ADMIN_ROLE is assigned by default if no role is returned for a user inside WebService Body Response

Description

When a "role" for a user is not returned inside the WebService Body Response, WebServiceBodyResponseUserGroupService assigns ADMIN_ROLE to the user by default.
This is clearly a security hole.
If an authority must be added, it should be ANONYMOUS.
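The fallback the issue describes, shown beside the fail-closed variant it asks for. This is an added, self-contained example and not GeoServer's WebServiceBodyResponseUserGroupService code: the class name BodyResponseRoleMapper, the role regex, the two role-name constants and the JSON response bodies are all assumptions constructed for illustration.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Hypothetical role mapper (not GeoServer's own class): extracts role names
 * from a web service response body with a configurable regex and shows the
 * unsafe default beside the fail-closed one.
 */
public class BodyResponseRoleMapper {

    // Role names as written in the issue; assumed constants for this example.
    static final String ADMIN_ROLE = "ADMIN_ROLE";
    static final String ANONYMOUS_ROLE = "ANONYMOUS";

    private final Pattern rolePattern;
    private final String defaultRole;

    BodyResponseRoleMapper(String roleRegex, String defaultRole) {
        // Capturing group 1 of the regex must hold the role name.
        this.rolePattern = Pattern.compile(roleRegex);
        this.defaultRole = defaultRole;
    }

    /** Roles found in the body, or the configured default when none matched. */
    List<String> rolesFor(String body) {
        List<String> roles = new ArrayList<>();
        Matcher m = rolePattern.matcher(body);
        while (m.find()) {
            roles.add(m.group(1));
        }
        if (roles.isEmpty()) {
            // The security-relevant decision: what a user with no role becomes.
            roles.add(defaultRole);
        }
        return Collections.unmodifiableList(roles);
    }

    public static void main(String[] args) {
        // Regex assumed for this example: roles appear as "role":"NAME" in a JSON body.
        String roleRegex = "\"role\"\\s*:\\s*\"([^\"]+)\"";
        // Constructed sample responses, not captured from any real service.
        String withRoles = "{\"user\":\"alice\",\"roles\":[{\"role\":\"ROLE_EDITOR\"},{\"role\":\"ROLE_VIEWER\"}]}";
        String noRoles = "{\"user\":\"bob\",\"roles\":[]}";

        // Behaviour described in the issue: a missing role silently becomes administrator.
        BodyResponseRoleMapper vulnerable = new BodyResponseRoleMapper(roleRegex, ADMIN_ROLE);
        // Fail-closed variant the issue asks for: a missing role becomes anonymous.
        BodyResponseRoleMapper hardened = new BodyResponseRoleMapper(roleRegex, ANONYMOUS_ROLE);

        System.out.println("alice (vulnerable): " + vulnerable.rolesFor(withRoles));
        System.out.println("bob   (vulnerable): " + vulnerable.rolesFor(noRoles));
        System.out.println("bob   (hardened):   " + hardened.rolesFor(noRoles));
    }
}
```

The only difference between the two mappers is the default handed to the constructor; the point is that an empty match from the backend must never be mapped to the most privileged role, because a misconfigured regex or an unexpected response format then grants administrator access to every authenticated user.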

Environment

None

Activity

Marco Volpini
February 5, 2020, 1:20 PM
Edited

Related pull requests:

  • (2.17.x, master)

  • (2.16.x)

  • (2.15.x)


Andrea Aime
February 17, 2020, 3:24 PM

Last backport merged

Fixed

Assignee

Marco Volpini

Reporter

Giovanni Allegri

Triage

None

Fix versions

Affects versions

None

Components

Priority

Highest