
[CVE-2026-9088] Group Members Endpoint Bypasses User Profile Permissions #49174

@abstractj

Description


The group members endpoint (/admin/realms/{realm}/groups/{id}/members) does not enforce user profile attribute permissions. When an administrator has been denied view access to specific user attributes through user profile configuration, those attributes are still returned in group member responses.

The user list endpoint (/admin/realms/{realm}/users/) correctly hides the restricted attributes under the same configuration. The group members endpoint should behave the same way but does not.

This also affects organization members representations.

Version affected

26.2 and later

Expected behavior

When user profile permissions deny admin view of specific attributes (e.g. email, name), the group members endpoint should hide those attributes, consistent with the user list endpoint.

Actual behavior

The group members endpoint returns all default user attributes regardless of user profile permission settings. Restricted attributes such as email and name are visible in the response.

Steps to reproduce

  1. Configure user profile attribute permissions to deny admin view and edit for specific attributes (e.g. email, name)
  2. Grant FGAPv2 permissions: View and View-members on groups, and View on users
  3. Query the user list endpoint: GET /admin/realms/{realm}/users/ — restricted attributes are hidden as expected
  4. Query the group members endpoint: GET /admin/realms/{realm}/groups/{id}/members — restricted attributes are visible in the response
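The discrepancy in steps 3 and 4 can be checked mechanically: fetch the same set of users from the endpoint that honours user profile permissions (the user list) and from the endpoint under test (group members or organization members), then report every attribute the second response exposes for a user that the first response omits. The script below is an added example, not Keycloak's own code or a test from the project; it assumes both endpoints return a JSON array of UserRepresentation objects identified by `id` (with custom attributes under an `attributes` map), and the two sample responses are constructed to mirror the behaviour the issue describes.

```python
"""Audit helper: compare Keycloak admin API representations of the same users
as returned by two endpoints, and report attributes one endpoint hides but
the other exposes. Added example, not Keycloak's own code."""
import json

# Constructed sample responses (not captured from a real server).
# With a user profile configuration that denies admin view of
# email/firstName/lastName, the user list endpoint omits them ...
USER_LIST_RESPONSE = json.dumps([
    {"id": "u-1", "username": "alice", "attributes": {"department": ["eng"]}},
    {"id": "u-2", "username": "bob"},
])
# ... while the group members endpoint, per the issue, still returns them.
GROUP_MEMBERS_RESPONSE = json.dumps([
    {"id": "u-1", "username": "alice", "email": "alice@example.test",
     "firstName": "Alice", "lastName": "Liddell",
     "attributes": {"department": ["eng"], "phone": ["555-0100"]}},
    {"id": "u-2", "username": "bob", "email": "bob@example.test"},
])


def _flatten(rep):
    """Map a UserRepresentation to attribute-name -> value, folding the
    'attributes' map into 'attributes.<name>' keys so custom attributes
    are compared individually rather than as one opaque object."""
    out = {}
    for key, value in rep.items():
        if key == "attributes" and isinstance(value, dict):
            for name, val in value.items():
                out[f"attributes.{name}"] = val
        else:
            out[key] = value
    return out


def find_exposed_attributes(reference_json, candidate_json):
    """Given JSON arrays of UserRepresentations from a reference endpoint
    (one known to enforce user profile permissions) and a candidate endpoint,
    return a sorted list of (user id, attribute) pairs that the candidate
    exposes but the reference omits for the same user. Users that appear
    only in the candidate response are skipped: there is nothing to compare."""
    reference = {u["id"]: _flatten(u) for u in json.loads(reference_json)}
    leaks = []
    for user in json.loads(candidate_json):
        ref = reference.get(user["id"])
        if ref is None:
            continue
        for attr in _flatten(user):
            if attr not in ref:
                leaks.append((user["id"], attr))
    return sorted(leaks)


if __name__ == "__main__":
    for uid, attr in find_exposed_attributes(USER_LIST_RESPONSE,
                                             GROUP_MEMBERS_RESPONSE):
        print(f"{uid}: '{attr}' returned by candidate endpoint "
              f"but hidden by reference endpoint")
```

In practice the two JSON arrays would be the bodies returned by `GET /admin/realms/{realm}/users/` and `GET /admin/realms/{realm}/groups/{id}/members` for the same administrator; an empty result means the candidate endpoint hides at least everything the reference endpoint hides, which is the behaviour the issue expects.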

Anything else?

CVSS: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N (2.7 Low)

Acknowledgement: Hadley So (https://github.com/hadleyso)


This issue was originally tracked in the private repository. Migrated by @abstractj.
