I created our login system to be secure and reliable.

One coworker hardcoded the roles a user receives when logging in and built a backend to just assign whatever roles you want. He pushed this to prod...

Yeah...

Comments
  • 5
    We all have our dirty little secrets... but this one... this one got a whole truck of them secrets...
  • 1
    At a previous workplace, while working on an ASP.NET MVC project that had been abandoned by two teams in the past, I found an endpoint where you could attach any permission group to your session identity. When I showed it to the most senior team member, he told me that he calls these "claim buffets" and every ASP.NET project he has ever worked on had one, sometimes protected by a hardcoded password but usually completely unprotected. Devs have no respect for security machinery they didn't have to build.
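The "claim buffet" the post and the comment above describe, as an added illustration that is not the original post's or the commenter's code, and written in plain Python rather than ASP.NET: `login_claim_buffet()` authenticates correctly but attaches whatever roles the request body names, which is the bug; `login()` copies roles only from the server-side user record and HMAC-signs the session so the client cannot edit it afterwards, and the only way roles change is `grant_role()`, which itself requires an admin session. The user store, passwords, key handling and the `tamper_roles()` helper (what an attacker without the key would try) are all constructed for this example.

```python
"""Added illustration of a 'claim buffet' login beside a hardened one.
All users, passwords and the signing key below are constructed sample data."""
import base64
import hashlib
import hmac
import json
import os
from typing import Optional

# Assumed per-deployment secret; in production it comes from a key store, not code.
SERVER_KEY = os.urandom(32)


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_user(password: str, roles: list) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": _hash_password(password, salt), "roles": roles}


# Constructed sample user store (the database in a real system). Roles live
# here, server-side, and nowhere a client can write to.
USERS = {
    "alice": _make_user("alice-pw", ["user"]),
    "bob": _make_user("bob-pw", ["user", "admin"]),
}


def authenticate(username: str, password: str) -> Optional[dict]:
    """Password check only; says nothing about what the user may do."""
    user = USERS.get(username)
    if user is None:
        return None
    if not hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"]):
        return None
    return user


def login_claim_buffet(request: dict) -> Optional[dict]:
    """VULNERABLE: authentication is fine, but the roles attached to the
    session are whatever the request body says they are."""
    user = authenticate(request["username"], request["password"])
    if user is None:
        return None
    # BUG: any client can send roles=["admin"] and get an admin session.
    return {"sub": request["username"], "roles": request.get("roles", user["roles"])}


def sign_session(session: dict) -> bytes:
    """Encode the session and append an HMAC tag under SERVER_KEY."""
    payload = base64.urlsafe_b64encode(json.dumps(session, sort_keys=True).encode())
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return payload + b"." + base64.urlsafe_b64encode(tag)


def verify_session(token: bytes) -> Optional[dict]:
    """Return the session dict only if the tag verifies; otherwise None."""
    payload, sep, tag_b64 = token.partition(b".")
    if not sep:
        return None
    try:
        tag = base64.urlsafe_b64decode(tag_b64)
        expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None
        return json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:  # bad base64 or bad JSON
        return None


def login(request: dict) -> Optional[bytes]:
    """HARDENED: roles come from the server-side record, never the request,
    and the session is signed. Extra request fields are simply ignored."""
    user = authenticate(request["username"], request["password"])
    if user is None:
        return None
    return sign_session({"sub": request["username"], "roles": list(user["roles"])})


def has_role(token: bytes, role: str) -> bool:
    session = verify_session(token)
    return session is not None and role in session["roles"]


def grant_role(actor_token: bytes, target: str, role: str) -> None:
    """The only path by which roles change: an authenticated admin acting
    server-side. There is deliberately no endpoint that lets a session edit
    its own roles."""
    if not has_role(actor_token, "admin"):
        raise PermissionError("only admins may change roles")
    if target not in USERS:
        raise KeyError(target)
    if role not in USERS[target]["roles"]:
        USERS[target]["roles"].append(role)


def tamper_roles(token: bytes, roles: list) -> bytes:
    """What an attacker without SERVER_KEY can do: rewrite the payload and
    reuse the old tag. verify_session() rejects the result."""
    payload, _, tag_b64 = token.partition(b".")
    session = json.loads(base64.urlsafe_b64decode(payload))
    session["roles"] = roles
    new_payload = base64.urlsafe_b64encode(json.dumps(session, sort_keys=True).encode())
    return new_payload + b"." + tag_b64


if __name__ == "__main__":
    buffet = login_claim_buffet({"username": "alice", "password": "alice-pw", "roles": ["admin"]})
    print("claim buffet gave alice:", buffet["roles"])
    tok = login({"username": "alice", "password": "alice-pw", "roles": ["admin"]})
    print("hardened login, alice is admin:", has_role(tok, "admin"))
    print("tampered token accepted:", verify_session(tamper_roles(tok, ["admin"])) is not None)
```

The two checks a reviewer should look for are visible here: nothing that reaches the session's role list is derived from request input, and a session that was not issued by the server (or was edited after issue) fails `verify_session()` before any role is consulted. In ASP.NET terms the equivalent of `login_claim_buffet()` is building `ClaimTypes.Role` claims from request fields; the fix is the same, claims come from the user store only.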