keycloak-uncached

Merge pull request #4338 from patriot1burke/b_3_2 KEYCLOAK-5205

7/20/2017 3:49:19 PM


diff --git a/services/src/main/java/org/keycloak/forms/account/freemarker/model/ApplicationsBean.java b/services/src/main/java/org/keycloak/forms/account/freemarker/model/ApplicationsBean.java
index de5fd93..f84d475 100755
--- a/services/src/main/java/org/keycloak/forms/account/freemarker/model/ApplicationsBean.java
+++ b/services/src/main/java/org/keycloak/forms/account/freemarker/model/ApplicationsBean.java
@@ -19,6 +19,7 @@ package org.keycloak.forms.account.freemarker.model;
 
 import org.keycloak.common.util.MultivaluedHashMap;
 import org.keycloak.models.ClientModel;
+import org.keycloak.models.Constants;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.ProtocolMapperModel;
 import org.keycloak.models.RealmModel;
@@ -27,8 +28,10 @@ import org.keycloak.models.UserConsentModel;
 import org.keycloak.models.UserModel;
 import org.keycloak.protocol.oidc.TokenManager;
 import org.keycloak.services.managers.UserSessionManager;
+import org.keycloak.services.resources.admin.permissions.AdminPermissions;
 
 import java.util.ArrayList;
+import java.util.HashSet;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Set;
@@ -51,10 +54,17 @@ public class ApplicationsBean {
                 continue;
             }
 
-            Set<RoleModel> availableRoles = TokenManager.getAccess(null, false, client, user);
-            // Don't show applications, which user doesn't have access into (any available roles)
-            if (availableRoles.isEmpty()) {
-                continue;
+            Set<RoleModel> availableRoles = new HashSet<>();
+            if (client.getClientId().equals(Constants.ADMIN_CLI_CLIENT_ID)
+                    || client.getClientId().equals(Constants.ADMIN_CONSOLE_CLIENT_ID)) {
+                if (!AdminPermissions.realms(session, realm, user).isAdmin()) continue;
+
+            } else {
+                availableRoles = TokenManager.getAccess(null, false, client, user);
+                // Don't show applications, which user doesn't have access into (any available roles)
+                if (availableRoles.isEmpty()) {
+                    continue;
+                }
             }
             List<RoleModel> realmRolesAvailable = new LinkedList<RoleModel>();
             MultivaluedHashMap<String, ClientRoleEntry> resourceRolesAvailable = new MultivaluedHashMap<String, ClientRoleEntry>();
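Review bot: In the new branch for the admin CLI and admin console clients, `availableRoles` stays an empty set, so the role lists built after the `if` will presumably be empty for those two entries; a comment such as `// admin clients are listed by admin status, not by scoped roles` would mark that as deliberate. The comparison is safer constant-first, `Constants.ADMIN_CLI_CLIENT_ID.equals(client.getClientId())`, and the unbraced `if (...) continue;` differs from the braced `continue` a few lines below. As far as the visible lines show, `isAdmin()` only filters what the account page displays and should not be taken as an access decision for the console itself. The loop body starts and ends outside the hunk.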
diff --git a/services/src/main/java/org/keycloak/services/resources/admin/ClientResource.java b/services/src/main/java/org/keycloak/services/resources/admin/ClientResource.java
index e7d611e..02063fa 100755
--- a/services/src/main/java/org/keycloak/services/resources/admin/ClientResource.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/ClientResource.java
@@ -562,9 +562,9 @@ public class ClientResource {
     @NoCache
     public ManagementPermissionReference setManagementPermissionsEnabled(ManagementPermissionReference ref) {
         auth.clients().requireManage(client);
-         if (ref.isEnabled()) {
-            AdminPermissionManagement permissions = AdminPermissions.management(session, realm);
-            permissions.clients().setPermissionsEnabled(client, ref.isEnabled());
+        AdminPermissionManagement permissions = AdminPermissions.management(session, realm);
+        permissions.clients().setPermissionsEnabled(client, ref.isEnabled());
+        if (ref.isEnabled()) {
             return toMgmtRef(client, permissions);
         } else {
             return new ManagementPermissionReference();
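Review bot: `ref` appears to be the deserialized request body and is dereferenced at `ref.isEnabled()` without a null check, so an empty body would likely surface as a server error instead of a client error; the same applies to this method in GroupResource.java and RoleContainerResource.java. Because `setPermissionsEnabled` now also runs for `enabled=false`, this endpoint can switch fine-grained permissions off, and nothing in the visible lines records that change as an admin event. I would add a guard such as `if (ref == null) throw new BadRequestException("No permission reference supplied");` after the `requireManage` call (assuming the JAX-RS exception type is available to this class) and a one-line comment that the setter is called for both directions. The method continues past the end of the hunk.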
diff --git a/services/src/main/java/org/keycloak/services/resources/admin/GroupResource.java b/services/src/main/java/org/keycloak/services/resources/admin/GroupResource.java
index 3de46b0..0c0ed89 100755
--- a/services/src/main/java/org/keycloak/services/resources/admin/GroupResource.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/GroupResource.java
@@ -263,9 +263,9 @@ public class GroupResource {
     @NoCache
     public ManagementPermissionReference setManagementPermissionsEnabled(ManagementPermissionReference ref) {
         auth.groups().requireManage(group);
+        AdminPermissionManagement permissions = AdminPermissions.management(session, realm);
+        permissions.groups().setPermissionsEnabled(group, ref.isEnabled());
         if (ref.isEnabled()) {
-            AdminPermissionManagement permissions = AdminPermissions.management(session, realm);
-            permissions.groups().setPermissionsEnabled(group, ref.isEnabled());
             return toMgmtRef(group, permissions);
         } else {
             return new ManagementPermissionReference();
diff --git a/services/src/main/java/org/keycloak/services/resources/admin/permissions/AdminPermissions.java b/services/src/main/java/org/keycloak/services/resources/admin/permissions/AdminPermissions.java
index f809e1d..705b258 100644
--- a/services/src/main/java/org/keycloak/services/resources/admin/permissions/AdminPermissions.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/permissions/AdminPermissions.java
@@ -46,6 +46,10 @@ public class AdminPermissions {
         return new MgmtPermissions(session, auth);
     }
 
+    public static RealmsPermissionEvaluator realms(KeycloakSession session, RealmModel adminsRealm, UserModel admin) {
+        return new MgmtPermissions(session, adminsRealm, admin);
+    }
+
     public static AdminPermissionManagement management(KeycloakSession session, RealmModel realm) {
         return new MgmtPermissions(session, realm);
     }
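Review bot: The new `realms(session, adminsRealm, admin)` factory has no Javadoc, and unlike the factory above it, which passes `auth`, it builds the evaluator from a bare `UserModel`. A comment like `/** Realm-level evaluator for a user looked up outside an admin request, e.g. to ask isAdmin(). */` would tell callers what it is for. Returning the narrower `RealmsPermissionEvaluator` type limits what callers can invoke on the result, which is worth stating as intentional.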
diff --git a/services/src/main/java/org/keycloak/services/resources/admin/permissions/MgmtPermissions.java b/services/src/main/java/org/keycloak/services/resources/admin/permissions/MgmtPermissions.java
index 2df4953..400cee1 100644
--- a/services/src/main/java/org/keycloak/services/resources/admin/permissions/MgmtPermissions.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/permissions/MgmtPermissions.java
@@ -107,6 +107,14 @@ class MgmtPermissions implements AdminPermissionEvaluator, AdminPermissionManage
             this.identity = new KeycloakIdentity(auth.getToken(), session);
         }
     }
+
+    MgmtPermissions(KeycloakSession session, RealmModel adminsRealm, UserModel admin) {
+        this.session = session;
+        this.admin = admin;
+        this.adminsRealm = adminsRealm;
+        this.identity = new UserModelIdentity(adminsRealm, admin);
+    }
+
     MgmtPermissions(KeycloakSession session, RealmModel realm, RealmModel adminsRealm, UserModel admin) {
         this(session, realm);
         this.admin = admin;
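Review bot: The added three-argument constructor assigns `session`, `admin`, `adminsRealm` and `identity` but never `realm`, whereas the four-argument constructor below delegates to `this(session, realm)`. Any method that reads `realm` on an instance built this way would presumably see null; the class body is outside the hunk, so this needs confirming against the rest of the file. A comment on the constructor, `// no target realm: only realm-independent checks such as isAdmin() are valid on this instance`, would document the restriction.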
diff --git a/services/src/main/java/org/keycloak/services/resources/admin/permissions/RolePermissions.java b/services/src/main/java/org/keycloak/services/resources/admin/permissions/RolePermissions.java
index 091d7a5..951e724 100644
--- a/services/src/main/java/org/keycloak/services/resources/admin/permissions/RolePermissions.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/permissions/RolePermissions.java
@@ -136,10 +136,13 @@ class RolePermissions implements RolePermissionEvaluator, RolePermissionManageme
             if (root.admin().hasRole(role)) return true;
 
             ClientModel adminClient = root.getRealmManagementClient();
+            // is this an admin role in 'realm-management' client of the realm we are managing?
             if (adminClient.equals(role.getContainer())) {
                 // if this is realm admin role, then check to see if admin has similar permissions
                 // we do this so that the authz service is invoked
-                if (role.getName().equals(AdminRoles.MANAGE_CLIENTS)) {
+                if (role.getName().equals(AdminRoles.MANAGE_CLIENTS)
+                        || role.getName().equals(AdminRoles.CREATE_CLIENT)
+                        ) {
                     if (!root.clients().canManage()) {
                         return adminConflictMessage(role);
                     } else {
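Review bot: The closing parenthesis left on its own line after `AdminRoles.CREATE_CLIENT` is a formatting leftover; ending the condition with `|| role.getName().equals(AdminRoles.CREATE_CLIENT)) {` keeps the chain readable. Mapping `CREATE_CLIENT` now requires `root.clients().canManage()`, which appears to be a broader privilege than the role being granted, so a short comment saying that is intended would help the next reader. The enclosing method starts and ends outside the hunk.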
@@ -151,6 +154,9 @@ class RolePermissions implements RolePermissionEvaluator, RolePermissionManageme
                     } else {
                         return true;
                     }
+
+                } else if (role.getName().equals(AdminRoles.QUERY_REALMS)) {
+                    return true;
                 } else if (role.getName().equals(AdminRoles.QUERY_CLIENTS)) {
                     return true;
                 } else if (role.getName().equals(AdminRoles.QUERY_USERS)) {
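Review bot: `AdminRoles.QUERY_REALMS` is approved with a bare `return true`, with no permission lookup like the `root.clients().canManage()` call in the branch above. That matches the existing `QUERY_CLIENTS` and `QUERY_USERS` branches, but the reason is not written down in the visible lines. I would put one comment above the group, `// query-* roles expose listings only, so any admin allowed to map roles may grant them`, after confirming that this is the actual rationale. The blank line added before the `else if` can be dropped.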
diff --git a/services/src/main/java/org/keycloak/services/resources/admin/RoleContainerResource.java b/services/src/main/java/org/keycloak/services/resources/admin/RoleContainerResource.java
index 79bb6c8..7ad9d22 100755
--- a/services/src/main/java/org/keycloak/services/resources/admin/RoleContainerResource.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/RoleContainerResource.java
@@ -364,9 +364,9 @@ public class RoleContainerResource extends RoleResource {
             throw new NotFoundException("Could not find role");
         }
 
+        AdminPermissionManagement permissions = AdminPermissions.management(session, realm);
+        permissions.roles().setPermissionsEnabled(role, ref.isEnabled());
         if (ref.isEnabled()) {
-            AdminPermissionManagement permissions = AdminPermissions.management(session, realm);
-            permissions.roles().setPermissionsEnabled(role, ref.isEnabled());
             return RoleByIdResource.toMgmtRef(role, permissions);
         } else {
             return new ManagementPermissionReference();
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/account/AccountTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/account/AccountTest.java
index eba81f4..d817f90 100755
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/account/AccountTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/account/AccountTest.java
@@ -28,6 +28,9 @@ import org.keycloak.admin.client.resource.RealmResource;
 import org.keycloak.events.Details;
 import org.keycloak.events.Errors;
 import org.keycloak.events.EventType;
+import org.keycloak.models.AccountRoles;
+import org.keycloak.models.AdminRoles;
+import org.keycloak.models.Constants;
 import org.keycloak.models.PasswordPolicy;
 import org.keycloak.models.utils.TimeBasedOTP;
 import org.keycloak.representations.idm.ClientRepresentation;
@@ -78,11 +81,18 @@ public class AccountTest extends AbstractTestRealmKeycloakTest {
         //UserRepresentation user = findUserInRealmRep(testRealm, "test-user@localhost");
         //ClientRepresentation accountApp = findClientInRealmRep(testRealm, ACCOUNT_MANAGEMENT_CLIENT_ID);
         UserRepresentation user2 = UserBuilder.create()
-                                              .enabled(true)
-                                              .username("test-user-no-access@localhost")
-                                              .email("test-user-no-access@localhost")
-                                              .password("password")
-                                              .build();
+                .enabled(true)
+                .username("test-user-no-access@localhost")
+                .email("test-user-no-access@localhost")
+                .password("password")
+                .build();
+        UserRepresentation realmAdmin = UserBuilder.create()
+                .enabled(true)
+                .username("realm-admin")
+                .password("password")
+                .role(Constants.REALM_MANAGEMENT_CLIENT_ID, AdminRoles.REALM_ADMIN)
+                .role(Constants.ACCOUNT_MANAGEMENT_CLIENT_ID, AccountRoles.MANAGE_ACCOUNT)
+                .build();
 
         testRealm.addIdentityProvider(IdentityProviderBuilder.create()
                                               .providerId("github")
@@ -105,7 +115,8 @@ public class AccountTest extends AbstractTestRealmKeycloakTest {
                                               .build());
 
         RealmBuilder.edit(testRealm)
-                    .user(user2);
+                    .user(user2)
+                    .user(realmAdmin);
     }
 
     private static final UriBuilder BASE = UriBuilder.fromUri("http://localhost:8180/auth");
@@ -870,6 +881,19 @@ public class AccountTest extends AbstractTestRealmKeycloakTest {
         }
     }
 
+    // KEYCLOAK-5155
+    @Test
+    public void testConsoleListedInApplications() {
+        applicationsPage.open();
+        loginPage.login("realm-admin", "password");
+        Assert.assertTrue(applicationsPage.isCurrent());
+        Map<String, AccountApplicationsPage.AppEntry> apps = applicationsPage.getApplications();
+        Assert.assertThat(apps.keySet(), hasItems("Admin CLI", "Security Admin Console"));
+        events.clear();
+    }
+
+
+
     // More tests (including revoke) are in OAuthGrantTest and OfflineTokenTest
     @Test
     public void applications() {
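Review bot: `testConsoleListedInApplications` covers only the positive case, so it would still pass if the admin clients were listed for every user. Logging in as the existing `test-user-no-access@localhost` account and adding `Assert.assertFalse(apps.containsKey("Security Admin Console"));` (and the same for `"Admin CLI"`) would pin the filter this commit introduces. The three blank lines added after the test can be reduced to one.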
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/FineGrainAdminUnitTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/FineGrainAdminUnitTest.java
index 6f463c9..1854e83 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/FineGrainAdminUnitTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/FineGrainAdminUnitTest.java
@@ -650,6 +650,57 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
         }
 
     }
+
+    // KEYCLOAK-5152
+    @Test
+    public void testMasterRealmWithComposites() throws Exception {
+        RoleRepresentation composite = new RoleRepresentation();
+        composite.setName("composite");
+        composite.setComposite(true);
+        adminClient.realm(TEST).roles().create(composite);
+        composite = adminClient.realm(TEST).roles().get("composite").toRepresentation();
+
+        ClientRepresentation client = adminClient.realm(TEST).clients().findByClientId(Constants.REALM_MANAGEMENT_CLIENT_ID).get(0);
+        RoleRepresentation createClient = adminClient.realm(TEST).clients().get(client.getId()).roles().get(AdminRoles.CREATE_CLIENT).toRepresentation();
+        RoleRepresentation queryRealms = adminClient.realm(TEST).clients().get(client.getId()).roles().get(AdminRoles.QUERY_REALMS).toRepresentation();
+        List<RoleRepresentation> composites = new LinkedList<>();
+        composites.add(createClient);
+        composites.add(queryRealms);
+        adminClient.realm(TEST).rolesById().addComposites(composite.getId(), composites);
+    }
+
+    public static void setup5152(KeycloakSession session) {
+        RealmModel realm = session.realms().getRealmByName(TEST);
+        ClientModel realmAdminClient = realm.getClientByClientId(Constants.REALM_MANAGEMENT_CLIENT_ID);
+        RoleModel realmAdminRole = realmAdminClient.getRole(AdminRoles.REALM_ADMIN);
+
+        UserModel realmUser = session.users().addUser(realm, "realm-admin");
+        realmUser.grantRole(realmAdminRole);
+        realmUser.setEnabled(true);
+        session.userCredentialManager().updateCredential(realm, realmUser, UserCredentialModel.password("password"));
+    }
+
+    // KEYCLOAK-5152
+    @Test
+    public void testRealmWithComposites() throws Exception {
+        testingClient.server().run(FineGrainAdminUnitTest::setup5152);
+
+        Keycloak realmClient = AdminClientUtil.createAdminClient(suiteContext.isAdapterCompatTesting(),
+                TEST, "realm-admin", "password", Constants.ADMIN_CLI_CLIENT_ID, null);
+
+        RoleRepresentation composite = new RoleRepresentation();
+        composite.setName("composite");
+        composite.setComposite(true);
+        realmClient.realm(TEST).roles().create(composite);
+        composite = adminClient.realm(TEST).roles().get("composite").toRepresentation();
+
+        ClientRepresentation client = adminClient.realm(TEST).clients().findByClientId(Constants.REALM_MANAGEMENT_CLIENT_ID).get(0);
+        RoleRepresentation viewUsers = adminClient.realm(TEST).clients().get(client.getId()).roles().get(AdminRoles.CREATE_CLIENT).toRepresentation();
+
+        List<RoleRepresentation> composites = new LinkedList<>();
+        composites.add(viewUsers);
+        realmClient.realm(TEST).rolesById().addComposites(composite.getId(), composites);
+    }
     // testRestEvaluationMasterRealm
     // testRestEvaluationMasterAdminTestRealm
 
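Review bot: Neither `testMasterRealmWithComposites` nor `testRealmWithComposites` asserts anything, so they fail only if a call throws; reading the composites back and checking them would make the KEYCLOAK-5152 expectation explicit. In `testRealmWithComposites` the variable `viewUsers` actually holds `AdminRoles.CREATE_CLIENT` and would read better as `createClient`, and the `Keycloak realmClient` is never closed in the visible lines. Both tests create a realm role named `composite` in `TEST` and do not remove it, so they may interfere with each other depending on how the realm is reset between tests.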
diff --git a/themes/src/main/resources/theme/base/admin/resources/js/authz/authz-controller.js b/themes/src/main/resources/theme/base/admin/resources/js/authz/authz-controller.js
index 36ecfaf..14c9392 100644
--- a/themes/src/main/resources/theme/base/admin/resources/js/authz/authz-controller.js
+++ b/themes/src/main/resources/theme/base/admin/resources/js/authz/authz-controller.js
@@ -2538,16 +2538,17 @@ module.controller('RealmRolePermissionsCtrl', function($scope, $http, $route, $l
     $scope.realm = realm;
     RoleManagementPermissions.get({realm: realm.realm, role: role.id}, function(data) {
         $scope.permissions = data;
+        $scope.$watch('permissions.enabled', function(newVal, oldVal) {
+            if (newVal != oldVal) {
+                console.log('Changing permissions enabled to: ' + $scope.permissions.enabled);
+                var param = {enabled: $scope.permissions.enabled};
+                $scope.permissions= RoleManagementPermissions.update({realm: realm.realm, role:role.id}, param);
+            }
+        }, true);
     });
     Client.query({realm: realm.realm, clientId: getManageClientId(realm)}, function(data) {
         $scope.realmManagementClientId = data[0].id;
     });
-    $scope.setEnabled = function() {
-        var param = { enabled: $scope.permissions.enabled};
-        $scope.permissions= RoleManagementPermissions.update({realm: realm.realm, role:role.id}, param);
-    };
-
-
 });
 module.controller('ClientRolePermissionsCtrl', function($scope, $http, $route, $location, realm, client, role, Client, RoleManagementPermissions, Client, Notifications) {
     console.log('RealmRolePermissionsCtrl');
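Review bot: The `RoleManagementPermissions.update` call inside the new watcher has no error callback, so if the server refuses the change the switch keeps showing the new value while the stored setting is unchanged; the same holds for the identical watchers added to ClientRolePermissionsCtrl, UsersPermissionsCtrl, ClientPermissionsCtrl and GroupPermissionsCtrl. For a control that turns permission enforcement on or off, the controller should re-read the state from the server on failure. The `console.log` is debug output, `newVal != oldVal` should use `!==`, and the deep-watch flag `true` is unnecessary for a boolean. The five copies of this watcher could share one helper function.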
@@ -2556,33 +2557,39 @@ module.controller('ClientRolePermissionsCtrl', function($scope, $http, $route, $
     $scope.realm = realm;
     RoleManagementPermissions.get({realm: realm.realm, role: role.id}, function(data) {
         $scope.permissions = data;
+        $scope.$watch('permissions.enabled', function(newVal, oldVal) {
+            if (newVal != oldVal) {
+                console.log('Changing permissions enabled to: ' + $scope.permissions.enabled);
+                var param = {enabled: $scope.permissions.enabled};
+                $scope.permissions = RoleManagementPermissions.update({realm: realm.realm, role:role.id}, param);
+            }
+        }, true);
     });
     Client.query({realm: realm.realm, clientId: getManageClientId(realm)}, function(data) {
         $scope.realmManagementClientId = data[0].id;
     });
-    $scope.setEnabled = function() {
-        console.log('perssions enabled: ' + $scope.permissions.enabled);
-        var param = { enabled: $scope.permissions.enabled};
-        $scope.permissions = RoleManagementPermissions.update({realm: realm.realm, role:role.id}, param);
-    };
-
-
 });
 
 module.controller('UsersPermissionsCtrl', function($scope, $http, $route, $location, realm, UsersManagementPermissions, Client, Notifications) {
     console.log('UsersPermissionsCtrl');
     $scope.realm = realm;
+    var first = true;
     UsersManagementPermissions.get({realm: realm.realm}, function(data) {
         $scope.permissions = data;
+        $scope.$watch('permissions.enabled', function(newVal, oldVal) {
+            if (newVal != oldVal) {
+                console.log('Changing permissions enabled to: ' + $scope.permissions.enabled);
+                var param = {enabled: $scope.permissions.enabled};
+                $scope.permissions = UsersManagementPermissions.update({realm: realm.realm}, param);
+
+            }
+        }, true);
     });
     Client.query({realm: realm.realm, clientId: getManageClientId(realm)}, function(data) {
         $scope.realmManagementClientId = data[0].id;
     });
-    $scope.changeIt = function() {
-        console.log('before permissions.enabled=' + $scope.permissions.enabled);
-        var param = { enabled: $scope.permissions.enabled};
-        $scope.permissions = UsersManagementPermissions.update({realm: realm.realm}, param);
-    };
+
+
 
 
 });
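Review bot: `var first = true;` added in UsersPermissionsCtrl is never read in the visible lines and looks like a leftover from an earlier approach; it can be removed. The hunk also leaves a run of blank lines before the closing `});` where `changeIt` used to be.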
@@ -2592,16 +2599,17 @@ module.controller('ClientPermissionsCtrl', function($scope, $http, $route, $loca
     $scope.realm = realm;
     ClientManagementPermissions.get({realm: realm.realm, client: client.id}, function(data) {
         $scope.permissions = data;
+        $scope.$watch('permissions.enabled', function(newVal, oldVal) {
+            if (newVal != oldVal) {
+                console.log('Changing permissions enabled to: ' + $scope.permissions.enabled);
+                var param = {enabled: $scope.permissions.enabled};
+                $scope.permissions = ClientManagementPermissions.update({realm: realm.realm, client: client.id}, param);
+            }
+        }, true);
     });
     Client.query({realm: realm.realm, clientId: getManageClientId(realm)}, function(data) {
         $scope.realmManagementClientId = data[0].id;
     });
-    $scope.setEnabled = function() {
-        var param = { enabled: $scope.permissions.enabled};
-        $scope.permissions = ClientManagementPermissions.update({realm: realm.realm, client: client.id}, param);
-    };
-
-
 });
 
 module.controller('GroupPermissionsCtrl', function($scope, $http, $route, $location, realm, group, GroupManagementPermissions, Client, Notifications) {
@@ -2612,13 +2620,14 @@ module.controller('GroupPermissionsCtrl', function($scope, $http, $route, $locat
     });
     GroupManagementPermissions.get({realm: realm.realm, group: group.id}, function(data) {
         $scope.permissions = data;
+        $scope.$watch('permissions.enabled', function(newVal, oldVal) {
+            if (newVal != oldVal) {
+                console.log('Changing permissions enabled to: ' + $scope.permissions.enabled);
+                var param = {enabled: $scope.permissions.enabled};
+                $scope.permissions = GroupManagementPermissions.update({realm: realm.realm, group: group.id}, param);
+            }
+        }, true);
     });
-    $scope.setEnabled = function() {
-        var param = { enabled: $scope.permissions.enabled};
-        $scope.permissions = GroupManagementPermissions.update({realm: realm.realm, group: group.id}, param);
-    };
-
-
 });
 
 
diff --git a/themes/src/main/resources/theme/base/admin/resources/partials/authz/mgmt/client-permissions.html b/themes/src/main/resources/theme/base/admin/resources/partials/authz/mgmt/client-permissions.html
index abc21a4..7f29fd7 100644
--- a/themes/src/main/resources/theme/base/admin/resources/partials/authz/mgmt/client-permissions.html
+++ b/themes/src/main/resources/theme/base/admin/resources/partials/authz/mgmt/client-permissions.html
@@ -11,7 +11,7 @@
         <div class="form-group">
             <label class="col-md-2 control-label" for="permissionsEnabled">{{:: 'permissions-enabled-role' | translate}}</label>
             <div class="col-md-6">
-                <input ng-model="permissions.enabled" ng-click="setEnabled()" name="permissionsEnabled" id="permissionsEnabled" ng-disabled="!access.manageAuthorization" onoffswitch on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}"/>
+                <input ng-model="permissions.enabled" name="permissionsEnabled" id="permissionsEnabled" ng-disabled="!access.manageAuthorization" onoffswitch on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}"/>
             </div>
             <kc-tooltip>{{:: 'permissions-enabled-role.tooltip' | translate}}</kc-tooltip>
         </div>
diff --git a/themes/src/main/resources/theme/base/admin/resources/partials/authz/mgmt/client-role-permissions.html b/themes/src/main/resources/theme/base/admin/resources/partials/authz/mgmt/client-role-permissions.html
index c5f37ea..c76ecec 100644
--- a/themes/src/main/resources/theme/base/admin/resources/partials/authz/mgmt/client-role-permissions.html
+++ b/themes/src/main/resources/theme/base/admin/resources/partials/authz/mgmt/client-role-permissions.html
@@ -12,7 +12,7 @@
         <div class="form-group">
             <label class="col-md-2 control-label" for="permissionsEnabled">{{:: 'permissions-enabled-role' | translate}}</label>
             <div class="col-md-6">
-                <input ng-model="permissions.enabled" ng-click="setEnabled()" name="permissionsEnabled" id="permissionsEnabled" ng-disabled="!access.manageAuthorization" onoffswitch on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}"/>
+                <input ng-model="permissions.enabled" name="permissionsEnabled" id="permissionsEnabled" ng-disabled="!access.manageAuthorization" onoffswitch on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}"/>
             </div>
             <kc-tooltip>{{:: 'permissions-enabled-role.tooltip' | translate}}</kc-tooltip>
         </div>
diff --git a/themes/src/main/resources/theme/base/admin/resources/partials/authz/mgmt/group-permissions.html b/themes/src/main/resources/theme/base/admin/resources/partials/authz/mgmt/group-permissions.html
index 897a0ed..f2be6d9 100644
--- a/themes/src/main/resources/theme/base/admin/resources/partials/authz/mgmt/group-permissions.html
+++ b/themes/src/main/resources/theme/base/admin/resources/partials/authz/mgmt/group-permissions.html
@@ -11,7 +11,7 @@
         <div class="form-group">
             <label class="col-md-2 control-label" for="permissionsEnabled">{{:: 'permissions-enabled-role' | translate}}</label>
             <div class="col-md-6">
-                <input ng-model="permissions.enabled" ng-click="setEnabled()" name="permissionsEnabled" id="permissionsEnabled" ng-disabled="!access.manageAuthorization" onoffswitch on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}"/>
+                <input ng-model="permissions.enabled" name="permissionsEnabled" id="permissionsEnabled" ng-disabled="!access.manageAuthorization" onoffswitch on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}"/>
             </div>
             <kc-tooltip>{{:: 'permissions-enabled-role.tooltip' | translate}}</kc-tooltip>
         </div>
diff --git a/themes/src/main/resources/theme/base/admin/resources/partials/authz/mgmt/realm-role-permissions.html b/themes/src/main/resources/theme/base/admin/resources/partials/authz/mgmt/realm-role-permissions.html
index 9c03333..e21ee63 100644
--- a/themes/src/main/resources/theme/base/admin/resources/partials/authz/mgmt/realm-role-permissions.html
+++ b/themes/src/main/resources/theme/base/admin/resources/partials/authz/mgmt/realm-role-permissions.html
@@ -11,7 +11,7 @@
         <div class="form-group">
             <label class="col-md-2 control-label" for="permissionsEnabled">{{:: 'permissions-enabled-role' | translate}}</label>
             <div class="col-md-6">
-                <input ng-model="permissions.enabled" ng-click="setEnabled()" name="permissionsEnabled" id="permissionsEnabled" ng-disabled="!access.manageAuthorization" onoffswitch on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}"/>
+                <input ng-model="permissions.enabled" name="permissionsEnabled" id="permissionsEnabled" ng-disabled="!access.manageAuthorization" onoffswitch on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}"/>
             </div>
             <kc-tooltip>{{:: 'permissions-enabled-role.tooltip' | translate}}</kc-tooltip>
         </div>
diff --git a/themes/src/main/resources/theme/base/admin/resources/partials/authz/mgmt/users-permissions.html b/themes/src/main/resources/theme/base/admin/resources/partials/authz/mgmt/users-permissions.html
index 4a5661f..2665bba 100644
--- a/themes/src/main/resources/theme/base/admin/resources/partials/authz/mgmt/users-permissions.html
+++ b/themes/src/main/resources/theme/base/admin/resources/partials/authz/mgmt/users-permissions.html
@@ -7,7 +7,7 @@
         <div class="form-group">
             <label class="col-md-2 control-label" for="permissionsEnabled">{{:: 'permissions-enabled-users' | translate}}</label>
             <div class="col-md-6">
-                <input ng-model="permissions.enabled" ng-click="changeIt()" name="permissionsEnabled" id="permissionsEnabled" ng-disabled="!access.manageAuthorization" onoffswitch on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}"/>
+                <input ng-model="permissions.enabled" name="permissionsEnabled" id="permissionsEnabled" ng-disabled="!access.manageAuthorization" onoffswitch on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}"/>
             </div>
             <kc-tooltip>{{:: 'permissions-enabled-users.tooltip' | translate}}</kc-tooltip>
         </div>
diff --git a/themes/src/main/resources/theme/base/admin/resources/templates/kc-menu.html b/themes/src/main/resources/theme/base/admin/resources/templates/kc-menu.html
index 53b0a3d..cea1692 100755
--- a/themes/src/main/resources/theme/base/admin/resources/templates/kc-menu.html
+++ b/themes/src/main/resources/theme/base/admin/resources/templates/kc-menu.html
@@ -50,7 +50,7 @@
         <ul class="nav nav-pills nav-stacked">
             <li data-ng-show="access.queryGroups" data-ng-class="(path[2] == 'groups'
                         || path[2] == 'default-groups') && 'active'"><a href="#/realms/{{realm.realm}}/groups"><span class="pficon pficon-users"></span> {{:: 'groups' | translate}}</a></li>
-            <li data-ng-show="access.queryUsers" data-ng-class="(path[2] == 'users') && 'active'"><a href="#/realms/{{realm.realm}}/users"><span class="pficon pficon-user"></span> {{:: 'users' | translate}}</a></li>
+            <li data-ng-show="access.queryUsers" data-ng-class="(path[2] == 'users' || path[2] == 'users-permissions') && 'active'"><a href="#/realms/{{realm.realm}}/users"><span class="pficon pficon-user"></span> {{:: 'users' | translate}}</a></li>
             <li data-ng-show="access.viewRealm" data-ng-class="(path[2] == 'sessions') && 'active'"><a href="#/realms/{{realm.realm}}/sessions/realm"><i class="fa fa-clock-o"></i> {{:: 'sessions' | translate}}</a></li>
             <li data-ng-show="access.viewEvents" data-ng-class="(path[2] == 'events' 
                         || path[2] == 'events-settings'