Cannot access subgroups with just "view-users" role except in new tab - javascript error #17861
Comments
I know view-users is a composite role of query-groups. This does not affect the bug report in any way.
Moving this issue to keycloak-ui repo.
Any thoughts on the correct behavior? Should the subgroups contain the "access" key or should the interface not require it?
@Leaveyou Sorry it has taken some time to get around to doing the analysis for this one. Yes, the subgroups should include the
@edewit I'm assigning this to you since it deals with the REST extensions. I am attaching a test realm you can import to see the bug. If you log in to the test realm as user The call to Then when this line is called, the crash happens: https://github.com/keycloak/keycloak-ui/blob/60d10d88bd979d998d923d7acd5af954cf12e263/apps/admin-ui/src/groups/Members.tsx#L50 @edewit Note that this realm has a different configuration than the one for the other test realm I sent you.
Much love <3
@Leaveyou The fix should be in the latest nightly build. Would be great if you could try it out and make sure it works for your exact configuration. Please let us know how it goes if you can try it.
Before reporting an issue
Area
admin/ui
Describe the bug
In the new admin theme, if my user has the 'view-users' role of the realm-management client I am able to see and access the "Users" and "Groups" menu items. I can access them and list groups, but I am not able to click on a subgroup due to error "r().access is undefined". I am however able to list the subgroup contents in a new tab by middle-clicking.
I can also list the subgroups if I have the "manage-users" role but that is not an option for me since it allows editing user details.
Version
20.0.0
Expected behavior
There should be consistency in subgroup listing. If I can list all groups with the "view-users" role, I should be able to view groups as well as subgroups.
Actual behavior
Subgroups can only be viewed in new tab due to javascript error related to missing "access" key on subgroups.
r().access is undefined
How to Reproduce?
r().access is undefined
Anything else?
I have investigated the requests and it seems when listing groups the first request done is:
realms/Bug/admin-ui-groups?search=&first=0&max=101&global=false
This returns a list of groups containing keys including "subgroups" and "access".
In our case, since we only have the 'view-users' role, the access key contains the following:
However the child group contains no such key:
Now the weird thing is, if I give the user the role "manage-users", the access key of the parent becomes:
And it allows clicking on the Child group although this child still doesn't have the "access" key.
I think "manage": true circumvents that bug but it isn't an option for me. It's also not an option to use the older theme, since it lacks the functionality to add users into groups in the group listing entirely.
Background - fyi
My use case is the following: I want to have users be able to see and browse through groups without being able to edit user details. I will use this functionality with fine-grained permissions in order to have team leaders manage membership of their own groups without letting them edit their users, which is something HR will manage. Setup works. I can add users to subgroups in the users page, but I cannot access the subgroup to add users into it except using "open in new tab".
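A fail-closed way for a client to handle the missing "access" key described in this report, as an added example that is not Keycloak's code and not the fix that was shipped. The helper names, the sample group names, the `view` key and the `subGroups`/`path` field names are assumptions; the report itself only shows `"manage": true`.

```javascript
// Constructed sample shaped like the response described in the issue: the
// parent carries an "access" map, the child group does not. Group names and
// the "view" key are assumptions; only "manage" appears in the report.
const sampleGroups = [
  {
    name: "Parent",
    path: "/Parent",
    access: { view: true, manage: false },
    subGroups: [
      { name: "Child", path: "/Parent/Child", subGroups: [] }, // no "access"
    ],
  },
];

// Fail-closed permission lookup (hypothetical helper): a missing or malformed
// "access" map means "not permitted" instead of a TypeError in the UI.
function can(group, permission) {
  const access = group && group.access;
  if (access === null || typeof access !== "object") return false;
  return access[permission] === true;
}

// Walk the tree and collect the paths of groups returned without "access",
// which is what an API contract test would flag.
function findGroupsMissingAccess(groups, missing = []) {
  for (const group of groups || []) {
    if (group.access === null || typeof group.access !== "object") {
      missing.push(group.path);
    }
    findGroupsMissingAccess(group.subGroups, missing);
  }
  return missing;
}

// Normalise a tree for rendering: every node gets an explicit deny-all
// "access" map when the server omitted one, without mutating the input.
function withDefaultAccess(groups) {
  return (groups || []).map((group) => ({
    ...group,
    access:
      group.access !== null && typeof group.access === "object"
        ? { ...group.access }
        : {},
    subGroups: withDefaultAccess(group.subGroups),
  }));
}
```

Defaulting to deny keeps the view-only user able to browse into the subgroup while edit controls stay hidden; the server remains the place where the permission is actually enforced.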