When logging into the ServiceStack UI, with a user who is Admin, then not only is the Admin displayed (as a role), but all other roles in my application. I don’t know where SS picks up the role names from, perhaps from Require attributes in services?
It’s not a big thing, but it’s misleading. My user has only explicitly added “Admin” as a role, which is confirmed by looking in UserAuthRole table. Deleting cookies, JWTs, etc. (even using incognito mode) does not help. Somewhere SS finds those roles and sends them back.
One might make the argument that an administrator implicitly has every role. Is this why SS returns all roles to the UI?
It is not the same roles I get by authRepo.GetRoles(realUser), which only returns the roles that the user explicitly has.
Does it matter?
Well, in some cases it’s beneficial to know which roles are actually assigned.
And also, I have a case where I apply a role “impersonated” as a flag when the admin or a tester is impersonating a user. Perhaps there’s a better way to set that flag though.