A7 – Ensuring function level access control
The function level access control is the type of access control that prevents the calling of functions by anonymous or unauthorized users. The lack of this kind of control is the seventh most critical security issue in Web applications according to OWASP.
In this recipe, we will see some recommendations to improve the access control of our applications at the function level.
How to do it...
Ensure that the workflow's privileges are correctly checked at every step.
Deny all access by default and then allow tasks after an explicit verification of authorization.
Users, roles, and authorizations should be stored in a flexible media, such as a database or a configuration file. Do not hardcode them.
Again, "Security through obscurity" is not a good posture to take.
How it works...
It is not uncommon that the developers check for authorization only at the beginning of a workflow and assume that the following tasks will be authorized for the user. An attacker...