Account API: Resource sharing endpoints ignore userManagedAccessAllowed realm setting

Closes #48987

Signed-off-by: Martin Kanis <mkanis@ibm.com>

services/src/main/java/org/keycloak/services/resources/account/AccountRestService.java

@@ -222,6 +222,9 @@ public class AccountRestService {
     @Path("/resources")
     public ResourcesService resources() {
         checkAccountApiEnabled();
+        if (!realm.isUserManagedAccessAllowed()) {
+            throw ErrorResponse.error("User-managed access not enabled", Response.Status.FORBIDDEN);
+        }
         auth.requireOneOf(AccountRoles.MANAGE_ACCOUNT, AccountRoles.VIEW_PROFILE);
         return new ResourcesService(session, user, auth, request);
     }

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/account/ResourcesRestServiceTest.java

@@ -533,6 +533,40 @@ public class ResourcesRestServiceTest extends AbstractRestServiceTest {
                 "view-account-access PUT " + permissionsUrl);
     }
 
+    @Test
+    public void testResourceEndpointsBlockedWhenUmaDisabled() throws Exception {
+        Resource resource = getMyResources().get(0);
+        String resourceId = resource.getId();
+
+        final String resourcesUrl = getAccountUrl("resources");
+        final String sharedWithOthersUrl = resourcesUrl + "/shared-with-others";
+        final String sharedWithMeUrl = resourcesUrl + "/shared-with-me";
+        final String resourceUrl = resourcesUrl + "/" + encodePathAsIs(resourceId);
+        final String permissionsUrl = resourceUrl + "/permissions";
+        final String requestsUrl = resourceUrl + "/permissions/requests";
+
+        RealmRepresentation realmRep = adminClient.realm("test").toRepresentation();
+        try {
+            realmRep.setUserManagedAccessAllowed(false);
+            adminClient.realm("test").update(realmRep);
+
+            for (String url : Arrays.asList(resourcesUrl, sharedWithOthersUrl, sharedWithMeUrl, resourceUrl, permissionsUrl, requestsUrl)) {
+                assertEquals(403,
+                        SimpleHttpDefault.doGet(url, httpClient).acceptJson().auth(tokenUtil.getToken()).asStatus(),
+                        "UMA disabled GET " + url);
+            }
+
+            List<Permission> permissions = new ArrayList<>();
+            permissions.add(new Permission("jdoe", "Scope A"));
+            assertEquals(403,
+                    SimpleHttpDefault.doPut(permissionsUrl, httpClient).acceptJson().auth(tokenUtil.getToken()).json(permissions).asStatus(),
+                    "UMA disabled PUT " + permissionsUrl);
+        } finally {
+            realmRep.setUserManagedAccessAllowed(true);
+            adminClient.realm("test").update(realmRep);
+        }
+    }
+
     @Test
     public void testRevokePermission() throws Exception {
         List<String> users = Arrays.asList("jdoe", "alice");