
Unable to view childgroup users with view-members permission on the parent group #16966

Open
2 tasks done
antikalk opened this issue Feb 9, 2023 · 1 comment
Labels
area/admin/fine-grained-permissions kind/enhancement Categorizes a PR related to an enhancement
Milestone

Comments

@antikalk
Contributor

antikalk commented Feb 9, 2023

Before reporting an issue

  • I have searched existing issues
  • I have reproduced the issue with the latest release

Area

admin/fine-grained-permissions

Describe the bug

When I have the view-members permission on a parent group, I am unable to view the users of the corresponding child groups. As there is code that should allow this, I suspect there is a bug.

My guess would be it has something to do with this section here:

```java
// The caller has no global permission to view users: restrict the user search
// to the groups on which the caller holds the view-members permission.
if (!auth.users().canView()) {
    Set<String> groupModels = auth.groups().getGroupsWithViewPermission();
    if (!groupModels.isEmpty()) {
        // The group IDs stored here are later used as a filter in JpaUserProvider.
        session.setAttribute(UserModel.GROUPS, groupModels);
    }
}
```

While debugging I found out that here only the ID of the parent group is returned and then applied to the session. getGroupsWithViewPermission() does not return the IDs of child groups. This is then used as a filter in the JpaUserProvider. In the response of the searchForUserStream(...) call I cannot see the users of the child groups.

The same applies to service account users accessing the /users endpoint. Only users of the parent group are returned.

Version

20.0.3

Expected behavior

The user should be able to see all users that are members of the parent and child groups.

Actual behavior

The user only sees the users that are members of groups he has the view-members permission for (in this case the parent itself).

How to Reproduce?

  1. Create a user with role query-users and username parent_group_manager
  2. Create a group with the name parent
  3. Create a subgroup of group parent with the name child
  4. Now enable permissions for group parent
  5. Add a user policy for the created user parent_group_manager
  6. Add this policy to the view-members permission of the parent group
  7. Add some users to the child group
  8. Log in to the admin UI as the user parent_group_manager
  9. Head to the users page and see that it is empty...

Anything else?

No response
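The following is an added illustration of the filtering logic the report describes, not code from Keycloak or from the issue author. It models a small group tree and a set of user memberships as constructed sample data and contrasts two ways of building the group filter: the behaviour observed in the report (only the groups on which view-members was granted) and the expected behaviour (those groups plus all of their subgroups, computed as a cycle-safe transitive closure). The method names `directOnly`, `withSubgroups` and `visibleUsers` and the group and user names are assumptions for the example; the `CHILDREN` and `USER_GROUPS` maps stand in for the group hierarchy and membership that Keycloak would otherwise load from its store.

```java
import java.util.ArrayDeque;
import java.util.Collections;
import java.util.Deque;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import java.util.stream.Collectors;

public class GroupViewScope {

    // Constructed sample group tree: group id -> ids of its direct subgroups.
    // "parent" contains "child", which contains "grandchild"; "other" is unrelated.
    static final Map<String, List<String>> CHILDREN = Map.of(
        "parent", List.of("child"),
        "child", List.of("grandchild"),
        "grandchild", List.of(),
        "other", List.of()
    );

    // Constructed sample memberships: user -> groups the user is a direct member of.
    static final Map<String, Set<String>> USER_GROUPS = Map.of(
        "alice", Set.of("parent"),
        "bob", Set.of("child"),
        "carol", Set.of("grandchild"),
        "dave", Set.of("other")
    );

    /** Behaviour described in the report: the filter is exactly the granted groups. */
    static Set<String> directOnly(Set<String> grantedGroups) {
        return new HashSet<>(grantedGroups);
    }

    /**
     * Expected behaviour: every granted group plus all of its descendants.
     * Iterative depth-first walk; the visited set makes it safe even if the
     * hierarchy data were to contain a cycle.
     */
    static Set<String> withSubgroups(Set<String> grantedGroups) {
        Set<String> effective = new HashSet<>();
        Deque<String> work = new ArrayDeque<>(grantedGroups);
        while (!work.isEmpty()) {
            String group = work.pop();
            if (effective.add(group)) {
                work.addAll(CHILDREN.getOrDefault(group, List.of()));
            }
        }
        return effective;
    }

    /** Membership filter in the spirit of the JpaUserProvider: a user is visible
     *  when at least one of their groups is in the allowed set. */
    static Set<String> visibleUsers(Set<String> allowedGroups) {
        return USER_GROUPS.entrySet().stream()
            .filter(e -> !Collections.disjoint(e.getValue(), allowedGroups))
            .map(Map.Entry::getKey)
            .collect(Collectors.toCollection(TreeSet::new));
    }

    public static void main(String[] args) {
        // view-members was granted on the "parent" group only.
        Set<String> granted = Set.of("parent");

        System.out.println("filter (reported):  " + new TreeSet<>(directOnly(granted)));
        System.out.println("users  (reported):  " + visibleUsers(directOnly(granted)));
        System.out.println("filter (expected):  " + new TreeSet<>(withSubgroups(granted)));
        System.out.println("users  (expected):  " + visibleUsers(withSubgroups(granted)));
    }
}
```

Run it with `java GroupViewScope.java`. With the reported behaviour only the direct member of `parent` appears; with the subgroup expansion the members of `child` and `grandchild` are listed as well, while the member of the unrelated group `other` stays hidden in both cases. Note that the expansion deliberately widens what a single view-members grant exposes, so any change along these lines should be covered by a test that checks users in sibling or unrelated groups remain invisible.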

@antikalk antikalk added kind/bug Categorizes a PR related to a bug status/triage labels Feb 9, 2023
antikalk added a commit to antikalk/keycloak that referenced this issue Feb 15, 2023
@pedroigor pedroigor added this to the Backlog milestone Feb 16, 2023
@pedroigor pedroigor added kind/enhancement Categorizes a PR related to an enhancement and removed kind/bug Categorizes a PR related to a bug labels Feb 16, 2023
@antikalk
Contributor Author

I have created a branch in which I try to address the issue: https://github.com/antikalk/keycloak/tree/issue-16966

Unfortunately this requires me to remove the check if a resource exists for a given group id in the JpaUserStorage. It would be cool if someone could have a look at it and provide feedback :)

antikalk added a commit to antikalk/keycloak that referenced this issue Feb 20, 2023
antikalk added a commit to antikalk/keycloak that referenced this issue Mar 2, 2023
antikalk added a commit to antikalk/keycloak that referenced this issue Mar 2, 2023