move phishing check #48495
Spotless is failing.

@edewit JFYI - you should rebase this PR as there's no NewClientService anymore.
I think it still exists unfortunately - it just needs to now be deleted.

Oops.. it was supposed to be done here: I thought it was already done. Ok
Me too... I was even pointing that out there in some comment but then I missed it somehow. :D

@edewit Tests seem to be failing.
fixes: keycloak#48010 Signed-off-by: Erik Jan de Wit <[email protected]>
Signed-off-by: Erik Jan de Wit <[email protected]>
| @GET | ||
| @Override | ||
| public BaseClientRepresentation getClient() { | ||
| enforceAntiPhishingIfClientMissing(); |
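Review bot: in getClient(), placing enforceAntiPhishingIfClientMissing() as the first statement of the handler ties the check to each individual method, so a handler added to this resource later without the same call would skip it. Consider running the check once at the point where the client sub-resource is resolved, so every method on the resource inherits it. If the call stays here, a short comment saying which response a missing client produces would help, since the method name alone does not say.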
The intent of the issue was to move the check in DefaultClientsApi prior to creating DefaultClientApi - that aligns with admin api v1. We should not worry yet about the case of hitting a 403 on a PUT that performs a create as we'll eventually have direction from #47804 to address that.
This was just to be a simplification over currently having the permission check in the service layer. If / when we want to promote more general usage of the service layer and we have resolution on #47804 we could move the phishing check back.
Signed-off-by: Erik Jan de Wit <[email protected]>
| @Path("{id}") | ||
| @Override | ||
| public ClientApi client(@PathParam("id") String clientId) { | ||
| if (!HttpMethod.PUT.equals(session.getContext().getHttpRequest().getHttpMethod())) { |
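Review bot: the condition `!HttpMethod.PUT.equals(...)` in client() makes the sub-resource locator behave differently depending on the HTTP verb, so PUT requests take a different path from every other method on the same {id}. The body of the branch is not visible here, but if it guards the phishing check then PUT needs equivalent coverage elsewhere or the condition should be dropped. If the verb test stays, a comment explaining why the locator reads session.getContext().getHttpRequest().getHttpMethod() at this point would make the exception easier to audit.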
No check for PUT is needed.
fixes: #48010
Signed-off-by: Erik Jan de Wit [email protected]