aboutsummaryrefslogtreecommitdiff
path: root/gn2/wqflask/oauth2
diff options
context:
space:
mode:
authorFrederick Muriuki Muriithi2024-06-06 10:10:38 -0500
committerAlexander_Kabui2024-08-28 15:02:45 +0300
commit503795f16fbed1b5e6ea7ecffeb1a25cf3548d8e (patch)
tree3e486b8becef130cd8074360c853396cec54c652 /gn2/wqflask/oauth2
parentb22d5baffb236c522ff8469f3495b63912201094 (diff)
downloadgenenetwork2-503795f16fbed1b5e6ea7ecffeb1a25cf3548d8e.tar.gz
Deactivate the "create_role" function
The `create_role` function could lead to privilege escalation. This commit deactivates it completely to prevent the chance of that happening.
Diffstat (limited to 'gn2/wqflask/oauth2')
-rw-r--r--gn2/wqflask/oauth2/roles.py13
1 files changed, 9 insertions, 4 deletions
diff --git a/gn2/wqflask/oauth2/roles.py b/gn2/wqflask/oauth2/roles.py
index 2fe35f9b..ee75475e 100644
--- a/gn2/wqflask/oauth2/roles.py
+++ b/gn2/wqflask/oauth2/roles.py
@@ -93,7 +93,12 @@ def create_role():
def __create_success__(*args):
flash("Role created successfully.", "alert-success")
return redirect(url_for("oauth2.role.user_roles"))
- return oauth2_post(
- "auth/group/role/create",data={
- "role_name": role_name, "privileges[]": privileges}).either(
- __create_error__,__create_success__)
+
+ raise DeprecationWarning(
+ f"The `{__name__}.create_role(…)` function, as is currently, can "
+ "lead to unbounded privilege escalation. See "
+ "https://issues.genenetwork.org/issues/gn-auth/problems-with-roles")
+ # return oauth2_post(
+ # "auth/group/role/create",data={
+ # "role_name": role_name, "privileges[]": privileges}).either(
+ # __create_error__,__create_success__)