Admin Console: Realm Dropdown should only show the realms the user has access to #25392
Closed
Labels: area/admin/ui, impact/medium, kind/bug, release/23.0.5, release/24.0.0, team/ui
Comments
I have reproduced this.
edewit added a commit to edewit/keycloak that referenced this issue on Dec 11, 2023
edewit added a commit to edewit/keycloak that referenced this issue on Dec 14, 2023:
fixes: keycloak#25392 Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
hmlnarik pushed a commit that referenced this issue on Jan 2, 2024
hmlnarik pushed a commit to hmlnarik/keycloak that referenced this issue on Jan 2, 2024:
… not leaked to users without the appropriate permissions. keycloak#25679 (keycloak#25683) Closes: keycloak#25392 Closes: keycloak#25679 Signed-off-by: Garth <244253+xgp@users.noreply.github.com> (cherry picked from commit 9be7f0e)
@hmlnarik this seems like a candidate for a v23 backport, WDYT?

When will 23.0.5 or the backports be released?

Shouldn't a CVE ID be requested for this?
kamontat pushed a commit to kamontat/keycloak that referenced this issue on Jan 20, 2024:
… not leaked to users without the appropriate permissions. keycloak#25679 (keycloak#25683) Closes: keycloak#25392 Closes: keycloak#25679 Signed-off-by: Garth <244253+xgp@users.noreply.github.com> Signed-off-by: Kamontat Chantrachirathumrong <14089557+kamontat@users.noreply.github.com>
ShefeeqPM pushed a commit to ShefeeqPM/keycloak that referenced this issue on Jan 27, 2024:
… not leaked to users without the appropriate permissions. keycloak#25679 (keycloak#25683) Closes: keycloak#25392 Closes: keycloak#25679 Signed-off-by: Garth <244253+xgp@users.noreply.github.com> Signed-off-by: ShefeeqPM <86718986+ShefeeqPM@users.noreply.github.com>
ahus1 pushed a commit to ahus1/keycloak that referenced this issue on Mar 22, 2024:
… not leaked to users without the appropriate permissions. keycloak#25679 (keycloak#25683) Closes: keycloak#25392 Closes: keycloak#25679 Signed-off-by: Garth <244253+xgp@users.noreply.github.com>
Area
admin/ui
Describe the bug
Follow-up of discussion: #25342
Basically, when accessing a realm-specific admin console the user sees all the realms available on the Keycloak instance, even though the user does not have access to those.
This seems to be a regression with version 23, as this was not the case with v22 and prior.
Version
23.0.1
Expected behavior
Admin should only see the realms he has access to. For non-master realm admin consoles there might not be a dropdown necessary at all (as only master realm admins can have cross-realm permissions afaik).
Actual behavior
In the realm-specific admin console the admin can see all realms available on the Keycloak instance, even the ones he does not have access to.
How to Reproduce?
Anything else?
Looks like the newly introduced endpoint for listing the realms for the dropdown does not filter on the user permissions at all:
keycloak/rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/UIRealmsResource.java, lines 48 to 51 in 925c557
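To make the missing check concrete, here is an added model of the filter the issue asks for. It is example code written for this page, not Keycloak's code and not the fix referenced in the commits above. Assumptions, all of them labelled in the code: a caller is described by the realm it logged into, its realm roles and its client roles keyed by client ID; cross-realm grants for master-realm admins live on clients named `<realm>-realm` and realm-local grants on the `realm-management` client; the `ADMIN_ROLES` subset that counts as "has access to a realm" is a hypothetical choice. The unfiltered function reproduces the reported behaviour, the filtered one the expected behaviour, and `leaked_realms` reports the difference.

```python
"""Realm-dropdown permission filter (added illustration, not Keycloak code)."""
from dataclasses import dataclass, field

# Hypothetical subset of realm-management roles treated as "can see this realm".
ADMIN_ROLES = frozenset({"realm-admin", "view-realm", "manage-realm"})


@dataclass
class AdminAuth:
    """What the endpoint knows about the caller (assumed shape)."""
    realm: str                                   # realm the admin console was opened for
    realm_roles: frozenset = field(default_factory=frozenset)
    client_roles: dict = field(default_factory=dict)  # client ID -> set of role names


def list_realms_unfiltered(all_realms):
    """The reported behaviour: every realm on the instance, regardless of caller."""
    return sorted(all_realms)


def list_realms_filtered(all_realms, auth):
    """The expected behaviour: only realms the caller administers."""
    if auth.realm != "master":
        # A non-master admin can at most manage the realm it logged into
        # (assumption from the issue: cross-realm grants exist only in master).
        local = auth.client_roles.get("realm-management", set())
        if local & ADMIN_ROLES and auth.realm in all_realms:
            return [auth.realm]
        return []
    if "admin" in auth.realm_roles:
        # Master-realm "admin" is the global super-user role.
        return sorted(all_realms)
    # Delegated master admin: one "<realm>-realm" client per target realm (assumed naming).
    return sorted(
        r for r in all_realms
        if auth.client_roles.get(f"{r}-realm", set()) & ADMIN_ROLES
    )


def leaked_realms(all_realms, auth):
    """Realm names the unfiltered endpoint would expose to this caller without a grant."""
    return set(list_realms_unfiltered(all_realms)) - set(list_realms_filtered(all_realms, auth))


# Constructed sample data, not from any real deployment.
REALMS = frozenset({"master", "acme", "contoso", "internal"})
MASTER_SUPERUSER = AdminAuth("master", realm_roles=frozenset({"admin"}))
ACME_DELEGATE = AdminAuth("master", client_roles={"acme-realm": {"view-realm"}})
CONTOSO_LOCAL_ADMIN = AdminAuth("contoso", client_roles={"realm-management": {"realm-admin"}})
CONTOSO_PLAIN_USER = AdminAuth("contoso")


if __name__ == "__main__":
    for name, auth in [("master superuser", MASTER_SUPERUSER),
                       ("acme delegate", ACME_DELEGATE),
                       ("contoso local admin", CONTOSO_LOCAL_ADMIN),
                       ("contoso plain user", CONTOSO_PLAIN_USER)]:
        print(f"{name:20} sees {list_realms_filtered(REALMS, auth)} "
              f"leak without filter: {sorted(leaked_realms(REALMS, auth))}")
```

The point the commits above make ("not leaked to users without the appropriate permissions") is the `leaked_realms` difference: for everyone but the master superuser the unfiltered listing discloses realm names the caller has no grant on, which is why the thread asks whether a CVE ID is warranted.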