Controlling permissions is security-sensitive. It has led in the past to the following vulnerabilities:

Attackers can only damage what they have access to. Thus limiting their access is a good way to prevent them from wreaking havoc, but it has to be done properly.

This rule flags code that controls the access to resources and actions or configures this access. The goal is to guide security code reviews.

Ask Yourself Whether

You are at risk if you answered yes to the first question and any of the following ones.

Recommended Secure Coding Practices

The first step is to restrict all sensitive actions to authenticated users.

Each user should have the lowest privileges possible. The access control granularity should match the sensitivity of each resource or action. The more sensitive it is, the less people should have access to it.

Do not base the access control on a user input or on a value which might have been tampered with. For example, the developer should not read a user's permissions from an HTTP cookie as it can be modified client-side.

Check that the access to each action and resource is properly restricted.

Enable administrators to swiftly remove permissions when necessary. This enables them to reduce the time an attacker can have access to your systems when a breach occurs.

Log and monitor refused access requests as they can reveal an attack.

Questionable Code Example

CakePHP

use Cake\Auth\BaseAuthorize;
use Cake\Controller\Controller;

abstract class MyAuthorize extends BaseAuthorize { // Questionable. Method extending Cake\Auth\BaseAuthorize.
    // ...
}

// Note that "isAuthorized" methods will only be detected in direct subclasses of Cake\Controller\Controller.
abstract class MyController extends Controller {
    public function isAuthorized($user) { // Questionable. Method called isAuthorized in a Cake\Controller\Controller.
        return false;
    }
}

See