From 999d9aa75bdcc389cf907c869342d1f26ee81a0c Mon Sep 17 00:00:00 2001
From: vramik <vramik@redhat.com>
Date: Thu, 3 Apr 2025 12:26:06 +0200
Subject: [PATCH] [FGAP] Override `canList()` for V2.

Closes #38641

Signed-off-by: vramik <vramik@redhat.com>
---
 .../admin/permissions/ClientPermissionEvaluator.java         | 4 +++-
 .../resources/admin/permissions/ClientPermissionsV2.java     | 5 +++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/services/src/main/java/org/keycloak/services/resources/admin/permissions/ClientPermissionEvaluator.java b/services/src/main/java/org/keycloak/services/resources/admin/permissions/ClientPermissionEvaluator.java
index 9ebdf927575..f1bacb0b867 100644
--- a/services/src/main/java/org/keycloak/services/resources/admin/permissions/ClientPermissionEvaluator.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/permissions/ClientPermissionEvaluator.java
@@ -71,7 +71,9 @@ public interface ClientPermissionEvaluator {
     /**
      * Returns {@code true} if {@link #canView()} returns {@code true}.
      * <p/>
-     * Or if the caller has at least one of the {@link AdminRoles#QUERY_CLIENTS} or {@link AdminRoles#QUERY_USERS} roles.
+     * Or if the caller has at least one of the {@link AdminRoles#QUERY_CLIENTS} role.
+     * <p/>
+     * V1: or {@link AdminRoles#QUERY_USERS} roles.
      */
     boolean canList();
 
diff --git a/services/src/main/java/org/keycloak/services/resources/admin/permissions/ClientPermissionsV2.java b/services/src/main/java/org/keycloak/services/resources/admin/permissions/ClientPermissionsV2.java
index bad415a311a..7d7dd6b8ae4 100644
--- a/services/src/main/java/org/keycloak/services/resources/admin/permissions/ClientPermissionsV2.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/permissions/ClientPermissionsV2.java
@@ -48,6 +48,11 @@ class ClientPermissionsV2 extends ClientPermissions {
         super(session, realm, authz, root);
     }
 
+    @Override
+    public boolean canList() {
+        return root.hasOneAdminRole(AdminRoles.QUERY_CLIENTS) || canView();
+    }
+
     @Override
     public boolean canConfigure(ClientModel client) {
         if (canManage(client)) return true;