
Users without view-realm can't see user lockout state in Admin UI  #34065

@xgp

Description

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

admin/ui

Describe the bug

If a user has view-users, query-users, query-groups and manage-users roles but not view-realm (in realm-management), they are unable to see user lockout state in Admin UI.

This set of realm-management permissions is common for a user in a "customer support" role. One of the use cases for this persona is the ability to see and toggle user lockout state.

Version

26.0.0

Regression

  • The issue is a regression

Expected behavior

The user should be able to see the lockout state in the Users list (screenshot omitted) and toggle the lockout state in the user form (screenshot omitted).

Actual behavior

The lockout state and the lockout toggle are hidden from the user.

How to Reproduce?

  1. Create a realm.
  2. Create user1 in that realm with the view-users, query-users, query-groups and manage-users roles.
  3. Create a separate user2 with no other roles.
  4. Configure brute force detection with a small number of failed logins to produce a temporary lockout.
  5. Attempt to log in as user2 to the account console with a bad password more times than the failed-login threshold.
  6. Log into the new realm's security admin console as the user1 you created.
  7. Find user2 in the Users tab; observe that the lockout state is not visible in the list.
  8. Click on the user; observe that the lockout toggle is not visible in the form.

Anything else?

Relevant code is in the EditUser.tsx form, where it looks in the realm to see if it has the bruteForceProtected flag enabled:
https://github.com/keycloak/keycloak/blob/26.0.0/js/apps/admin-ui/src/user/EditUser.tsx#L156

The flag is absent when the user lacks view-realm, because the RealmAdminResource only returns a few realm attributes in that case:
https://github.com/keycloak/keycloak/blob/26.0.0/services/src/main/java/org/keycloak/services/resources/admin/RealmAdminResource.java#L381-L390
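The root cause in miniature, as an added illustration (not Keycloak's code): a gate that keys only on `bruteForceProtected` cannot tell "the realm has brute force detection disabled" apart from "the caller was not allowed to see that field". The reduced `limitedRealm` shape and the tri-state `bruteForceState` helper are assumptions for the illustration, not what the admin UI or server actually do.

```typescript
// Minimal shape of what the Admin UI reads from GET /admin/realms/{realm}.
// Only the one field the issue discusses is modelled here.
interface RealmRepresentation {
  realm: string;
  // Assumption: omitted (not set to false) when the caller lacks view-realm.
  bruteForceProtected?: boolean;
}

// Constructed sample: what a caller holding view-realm sees.
const fullRealm: RealmRepresentation = {
  realm: "support-demo",
  bruteForceProtected: true,
};

// Constructed sample: the reduced representation a caller with only
// view-users/query-users/query-groups/manage-users gets back.
const limitedRealm: RealmRepresentation = { realm: "support-demo" };

// Gate as described in the issue: render the lockout UI only when the
// flag is true. With the reduced representation this is false even though
// brute force detection is enabled for the realm.
function showsLockoutUi(realm: RealmRepresentation): boolean {
  return realm.bruteForceProtected === true;
}

// Tri-state reading that keeps "unknown because of permissions" distinct
// from "disabled", so a caller can fall back to another source of truth
// instead of silently hiding the control (hypothetical handling).
type BruteForceState = "enabled" | "disabled" | "unknown";

function bruteForceState(realm: RealmRepresentation): BruteForceState {
  if (realm.bruteForceProtected === undefined) {
    return "unknown";
  }
  return realm.bruteForceProtected ? "enabled" : "disabled";
}
```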
