This rule is deprecated, and will eventually be removed.
The access control of an application must be implemented properly so that access to resources is restricted to authorized entities; otherwise it can lead to vulnerabilities.
Granting the correct permissions to users, applications, groups or roles, and defining the permissions required to access a resource, is sensitive and must therefore be done with care. For instance, only users with administrator privileges should be authorized to add or remove the administrator permission of another user.
Ask Yourself Whether
- Permissions granted to an entity (user, application) allow access to information or functionality that this entity does not need.
- Privileges are easily acquired (e.g. based on the location of the user or the type of device used, defined by third parties, not subject to an approval step, …).
- Inherited or default permissions, or no privileges at all (e.g. an anonymous user), are enough to access a protected resource.
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
At a minimum, an access control system should:
- Use a well-defined access control model such as RBAC or ACL.
- Review entities' permissions regularly and remove permissions that are no longer needed.
- Respect the principle of least privilege ("an entity has access only to the information and resources that are necessary for its legitimate purpose").
Sensitive Code Example
CakePHP
use Cake\Auth\BaseAuthorize;
use Cake\Controller\Controller;
abstract class MyAuthorize extends BaseAuthorize { // Sensitive. Class extending Cake\Auth\BaseAuthorize.
// ...
}
// Note that "isAuthorized" methods will only be detected in direct subclasses of Cake\Controller\Controller.
abstract class MyController extends Controller {
public function isAuthorized($user) { // Sensitive. Method called isAuthorized in a Cake\Controller\Controller.
return false;
}
}
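The hotspot above is raised because the rule cannot tell whether an isAuthorized method implements a sound policy; it only flags the place where the policy lives. The following is an added example, not code from the rule page or from CakePHP, of what a reviewer would want to see in such a method: a default-deny decision, an explicit allowlist of actions per role, and the admin-only rule for privilege changes mentioned in the rule text. It assumes CakePHP 3.x with AuthComponent configured with 'authorize' => 'Controller', and a users table with a 'role' column holding 'admin' or 'user'; the action names and the role values are assumptions of this example.

```php
<?php
// Added example (not from the rule page or the CakePHP project).
// Assumes CakePHP 3.x, AuthComponent with 'authorize' => 'Controller',
// and a users table with a 'role' column ('admin' or 'user').
namespace App\Controller;

use Cake\Controller\Controller;
use Cake\Event\Event;

class UsersController extends Controller
{
    // Actions that change another user's privileges: admin-only
    // (the "administrator permission" case from the rule text).
    private const ADMIN_ONLY_ACTIONS = ['grantAdmin', 'revokeAdmin', 'delete'];

    // Actions an ordinary user may run only against their own record.
    private const SELF_ONLY_ACTIONS = ['view', 'edit'];

    public function initialize()
    {
        parent::initialize();
        $this->loadComponent('Auth', [
            'authenticate' => ['Form'],
            'authorize' => 'Controller', // delegate the decision to isAuthorized() below
        ]);
    }

    public function beforeFilter(Event $event)
    {
        parent::beforeFilter($event);
        // Only login is reachable anonymously; every other action requires a logged-in user.
        $this->Auth->allow(['login']);
    }

    public function isAuthorized($user)
    {
        $action = $this->request->getParam('action');
        // A missing role is treated as "no privilege", never as a default grant.
        $role = $user['role'] ?? null;
        // First passed URL argument, e.g. /users/edit/42 -> 42, if present.
        $passed = (array)$this->request->getParam('pass');
        $targetId = isset($passed[0]) ? (int)$passed[0] : null;

        if (in_array($action, self::ADMIN_ONLY_ACTIONS, true)) {
            // Privilege changes require the admin role explicitly.
            return $role === 'admin';
        }

        if (in_array($action, self::SELF_ONLY_ACTIONS, true)) {
            // Admins may manage any record; ordinary users only their own.
            if ($role === 'admin') {
                return true;
            }
            return $targetId !== null && isset($user['id']) && $targetId === (int)$user['id'];
        }

        // Default deny: an action that is not listed above is refused,
        // so adding a new action never silently widens access.
        return false;
    }
}
```

The points a reviewer would check against the rule's questions: anonymous access is limited to the one action allowed in beforeFilter, nothing is inherited from a permissive default because the final return is false, and the decision depends only on the authenticated user's role and identity, not on request data the client controls.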
See