Unable to view childgroup users with view-members permission on the parent group #16966
Open
Area
admin/fine-grained-permissions
Describe the bug
When having the view-members permission on a parent group I am unable to view the users of the corresponding child groups. As there is code that should allow this, I suspect there is a bug. My guess would be it has something to do with this section here:
keycloak/rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/BruteForceUsersResource.java
Lines 148 to 154 in 017ddc6
While debugging I found out that here only the ID for the parent group is returned and then applied to the session. getGroupsWithViewPermission() does not return the IDs of child groups. This again is then used as a filter in the JpaUserProvider. In the response of the searchForUserStream(...) call I can not see the users of the child groups.
Same applies for service account users accessing the /users endpoint. Only users of the parent group are returned.
Version
20.0.3
Expected behavior
The user should be able to see all users that are members of the parent and child groups.
Actual behavior
The user only sees the users that are members of groups he has the view-members permission for (in this case the parent itself).
How to Reproduce?
query-users
and username parent_group_manager
parent
child
parent
parent_group_manager
view-members
permission of the parent
group child
group parent_group_manager
Anything else?
No response
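The filtering behaviour described in this report can be modelled in a few lines. The following is an added example, not Keycloak code and not from the reporter: the class, the method names and the sample users alice, bob and carol are hypothetical. It compares a user search filtered by the directly granted group IDs with one filtered by those IDs plus all descendant groups.

```java
import java.util.*;
import java.util.stream.*;

// Standalone model of the group filter described in the report; not Keycloak code.
// All class, method and sample names below are hypothetical.
public class GroupViewFilterDemo {

    // child group ID -> parent group ID (constructed sample hierarchy)
    static final Map<String, String> PARENT_OF = Map.of("child", "parent");

    // username -> group IDs the user is a direct member of (constructed sample data)
    static final Map<String, Set<String>> MEMBERSHIPS = Map.of(
            "alice", Set.of("parent"),
            "bob", Set.of("child"),
            "carol", Set.of("other"));

    // Expand the directly granted group IDs with every descendant group ID.
    static Set<String> withDescendants(Set<String> granted) {
        Set<String> result = new HashSet<>(granted);
        boolean changed = true;
        while (changed) {                       // repeat until no new subgroup is found
            changed = false;
            for (Map.Entry<String, String> e : PARENT_OF.entrySet()) {
                if (result.contains(e.getValue()) && result.add(e.getKey())) {
                    changed = true;
                }
            }
        }
        return result;
    }

    // Users visible when the search is filtered by the given group IDs.
    static List<String> visibleUsers(Set<String> groupIds) {
        return MEMBERSHIPS.entrySet().stream()
                .filter(e -> !Collections.disjoint(e.getValue(), groupIds))
                .map(Map.Entry::getKey)
                .sorted()
                .collect(Collectors.toList());
    }

    public static void main(String[] args) {
        Set<String> granted = Set.of("parent"); // view-members held on the parent only
        System.out.println("direct IDs only:  " + visibleUsers(granted));
        System.out.println("with descendants: " + visibleUsers(withDescendants(granted)));
    }
}
```

A regression test for this kind of filter should check both directions: members of the child group become visible, and members of unrelated groups such as the constructed "other" group stay hidden.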