diff --git a/services/src/main/java/org/keycloak/services/resources/admin/RealmAdminResource.java b/services/src/main/java/org/keycloak/services/resources/admin/RealmAdminResource.java
index 683b44a..d35ccaf 100644
--- a/services/src/main/java/org/keycloak/services/resources/admin/RealmAdminResource.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/RealmAdminResource.java
@@ -1077,10 +1077,18 @@ public class RealmAdminResource {
@Produces(MediaType.APPLICATION_JSON)
public RealmRepresentation partialExport(@QueryParam("exportGroupsAndRoles") Boolean exportGroupsAndRoles,
@QueryParam("exportClients") Boolean exportClients) {
+ auth.realm().requireViewRealm();
boolean groupsAndRolesExported = exportGroupsAndRoles != null && exportGroupsAndRoles;
boolean clientsExported = exportClients != null && exportClients;
+ if (groupsAndRolesExported) {
+ auth.groups().requireList();
+ }
+ if (clientsExported) {
+ auth.clients().requireView();
+ }
+
ExportOptions options = new ExportOptions(false, clientsExported, groupsAndRolesExported);
RealmRepresentation rep = ExportUtils.exportRealm(session, realm, options, false);
return stripForExport(session, rep);
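Review bot: The `groupsAndRolesExported` branch gates the export of both groups and roles on `auth.groups().requireList()` alone, and nothing in this hunk checks a role-specific permission. Judging by the `multi` fixture in the accompanying test, that check appears to be satisfied by `query-groups`, so full group and role definitions would be released to a caller holding view-realm plus a listing right. If that is intended, record it above the check, e.g. `// view-realm + group list permission is deliberately sufficient to export group and role definitions`. Otherwise this branch should require a view-level permission on groups and on roles before `ExportUtils.exportRealm` runs. The method's leading annotations and closing brace lie outside the hunk.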
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/PermissionsTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/PermissionsTest.java
index fc316b9..736c0c2 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/PermissionsTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/PermissionsTest.java
@@ -114,6 +114,13 @@ public class PermissionsTest extends AbstractKeycloakTest {
.role(Constants.REALM_MANAGEMENT_CLIENT_ID, AdminRoles.REALM_ADMIN)
.addPassword("password"));
+ builder.user(UserBuilder.create()
+ .username("multi")
+ .role(Constants.REALM_MANAGEMENT_CLIENT_ID, AdminRoles.QUERY_GROUPS)
+ .role(Constants.REALM_MANAGEMENT_CLIENT_ID, AdminRoles.VIEW_REALM)
+ .role(Constants.REALM_MANAGEMENT_CLIENT_ID, AdminRoles.VIEW_CLIENTS)
+ .addPassword("password"));
+
builder.user(UserBuilder.create().username("none").addPassword("password"));
for (String role : AdminRoles.ALL_REALM_ROLES) {
@@ -193,6 +200,9 @@ public class PermissionsTest extends AbstractKeycloakTest {
clients.put("none",
Keycloak.getInstance(AuthServerTestEnricher.getAuthServerContextRoot() + "/auth", REALM_NAME, "none", "password", "test-client", "secret"));
+ clients.put("multi",
+ Keycloak.getInstance(AuthServerTestEnricher.getAuthServerContextRoot() + "/auth", REALM_NAME, "multi", "password", "test-client", "secret"));
+
for (String role : AdminRoles.ALL_REALM_ROLES) {
clients.put(role, Keycloak.getInstance(AuthServerTestEnricher.getAuthServerContextRoot() + "/auth", REALM_NAME, role, "password", "test-client"));
}
@@ -1606,6 +1616,35 @@ public class PermissionsTest extends AbstractKeycloakTest {
}, Resource.REALM, true);
}
+ @Test
+ public void partialExport() {
+ invoke(new Invocation() {
+ public void invoke(RealmResource realm) {
+ realm.partialExport(false, false);
+ }
+ }, clients.get("view-realm"), true);
+ invoke(new Invocation() {
+ public void invoke(RealmResource realm) {
+ realm.partialExport(true, true);
+ }
+ }, clients.get("multi"), true);
+ invoke(new Invocation() {
+ public void invoke(RealmResource realm) {
+ realm.partialExport(true, false);
+ }
+ }, clients.get("view-realm"), false);
+ invoke(new Invocation() {
+ public void invoke(RealmResource realm) {
+ realm.partialExport(false, true);
+ }
+ }, clients.get("view-realm"), false);
+ invoke(new Invocation() {
+ public void invoke(RealmResource realm) {
+ realm.partialExport(false, false);
+ }
+ }, clients.get("none"), false);
+ }
+
private void invoke(final Invocation invocation, Resource resource, boolean manage) {
invoke(new InvocationWithResponse() {
public void invoke(RealmResource realm, AtomicReference<Response> response) {
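Review bot: None of the five invocations in `partialExport()` covers a caller that holds view-realm and exactly one of the two extra roles while requesting both flags. The denied cases only use `view-realm` with a single flag set, and the only `(true, true)` call is the allowed `multi` case. A regression that stops evaluating after the first check passes (for example the two `if` blocks becoming `if`/`else if`) would therefore still pass this test. Consider adding a fixture user with `VIEW_REALM` and `QUERY_GROUPS` only and asserting that `realm.partialExport(true, true);` is denied for it, plus the mirror case with `VIEW_CLIENTS` only. The private `invoke` helper at the end of the hunk continues outside it.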