Inform-Software
diff --git a/‎scim/core/src/main/java/org/keycloak/scim/resource/spi/AbstractScimResourceTypeProvider.java‎
Lines changed: 24 additions & 16 deletions b/‎scim/core/src/main/java/org/keycloak/scim/resource/spi/AbstractScimResourceTypeProvider.java‎
Lines changed: 24 additions & 16 deletions
diff --git a/‎scim/model/src/main/java/org/keycloak/scim/model/user/UserResourceTypeProvider.java‎
Lines changed: 7 additions & 1 deletion b/‎scim/model/src/main/java/org/keycloak/scim/model/user/UserResourceTypeProvider.java‎
Lines changed: 7 additions & 1 deletion
diff --git a/‎scim/services/src/main/java/org/keycloak/scim/services/ScimResourceTypeResource.java‎
Lines changed: 18 additions & 12 deletions b/‎scim/services/src/main/java/org/keycloak/scim/services/ScimResourceTypeResource.java‎
Lines changed: 18 additions & 12 deletions
@@ -6,7 +6,6 @@
 import java.util.stream.Stream;
 
 import org.keycloak.authorization.fgap.AdminPermissionsSchema;
-import org.keycloak.models.KeycloakContext;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.Model;
 import org.keycloak.models.ModelValidationException;
@@ -42,9 +41,7 @@ public AbstractScimResourceTypeProvider(KeycloakSession session, ModelSchema<M,
 
     @Override
     public R create(R resource) {
-        KeycloakContext context = session.getContext();
-
-        if (!context.hasPermission(getRealmResourceType(), AdminPermissionsSchema.MANAGE)) {
+        if (!hasPermission(getRealmResourceType(), AdminPermissionsSchema.MANAGE)) {
             throw new ForbiddenException();
         }
 
@@ -55,9 +52,7 @@ public R create(R resource) {
     public R update(R resource) {
         M model = getModel(resource.getId());
 
-        KeycloakContext context = session.getContext();
-
-        if (!context.hasPermission(model, getRealmResourceType(), AdminPermissionsSchema.MANAGE)) {
+        if (!hasPermission(model, getRealmResourceType(), AdminPermissionsSchema.MANAGE)) {
             throw new ForbiddenException();
         }
 
@@ -74,14 +69,12 @@ public R get(String id) {
             return null;
         }
 
-        R resource = createResourceTypeInstance();
-
-        KeycloakContext context = session.getContext();
-
-        if (!context.hasPermission(model, getRealmResourceType(), AdminPermissionsSchema.VIEW)) {
+        if (!hasPermission(model, getRealmResourceType(), AdminPermissionsSchema.VIEW)) {
             throw new ForbiddenException();
         }
 
+        R resource = createResourceTypeInstance();
+
         for (ModelSchema<M, R> schema : schemas) {
             schema.populate(resource, model);
         }
@@ -91,6 +84,10 @@ public R get(String id) {
 
     @Override
     public Stream<R> getAll(SearchRequest searchRequest) {
+        if (!canQuery()) {
+            throw new ForbiddenException();
+        }
+
         return getModels(searchRequest).map(m -> {
             try {
                 return get(m.getId());
@@ -103,9 +100,8 @@ public Stream<R> getAll(SearchRequest searchRequest) {
     @Override
     public boolean delete(String id) {
         M model = getModel(id);
-        KeycloakContext context = session.getContext();
 
-        if (!context.hasPermission(model, getRealmResourceType(), AdminPermissionsSchema.MANAGE)) {
+        if (!hasPermission(model, getRealmResourceType(), AdminPermissionsSchema.MANAGE)) {
             throw new ForbiddenException();
         }
 
@@ -117,9 +113,8 @@ public void patch(R existing, List<PatchOperation> operations) {
         Objects.requireNonNull(existing, "existing cannot be null");
         Objects.requireNonNull(operations, "operations cannot be null");
         M model = getModel(existing.getId());
-        KeycloakContext context = session.getContext();
 
-        if (!context.hasPermission(model, getRealmResourceType(), AdminPermissionsSchema.MANAGE)) {
+        if (!hasPermission(model, getRealmResourceType(), AdminPermissionsSchema.MANAGE)) {
             throw new ForbiddenException();
         }
 
@@ -186,4 +181,17 @@ private R createResourceTypeInstance() {
             throw new RuntimeException("Could not create instance of resource type " + getResourceType(), e);
         }
     }
+
+    private boolean canQuery() {
+        return session.getContext().getPermissions().hasPermission(getRealmResourceType(), AdminPermissionsSchema.QUERY);
+    }
+
+    private boolean hasPermission(String realmResourceType, String scope) {
+        return session.getContext().getPermissions().hasPermission(realmResourceType, scope);
+    }
+
+    private boolean hasPermission(M model, String realmResourceType, String scope) {
+        return session.getContext().getPermissions().hasPermission(model, realmResourceType, scope);
+    }
+
 }
@@ -55,7 +55,13 @@ public UserResourceTypeProvider(KeycloakSession session) {
     @Override
     public User onCreate(User resource) {
         UserProfileProvider provider = session.getProvider(UserProfileProvider.class);
-        UserProfile profile = provider.create(UserProfileContext.SCIM, Map.of(UserModel.USERNAME, resource.getUserName()));
+        String userName = resource.getUserName();
+
+        if (userName == null) {
+            throw new ModelValidationException("username is required");
+        }
+
+        UserProfile profile = provider.create(UserProfileContext.SCIM, Map.of(UserModel.USERNAME, userName));
         UserModel model = profile.create(false);
 
         populate(model, resource);
 
@@ -128,6 +128,8 @@ public Response search(SearchRequest searchRequest) {
                     .peek(this::setMetadata);
         } catch (ScimFilterException e) {
             return badRequest(e.getMessage(), "invalidFilter");
+        } catch (ForbiddenException fe) {
+            return Response.status(Status.FORBIDDEN).build();
         }
 
         if (resourceTypeProvider instanceof SingletonResourceTypeProvider<R>) {
@@ -152,21 +154,25 @@ public Response search(SearchRequest searchRequest) {
     @DELETE
     @Produces(APPLICATION_SCIM_JSON)
     public Response delete(@PathParam("id") String id) {
-        R resource = getResource(id);
+        try {
+            R resource = getResource(id);
 
-        if (resource == null) {
-            return resourceNotFound(id);
-        }
+            if (resource == null) {
+                return resourceNotFound(id);
+            }
 
-        if (resourceTypeProvider.delete(id)) {
-            adminEvent.operation(OperationType.DELETE)
-                    .resourcePath(session.getContext().getUri())
-                    .representation(resource)
-                    .success();
-            return Response.noContent().build();
-        }
+            if (resourceTypeProvider.delete(id)) {
+                adminEvent.operation(OperationType.DELETE)
+                        .resourcePath(session.getContext().getUri())
+                        .representation(resource)
+                        .success();
+                return Response.noContent().build();
+            }
 
-        return badRequest("Could not delete resource not found with id " + id);
+            return badRequest("Could not delete resource not found with id " + id);
+        } catch (ForbiddenException fe) {
+            return Response.status(Status.FORBIDDEN).build();
+        }
     }
 
     @Path("{id}")