The function level access control is the type of access control that prevents the calling of functions by anonymous or unauthorized users. The lack of this kind of control is the seventh most critical security issue in Web applications according to OWASP.
In this recipe, we will see some recommendations to improve the access control of our applications at the function level.
- Ensure that the workflow's privileges are correctly checked at every step.
- Deny all access by default and then allow tasks after an explicit verification of authorization.
- Users, roles, and authorizations should be stored in a flexible media, such as a database or a configuration file. Do not hardcode them.
- Again, "Security through obscurity" is not a good posture to take.
It is not uncommon that the developers check for authorization only at the beginning of a workflow and assume that the following tasks will be authorized for the user. An attacker may try to call a function, which is an intermediate step of the flow and achieve it due to a lack of control.
About privileges, denying all by default is a best practice. If we don't know if some users are allowed to execute some function, then they are not. Turn your privilege tables into grant tables. If there is no explicit grant for some user on some function, deny any access.
When building or implementing an access control mechanism for your application's functions, store all the grants in a database or in a configuration file (a database is a better choice). If user roles and privileges are hardcoded they become harder to maintain and to change or update.