When a "role" for a user is not returned inside the WebService Body Response, WebServiceBodyResponseUserGroupService assigns ADMIN_ROLE by default to the user.
This is clearly a security hole.
If an authority must be added, it should be ANONYMOUS.
Related pull requests:
Last backport merged
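The fail-open default reported above, next to a fail-closed alternative, as an added example that is not the project's own code. The class and method names, the `<role>` element format and the regular expression are assumptions made for illustration; only the names ADMIN_ROLE and ANONYMOUS come from the issue text.

```java
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class RoleFallbackExample {
    // Names taken from the issue text; the string values are placeholders.
    static final String ADMIN_ROLE = "ADMIN_ROLE";
    static final String ANONYMOUS = "ANONYMOUS";

    // Assumption: roles appear in the body as <role>NAME</role> elements.
    static final Pattern ROLE = Pattern.compile("<role>\\s*([^<\\s]+)\\s*</role>");

    static Set<String> extractRoles(String body) {
        Set<String> roles = new LinkedHashSet<>();
        Matcher m = ROLE.matcher(body == null ? "" : body);
        while (m.find()) roles.add(m.group(1));
        return roles;
    }

    // Behaviour described in the issue: a missing role silently becomes admin.
    static Set<String> resolveFailOpen(String body) {
        Set<String> roles = extractRoles(body);
        if (roles.isEmpty()) {
            roles.add(ADMIN_ROLE);
        }
        return roles;
    }

    // Fail closed: a missing role yields only the least-privileged authority.
    static Set<String> resolveFailClosed(String body) {
        Set<String> roles = extractRoles(body);
        if (roles.isEmpty()) {
            roles.add(ANONYMOUS);
        }
        return roles;
    }

    public static void main(String[] args) {
        // Constructed sample bodies: with a role, without one, empty, and null.
        String[] bodies = {"<user><name>alice</name><role>EDITOR</role></user>",
                "<user><name>bob</name></user>", "", null};
        for (String body : bodies) {
            System.out.println(body + " -> fail-open " + resolveFailOpen(body)
                    + ", fail-closed " + resolveFailClosed(body));
        }
    }
}
```

A regression test for the fix would assert that every body without a role, including the empty and null cases, never resolves to ADMIN_ROLE.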