClientsResource.java
@@ -138,7 +138,11 @@ public class ClientsResource {
        } else {
            ClientModel client = realm.getClientByClientId(clientId);
            if (client != null) {
-                clientModels = Stream.of(client);
+                if (AdminPermissionsSchema.SCHEMA.isAdminPermissionsEnabled(realm)) {
+                    clientModels = Stream.of(client).filter(auth.clients()::canView);
+                } else {
+                    clientModels = Stream.of(client);
+                }
            }
        }

--- a/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java
@@ -303,6 +303,9 @@ public class UsersResource {
                        session.users().getUserById(realm, search.substring(SEARCH_ID_PARAMETER.length()).trim());
                if (userModel != null) {
                    userModels = Stream.of(userModel);
+                    if (AdminPermissionsSchema.SCHEMA.isAdminPermissionsEnabled(realm)) {
+                        userModels = userModels.filter(userPermissionEvaluator::canView);
+                    }
                }
            } else {
                Map<String, String> attributes = new HashMap<>();