diff --git a/internal/daemon/controller/handlers/roles/role_service.go b/internal/daemon/controller/handlers/roles/role_service.go index 7801fef913..d9fff5a05f 100644 --- a/internal/daemon/controller/handlers/roles/role_service.go +++ b/internal/daemon/controller/handlers/roles/role_service.go @@ -123,10 +123,6 @@ func (s Service) ListRoles(ctx context.Context, req *pbs.ListRolesRequest) (*pbs if err != nil { return nil, err } - // If no scopes match, return an empty response - if len(scopeIds) == 0 { - return &pbs.ListRolesResponse{}, nil - } pageSize := int(s.maxPageSize) // Use the requested page size only if it is smaller than diff --git a/internal/daemon/controller/handlers/roles/role_service_test.go b/internal/daemon/controller/handlers/roles/role_service_test.go index c7162e8cfc..1db2cc2f05 100644 --- a/internal/daemon/controller/handlers/roles/role_service_test.go +++ b/internal/daemon/controller/handlers/roles/role_service_test.go @@ -760,6 +760,28 @@ func TestListPagination(t *testing.T) { protocmp.IgnoreFields(&pbs.ListRolesResponse{}, "list_token"), ), ) + + // Create unauthenticated user + unauthAt := authtoken.TestAuthToken(t, conn, kms, oWithRoles.GetPublicId()) + unauthR := iam.TestRole(t, conn, pWithRoles.GetPublicId()) + _ = iam.TestUserRole(t, conn, unauthR.GetPublicId(), unauthAt.GetIamUserId()) + + // Make a request with the unauthenticated user, + // ensure the response contains the pagination parameters. + requestInfo = authpb.RequestInfo{ + TokenFormat: uint32(auth.AuthTokenTypeBearer), + PublicId: unauthAt.GetPublicId(), + Token: unauthAt.GetToken(), + } + requestContext = context.WithValue(context.Background(), requests.ContextRequestInformationKey, &requests.RequestContext{}) + ctx = auth.NewVerifierContext(requestContext, iamRepoFn, tokenRepoFn, serversRepoFn, kms, &requestInfo) + + _, err = a.ListRoles(ctx, &pbs.ListRolesRequest{ + ScopeId: "global", + Recursive: true, + }) + require.Error(t, err) + assert.ErrorIs(t, handlers.ForbiddenError(), err) } func TestDelete(t *testing.T) {