From 503795f16fbed1b5e6ea7ecffeb1a25cf3548d8e Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Thu, 6 Jun 2024 10:10:38 -0500
Subject: Deactivate the "create_role" function

The `create_role` function could lead to privilege escalation. This
commit deactivates it completely to prevent the chance of that
happening.
---
 gn2/wqflask/oauth2/roles.py | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

(limited to 'gn2/wqflask/oauth2')

diff --git a/gn2/wqflask/oauth2/roles.py b/gn2/wqflask/oauth2/roles.py
index 2fe35f9b..ee75475e 100644
--- a/gn2/wqflask/oauth2/roles.py
+++ b/gn2/wqflask/oauth2/roles.py
@@ -93,7 +93,12 @@ def create_role():
     def __create_success__(*args):
         flash("Role created successfully.", "alert-success")
         return redirect(url_for("oauth2.role.user_roles"))
-    return oauth2_post(
-        "auth/group/role/create",data={
-            "role_name": role_name, "privileges[]": privileges}).either(
-        __create_error__,__create_success__)
+
+    raise DeprecationWarning(
+        f"The `{__name__}.create_role(…)` function, as is currently, can "
+        "lead to unbounded privilege escalation. See "
+        "https://issues.genenetwork.org/issues/gn-auth/problems-with-roles")
+    # return oauth2_post(
+    #     "auth/group/role/create",data={
+    #         "role_name": role_name, "privileges[]": privileges}).either(
+    #     __create_error__,__create_success__)
-- 
cgit v1.2.3