ADMIN_ROLE is assigned by default if no role is returned for a user inside WebService Body Response

Description

When a "role" for a user is not returned inside the WebService Body Response, WebServiceBodyResponseUserGroupService assigns ADMIN_ROLE by default to the user.
This is clearly a security hole.
If an authority must be added it should be ANONYMOUS.
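
The fail-open default described in this report, set beside the fail-closed default it asks for, as an added illustration that is not GeoServer source and not code from the reporter. The class name, method names and the `"roles":"A,B"` response format are hypothetical; only the `ADMIN_ROLE` and `ANONYMOUS` names come from the report.

```java
import java.util.*;
import java.util.regex.*;

// Added illustration; not GeoServer source. Class, methods and response format are hypothetical.
public class DefaultRoleDemo {
    // Constructed response format: a JSON-like body carrying "roles":"A,B".
    private static final Pattern ROLES = Pattern.compile("\"roles\"\\s*:\\s*\"([^\"]*)\"");

    // Extract role names from the body; returns an empty set when none are present.
    static Set<String> parseRoles(String body) {
        Set<String> roles = new LinkedHashSet<>();
        if (body == null) return roles;
        Matcher m = ROLES.matcher(body);
        if (m.find()) {
            for (String r : m.group(1).split(",")) {
                if (!r.trim().isEmpty()) roles.add(r.trim());
            }
        }
        return roles;
    }

    // Behaviour described in the report: a missing role falls back to ADMIN_ROLE (fail-open).
    static Set<String> resolveFailOpen(String body) {
        Set<String> roles = parseRoles(body);
        if (roles.isEmpty()) roles.add("ADMIN_ROLE");
        return roles;
    }

    // Behaviour the report asks for: a missing role falls back to ANONYMOUS (fail-closed).
    static Set<String> resolveFailClosed(String body) {
        Set<String> roles = parseRoles(body);
        if (roles.isEmpty()) roles.add("ANONYMOUS");
        return roles;
    }

    public static void main(String[] args) {
        // Constructed sample bodies: explicit role, missing field, blank field, no body.
        String[] bodies = {
            "{\"user\":\"alice\",\"roles\":\"EDITOR\"}",
            "{\"user\":\"bob\"}",
            "{\"user\":\"carol\",\"roles\":\" , \"}",
            null
        };
        for (String b : bodies) {
            System.out.println(b + " -> fail-open " + resolveFailOpen(b)
                    + ", fail-closed " + resolveFailClosed(b));
        }
    }
}
```

A regression test for the fix would assert that the missing-field, blank-field and null-body cases never yield `ADMIN_ROLE`.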

Environment

None

Assignee

Marco Volpini

Reporter

Giovanni Allegri

Triage

None

Fix versions

Affects versions

None

Components

Priority

Highest