diff --git a/services/src/main/java/org/keycloak/services/resources/admin/permissions/RolePermissions.java b/services/src/main/java/org/keycloak/services/resources/admin/permissions/RolePermissions.java
index d220a39..ddc27ee 100644
--- a/services/src/main/java/org/keycloak/services/resources/admin/permissions/RolePermissions.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/permissions/RolePermissions.java
@@ -289,7 +289,7 @@ class RolePermissions implements RolePermissionEvaluator, RolePermissionManageme
if (root.evaluatePermission(roleResource, mapRoleScope, resourceServer)) {
return checkAdminRoles(role);
} else {
- return true;
+ return false;
}
}
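Review bot: The if/else around `checkAdminRoles(role)` returns a boolean from each arm and can be a single expression, `return root.evaluatePermission(roleResource, mapRoleScope, resourceServer) && checkAdminRoles(role);`, which keeps the same evaluation order. The third hunk adds the same shape for the map-composite scope, where `return root.evaluatePermission(roleResource, scope, resourceServer) && checkAdminRoles(role);` would do. Because the previous code granted in this branch, a short comment such as `// policy did not grant map-role: deny` would record that a failed evaluation is now a denial. The enclosing method starts above the hunk, so whether its earlier branches also deny by default cannot be confirmed from these lines.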
@@ -348,7 +348,7 @@ class RolePermissions implements RolePermissionEvaluator, RolePermissionManageme
@Override
public boolean canMapComposite(RoleModel role) {
- if (canManageDefault(role)) return true;
+ if (canManageDefault(role)) return checkAdminRoles(role);
if (!root.isAdminSameRealm()) {
return false;
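Review bot: `canMapComposite` now relies on every granting path going through `checkAdminRoles(role)`, but that invariant is only implicit. The manage shortcut here and the final policy evaluation in the next hunk both call it, but the lines between the two hunks are not shown, so any other `return true` there would still bypass the check. A method comment would make the rule reviewable, e.g. `// Invariant: never return true without checkAdminRoles(role); manage rights alone must not allow adding an admin role to a composite.` The one-line `if (canManageDefault(role)) return checkAdminRoles(role);` is also unbraced while the `if` below it is braced, so bracing it would be consistent. `checkAdminRoles` is outside the diff, so its exact rule is assumed from its name and use.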
@@ -370,7 +370,11 @@ class RolePermissions implements RolePermissionEvaluator, RolePermissionManageme
Resource roleResource = resource(role);
Scope scope = mapCompositeScope(resourceServer);
- return root.evaluatePermission(roleResource, scope, resourceServer);
+ if (root.evaluatePermission(roleResource, scope, resourceServer)) {
+ return checkAdminRoles(role);
+ } else {
+ return false;
+ }
}
@Override