Package org.keycloak.services.resources.admin.permissions

Interface GroupPermissionEvaluator

public interface GroupPermissionEvaluator

Version:

$Revision: 1 $

Author:

Bill Burke

Method Summary

Modifier and Type	Method	Description
boolean	canList()	Returns true if the caller has at least one of AdminRoles.QUERY_GROUPS, AdminRoles.MANAGE_USERS or AdminRoles.VIEW_USERS roles.
boolean	canManage()	Returns true if the caller has AdminRoles.MANAGE_USERS role.
boolean	canManage(GroupModel group)	Returns true if the caller has AdminRoles.MANAGE_USERS role.
boolean	canManageMembers(GroupModel group)	Returns true if UserPermissionEvaluator.canManage() evaluates to true.
boolean	canManageMembership(GroupModel group)	Returns true if the caller has one of AdminRoles.MANAGE_USERS role.
boolean	canView()	Returns true if the caller has one of AdminRoles.MANAGE_USERS or AdminRoles.VIEW_USERS roles.
boolean	canView(GroupModel group)	Returns true if the caller has one of AdminRoles.MANAGE_USERS or AdminRoles.VIEW_USERS roles.
boolean	canViewMembers(GroupModel group)	Returns true if UserPermissionEvaluator.canView() evaluates to true.
Map<String,Boolean>	getAccess(GroupModel group)	Returns Map with information what access the caller for the provided group has.
Set<String>	getGroupIdsWithViewPermission()	If UserPermissionEvaluator.canView() evaluates to true, returns empty set.
void	requireList()	Throws ForbiddenException if canList() returns false.
void	requireManage()	Throws ForbiddenException if canManage() returns false.
void	requireManage(GroupModel group)	Throws ForbiddenException if canManage(GroupModel) returns false.
void	requireManageMembers(GroupModel group)	Throws ForbiddenException if canManageMembership(GroupModel) returns false.
void	requireManageMembership(GroupModel group)	Throws ForbiddenException if canManageMembership(GroupModel) returns false.
void	requireView()	Throws ForbiddenException if canView() returns false.
void	requireView(GroupModel group)	Throws ForbiddenException if canView(GroupModel) returns false.
void	requireViewMembers(GroupModel group)	Throws ForbiddenException if canViewMembers(GroupModel) returns false.

Method Details

canList

boolean canList()

Returns true if the caller has at least one of AdminRoles.QUERY_GROUPS, AdminRoles.MANAGE_USERS or AdminRoles.VIEW_USERS roles.

For V2 only: Also if it has a permission to AdminPermissionsSchema.VIEW or AdminPermissionsSchema.MANAGE groups.

requireList

void requireList()

Throws ForbiddenException if canList() returns false.

canManage

boolean canManage(GroupModel group)

Returns true if the caller has AdminRoles.MANAGE_USERS role.

Or if it has a permission to AdminPermissionsSchema.MANAGE the group.

requireManage

void requireManage(GroupModel group)

Throws ForbiddenException if canManage(GroupModel) returns false.

canView

boolean canView(GroupModel group)

Returns true if the caller has one of AdminRoles.MANAGE_USERS or AdminRoles.VIEW_USERS roles.

Or if it has a permission to AdminPermissionsSchema.VIEW or AdminPermissionsSchema.MANAGE the group.

requireView

void requireView(GroupModel group)

Throws ForbiddenException if canView(GroupModel) returns false.

canManage

boolean canManage()

Returns true if the caller has AdminRoles.MANAGE_USERS role.

For V2 only: Also if it has permission to AdminPermissionsSchema.VIEW or AdminPermissionsSchema.MANAGE groups.

requireManage

void requireManage()

Throws ForbiddenException if canManage() returns false.

canView

boolean canView()

Returns true if the caller has one of AdminRoles.MANAGE_USERS or AdminRoles.VIEW_USERS roles.

Or if it has a permission to AdminPermissionsSchema.VIEW or AdminPermissionsSchema.MANAGE groups.

requireView

void requireView()

Throws ForbiddenException if canView() returns false.

requireViewMembers

void requireViewMembers(GroupModel group)

Throws ForbiddenException if canViewMembers(GroupModel) returns false.

canManageMembers

boolean canManageMembers(GroupModel group)

Returns true if UserPermissionEvaluator.canManage() evaluates to true.

Or if it has a permission to AdminPermissionsSchema.MANAGE_MEMBERS of the group.

canManageMembership

boolean canManageMembership(GroupModel group)

Returns true if the caller has one of AdminRoles.MANAGE_USERS role.

Or if it has a permission to AdminPermissionsSchema.MANAGE the group or AdminPermissionsSchema.MANAGE_MEMBERSHIP of the group.

canViewMembers

boolean canViewMembers(GroupModel group)

Returns true if UserPermissionEvaluator.canView() evaluates to true.

Or if it has a permission to AdminPermissionsSchema.VIEW_MEMBERS or AdminPermissionsSchema.MANAGE_MEMBERS of the group.

requireManageMembership

void requireManageMembership(GroupModel group)

Throws ForbiddenException if canManageMembership(GroupModel) returns false.

requireManageMembers

void requireManageMembers(GroupModel group)

Throws ForbiddenException if canManageMembership(GroupModel) returns false.

getAccess

Map<String,Boolean> getAccess(GroupModel group)

Returns Map with information what access the caller for the provided group has.

getGroupIdsWithViewPermission

Set<String> getGroupIdsWithViewPermission()

If UserPermissionEvaluator.canView() evaluates to true, returns empty set.

Returns:

Stream of IDs of groups with view permission.