From 198d58398fccce0016b3533e29cb4c89e44b8014 Mon Sep 17 00:00:00 2001
From: Pedro Igor
Date: Wed, 7 May 2025 09:47:34 -0300
Subject: [PATCH] Do not show email during registation if user has no permission
Closes #37899
Signed-off-by: Pedro Igor
---
 .../userprofile/DefaultAttributes.java | 18 +++--
 .../forms/RegisterWithUserProfileTest.java | 68 +++++++++++++++++++
 2 files changed, 80 insertions(+), 6 deletions(-)
diff --git a/server-spi-private/src/main/java/org/keycloak/userprofile/DefaultAttributes.java b/server-spi-private/src/main/java/org/keycloak/userprofile/DefaultAttributes.java
index 8672b9bf1bb4..f96271155e42 100644
--- a/server-spi-private/src/main/java/org/keycloak/userprofile/DefaultAttributes.java
+++ b/server-spi-private/src/main/java/org/keycloak/userprofile/DefaultAttributes.java
@@ -111,7 +111,11 @@ public boolean isReadOnly(String name) {
 private boolean isReadableOrWritableDuringRegistration(String name) {
 if (context.equals(UserProfileContext.REGISTRATION) && isRequired(name)) {
 // in context of registration, username or email (email as username) cannot be readonly otherwise registration is not possible
- return UserModel.EMAIL.equals(name) || UserModel.USERNAME.equals(name);
+ if (UserModel.EMAIL.equals(name)) {
+ RealmModel realm = session.getContext().getRealm();
+ return realm.isRegistrationEmailAsUsername();
+ }
+ return UserModel.USERNAME.equals(name);
 }
 return false;
 }
@@ -295,12 +299,14 @@ public Map> getReadable() {
 continue;
 }
- if (!isReadableOrWritableDuringRegistration(name)) {
- AttributeContext attributeContext = createAttributeContext(metadata);
+ if (isReadableOrWritableDuringRegistration(name)) {
+ continue;
+ }
+
+ AttributeContext attributeContext = createAttributeContext(metadata);
- if (!metadata.canView(attributeContext) || !metadata.isSelected(attributeContext)) {
- attributes.remove(name);
- }
+ if (!metadata.canView(attributeContext) || !metadata.isSelected(attributeContext)) {
+ attributes.remove(name);
 }
 }
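Review bot: The new `EMAIL` branch ties a `true` result to the realm's `registrationEmailAsUsername` flag, but nothing on `isReadableOrWritableDuringRegistration` says what `true` means for callers: in `getReadable()` (second hunk of this file) it causes the `canView`/`isSelected` checks to be skipped, so this method is the one place that may override configured attribute permissions, which is exactly what #37899 was about. I would add a Javadoc such as `/** True only for the attribute a registrant must fill to identify themselves (username, or email when the realm registers with email as username); a true result bypasses the attribute's configured view/edit permissions in the registration context. */` so the next change to this method is made with that consequence in mind. The `isRequired(name)` guard also means an optional `email` is never force-shown even in an email-as-username realm; if that is intended it deserves a line in the same comment. Callers other than `getReadable()` are not visible in this hunk.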
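Review bot: The new `continue` skips both `canView` and `isSelected` for any attribute `isReadableOrWritableDuringRegistration` reports, so that attribute stays in `attributes` regardless of its configured permissions; that is the intended exception for the registration identifier, but nothing at the call site says so and an early `continue` reads like an accidental shortcut past the permission check. A one-line comment above it, e.g. `// the registration identifier (username, or email when used as username) must stay visible whatever its configured permissions`, would keep a later refactor from folding it back into the permission path. The enclosing loop and the `getReadable()` signature start before this hunk.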
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/RegisterWithUserProfileTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/RegisterWithUserProfileTest.java
index f002b5fb0cd1..ee989c763fab 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/RegisterWithUserProfileTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/RegisterWithUserProfileTest.java
@@ -22,6 +22,9 @@
 import static org.hamcrest.Matchers.containsString;
 import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+import static org.keycloak.testsuite.util.userprofile.UserProfileUtil.PERMISSIONS_ADMIN_ONLY;
 import static org.keycloak.testsuite.util.userprofile.UserProfileUtil.PERMISSIONS_ALL;
 import static org.keycloak.testsuite.util.userprofile.UserProfileUtil.PERMISSIONS_ADMIN_EDITABLE;
 import static org.keycloak.testsuite.util.userprofile.UserProfileUtil.SCOPE_DEPARTMENT;
@@ -622,6 +625,71 @@ public void testEmailRequiredForUser() {
 ));
 }
+ @Test
+ public void testEmailNotWritable() {
+ setUserProfileConfiguration("{\"attributes\": [" +
+ "{\"name\": \"firstName\"," + PERMISSIONS_ALL + ", \"required\": {}}," +
+ "{\"name\": \"lastName\"," + PERMISSIONS_ALL + ", \"required\": {}}," +
+ "{\"name\": \"email\"," + PERMISSIONS_ADMIN_ONLY + ", \"required\": {\"roles\" : [\"user\"]}}" +
+ "]}");
+
+ loginPage.open();
+ loginPage.clickRegister();
+ registerPage.assertCurrent();
+
+ assertFalse(registerPage.isEmailPresent());
+
+ registerPage.register("firstName", "lastName", null, "myusername", generatePassword());
+
+ assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType());
+ }
+
+ @Test
+ public void testEmailNotShownIfReadOnly() {
+ setUserProfileConfiguration("{\"attributes\": [" +
+ "{\"name\": \"firstName\"," + PERMISSIONS_ALL + ", \"required\": {}}," +
+ "{\"name\": \"lastName\"," + PERMISSIONS_ALL + ", \"required\": {}}," +
+ "{\"name\": \"email\"," + PERMISSIONS_ADMIN_EDITABLE + ", \"required\": {\"roles\" : [\"user\"]}}" +
+ "]}");
+
+ loginPage.open();
+ loginPage.clickRegister();
+ registerPage.assertCurrent();
+
+ assertFalse(registerPage.isEmailPresent());
+
+ registerPage.register("firstName", "lastName", null, "myusername1", generatePassword());
+
+ assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType());
+ }
+
+ @Test
+ public void testEmailNotAllowedButEmailAsUsername() {
+ RealmRepresentation realm = testRealm().toRepresentation();
+ realm.setRegistrationEmailAsUsername(true);
+ testRealm().update(realm);
+ getCleanup().addCleanup(() -> {
+ realm.setRegistrationEmailAsUsername(false);
+ testRealm().update(realm);
+ });
+ setUserProfileConfiguration("{\"attributes\": [" +
+ "{\"name\": \"firstName\"," + PERMISSIONS_ALL + ", \"required\": {}}," +
+ "{\"name\": \"lastName\"," + PERMISSIONS_ALL + ", \"required\": {}}," +
+ "{\"name\": \"email\"," + PERMISSIONS_ADMIN_EDITABLE + ", \"required\": {\"roles\" : [\"user\"]}}" +
+ "]}");
+
+ loginPage.open();
+ loginPage.clickRegister();
+ registerPage.assertCurrent();
+
+ assertFalse(registerPage.isUsernamePresent());
+ assertTrue(registerPage.isEmailPresent());
+
+ registerPage.registerWithEmailAsUsername("firstName", "lastName", "myusername1@keycloak.org", generatePassword());
+
+ assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType());
+ }
+
 private void assertUserRegistered(String userId, String username, String email, String firstName, String lastName) {
 events.expectLogin().detail("username", username.toLowerCase()).user(userId).assertEvent();
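Review bot: `testEmailNotWritable` and `testEmailNotShownIfReadOnly` only assert that the email field is not rendered (`assertFalse(registerPage.isEmailPresent())`) and that registration reaches `AUTH_RESPONSE`; neither checks that the created user actually has no email, so a regression that hides the field yet still accepts an `email` form parameter, or stores some default, would pass both tests. After the `register(...)` call I would resolve the new user through the admin client and assert its stored email is null; the `assertUserRegistered(userId, username, email, firstName, lastName)` helper at the end of the hunk looks usable for that with `null` as `email`, provided a user id can be taken from the register event as the sibling tests presumably do. A request-level check that submits the registration form with an extra `email` parameter and asserts it is ignored or rejected would pin the server-side permission, which is the property #37899 is really about, rather than the template. `assertUserRegistered`'s body continues past the hunk.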