author | Frederick Muriuki Muriithi | 2024-06-06 10:10:38 -0500 |
committer | Alexander_Kabui | 2024-08-28 15:02:45 +0300 |
commit | 503795f16fbed1b5e6ea7ecffeb1a25cf3548d8e (patch) | |
tree | 3e486b8becef130cd8074360c853396cec54c652 /gn2 | |
parent | b22d5baffb236c522ff8469f3495b63912201094 (diff) | |
Deactivate the "create_role" function
The `create_role` function could lead to privilege escalation. This
commit deactivates it completely so that this cannot happen.
Diffstat (limited to 'gn2')
-rw-r--r-- | gn2/wqflask/oauth2/roles.py | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/gn2/wqflask/oauth2/roles.py b/gn2/wqflask/oauth2/roles.py
index 2fe35f9b..ee75475e 100644
--- a/gn2/wqflask/oauth2/roles.py
+++ b/gn2/wqflask/oauth2/roles.py
@@ -93,7 +93,12 @@ def create_role():
 def __create_success__(*args):
 flash("Role created successfully.", "alert-success")
 return redirect(url_for("oauth2.role.user_roles"))
- return oauth2_post(
- "auth/group/role/create",data={
- "role_name": role_name, "privileges[]": privileges}).either(
- __create_error__,__create_success__)
+
+ raise DeprecationWarning(
+ f"The `{__name__}.create_role(…)` function, as is currently, can "
+ "lead to unbounded privilege escalation. See "
+ "https://issues.genenetwork.org/issues/gn-auth/problems-with-roles")
+ # return oauth2_post(
+ # "auth/group/role/create",data={
+ # "role_name": role_name, "privileges[]": privileges}).either(
+ # __create_error__,__create_success__) |
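Review bot: Raising `DeprecationWarning` at the end of the view surfaces the deactivation as an unhandled exception (an HTTP 500 with a traceback in logs, and the full message in debug mode) rather than as a deliberate refusal, and because it is a `Warning` subclass a reader may expect it to be filtered rather than raised; an explicit refusal such as `abort(403)` (if `abort` is imported from flask) or a flash-and-redirect in the style of `__create_success__` states the intent more clearly. The start of `create_role` lies outside the hunk, so any request parsing that precedes line 93 presumably still runs before the raise, and the route itself remains registered — consider whether the decorator should be removed as well. The four commented-out `oauth2_post` lines and the now-unused `__create_success__` helper are dead code that git history already preserves; delete them and replace them with a docstring on `create_role`, e.g. `"""Intentionally disabled: the previous implementation allowed unbounded privilege escalation. See https://issues.genenetwork.org/issues/gn-auth/problems-with-roles."""`.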