Unmanaged Attributes Type (Only administrators can view) allows admin API to set Unmanaged Attributes #45417

@sschu

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

user-profile

Describe the bug

When Unmanaged Attributes is set to "Only administrators can view", it is still possible for the admin to write unmanaged attributes.

Version

26.4.7

Regression

  • The issue is a regression

Expected behavior

Unmanaged attributes cannot be written when the unmanaged attribute policy is set to "Only administrators can view".

Actual behavior

Unmanaged attributes can be written when the unmanaged attribute policy is set to "Only administrators can view".

How to Reproduce?

Set unmanaged attribute policy to "Only Administrators can view" and do a

    curl --location 'http://localhost:8081/admin/realms/school/users' \
      --header 'Content-Type: application/json' \
      --header 'Authorization: Bearer {{admin_access_token}}' \
      --data-raw '{
        "username": "user10",
        "email": "[email protected]",
        "enabled": true,
        "attributes": {
          "className": "V"
        },
        "credentials": [
          {
            "type": "password",
            "value": "1234",
            "temporary": false
          }
        ]
      }'

and see the attribute className being written.

Anything else?

No response
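A regression check for the behavior reported above, as an added example that is not part of the original issue or the project's code. It assumes the realm's user profile configuration carries the policy in an `unmanagedAttributePolicy` field with the value `ADMIN_VIEW` for "Only administrators can view", and that the stored user is the representation read back from the admin API after the create request; the function names and all sample data are constructed for illustration.

```python
# Assumed serialized name of the "Only administrators can view" policy.
ADMIN_VIEW = "ADMIN_VIEW"

def managed_names(up_config):
    """Names of attributes declared in the user profile (managed attributes)."""
    return {a["name"] for a in up_config.get("attributes", [])}

def unexpected_writes(up_config, submitted, stored):
    """List unmanaged attributes from `submitted` that were persisted in
    `stored` even though the policy grants administrators read access only."""
    if up_config.get("unmanagedAttributePolicy") != ADMIN_VIEW:
        return []  # other policies are out of scope for this check
    managed = managed_names(up_config)
    sent = submitted.get("attributes") or {}
    kept = stored.get("attributes") or {}
    written = []
    for name, value in sent.items():
        if name in managed or name not in kept:
            continue
        # Stored attribute values are lists of strings; normalize before comparing.
        expected = value if isinstance(value, list) else [value]
        if kept[name] == expected:
            written.append(name)
    return sorted(written)

# Constructed sample data (not captured from a real server).
UP_CONFIG = {
    "unmanagedAttributePolicy": ADMIN_VIEW,
    "attributes": [{"name": "username"}, {"name": "email"},
                   {"name": "firstName"}, {"name": "lastName"}],
}
SUBMITTED = {  # same shape as the request body in the reproduction step
    "username": "user10",
    "email": "user10@example.invalid",  # constructed placeholder address
    "enabled": True,
    "attributes": {"className": "V"},
}
STORED_AFFECTED = {"username": "user10", "attributes": {"className": ["V"]}}
STORED_EXPECTED = {"username": "user10"}

if __name__ == "__main__":
    print("affected:", unexpected_writes(UP_CONFIG, SUBMITTED, STORED_AFFECTED))
    print("expected:", unexpected_writes(UP_CONFIG, SUBMITTED, STORED_EXPECTED))
```

A non-empty result means the write went through despite the view-only policy, which is the actual behavior described in the report.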
