SS UI shows all roles for Admin

When logging into the ServiceStack UI with a user who is Admin, not only is Admin displayed (as a role), but so are all other roles in my application. I don’t know where SS picks up the role names from, perhaps from Require attributes in services?

It’s not a big thing, but it’s misleading. My user has only explicitly added “Admin” as a role, which is confirmed by looking in the UserAuthRole table. Deleting cookies, JWTs, etc. (even using incognito mode) does not help. Somewhere SS finds those roles and sends them back.

One might make the argument that an administrator implicitly has every role. Is this why SS returns all roles to the UI?

It is not the same roles I get by authRepo.GetRoles(realUser); which only returns the roles that the user explicitly has.

Does it matter?

Well, in some cases it’s beneficial to know which roles are actually assigned.
And also, I have a case where I apply a role “impersonated” as a flag when the admin or a tester is impersonating a user. Perhaps there’s a better way to set that flag though.

Yes, from all roles ServiceStack finds in your App; this should be the same list of roles listed in the Admin Users UI.

Right, the Admin role gives super user access to all server resources, but the full list of roles is needed by some client applications which implement role-based access using Microsoft’s [Authorize] attribute (e.g. Blazor Apps).

Regarding the second point, this is a change made e.g. for Blazor apps? It wasn’t always like this, right?

Right, it was made to support .NET Client Apps like Blazor which require all roles they have access to.