There are REST endpoint which does not take admin permissions into an account when returning response.
With following permission denying to view a userC:
When listing client sessions:
GET | http://localhost:8080/admin/realms/test/ui-ext/sessions/client?first=0&max=11&type=ALL&clientId=7bb6b97b-67b6-4cc6-9d99-974c73ec9157&search=
Or when listing users with a certain role:
GET | http://localhost:8080/admin/realms/test/clients/7bb6b97b-67b6-4cc6-9d99-974c73ec9157/roles/test-role/users?briefRepresentation=true&first=0&max=11
The lists includes users who should not be visible.
There are REST endpoint which does not take admin permissions into an account when returning response.
With following permission denying to view a
userC:When listing client sessions:
GET | http://localhost:8080/admin/realms/test/ui-ext/sessions/client?first=0&max=11&type=ALL&clientId=7bb6b97b-67b6-4cc6-9d99-974c73ec9157&search=Or when listing users with a certain role:
GET | http://localhost:8080/admin/realms/test/clients/7bb6b97b-67b6-4cc6-9d99-974c73ec9157/roles/test-role/users?briefRepresentation=true&first=0&max=11The lists includes users who should not be visible.