# Improper Access Control

Correctly applied access control rules are key to keeping your data secure. Almost all applications need to protect sensitive data and operations, so putting careful thought into how to restrict access is important when designing a system.

Your access control strategy should cover three aspects:

* **Authentication** – correctly identifying a user when they return to the application.
* **Authorization** – deciding what actions a user should and should not be able to perform once they have been authenticated.
* **Permission Checking** – evaluating authorization at the point-in-time when a user attempts to perform an action.

## Role-Based Access Control

Authorization is often implemented by granting each user a specific role, or adding them to a group. Administrative users are frequently differentiated from regular users, for instance. Here’s how to implement such an authorization scheme in the Django web-framework:

from django.contrib.auth.decorators import login_required, permission_required
from django.contrib.auth.models import Permission
from django.contrib.contenttypes.models import ContentType
from django.http import JsonResponse# Create the permission we want to grant.
codename = ‘permissions.grant’,
name = ‘Can Grant Permissions to Other Users’,
content_type = ContentType.objects.get_for_model(User)

def grant_permissions(request):
“””Allow an admin to grant admin privileges to another user, after checking
the current user has the permission themselves.”””
username = request.POST[‘username’]

user = User.objects.get(username=username)

return JsonResponse({ ‘message’ : ‘Permissions granted’ })

## Ownership-Based Access Control

Authorization schemes often implement an idea of *ownership*. Certain resources can **belong** to a user or group of users, and may not be accessible to others without their permission. Consider how users can only edit their *own* profiles on social media sites, unless they are administrators:

from django.contrib.auth.models import User
from rest_framework import permissionsclass CanUpdateProfile(permissions.BasePermission):

def has_permission(self, request, view):
“””Users can edit their own profiles. Admins can edit *all* profiles.”””

# If the user has the profile editing permission they are an admin and can edit any profile.
if request.user.has_perm(‘edit.profile’):
return True

# Otherwise, we check this is a user trying to edit their own profile.
return request.user == User.objects.get(username=view.kwargs[‘username’])

## Access Control Lists

Finally, access control schemes are often declared as *policies* that block or allow specific actions for certain groups or users. The following application declares access policies upfront using an *Access Control Language* (ACL), implemented using the `miracl-acl` library:

from acl import Acl
acl = Acl()acl.add_roles([ ‘admin’, ‘anonymous’ ])

‘blog’: [ ‘post’ ],
‘page’: [ ‘create’, ‘read’, ‘update’, ‘delete’ ]

‘admin’ : {
‘blog’: [ ‘post’ ],
‘page’: [ ‘create’, ‘read’, ‘update’, ‘delete’ ]
‘anonymous’ : {
‘page’: [ ‘read’ ]

acl.check(‘admin’, ‘page’, ‘read’) # True: admins can read pages
acl.check(‘anonymous’, ‘page’, ‘read’) # True: anonymous users can read pages
acl.check(‘anonymous’, ‘page’, ‘delete’) # False: anonymous users cannot delete pages

# Further Considerations

Access control vulnerabilities tend to occur when mistakes are made during the design phase. To avoid this, make sure you:

* Design your access control upfront and document it.
* Write unit tests to validate that users can only access the resources they should have access to.
* Think like an attacker: focus on the biggest risks your organization faces and prioritize securing those.
* Record user activity in logs, so you have audit trails of who did what and when.

# CWEs

* [CWE-284](https://cwe.mitre.org/data/definitions/284.html)

About ShiftLeft

ShiftLeft empowers developers and AppSec teams to dramatically reduce risk by quickly finding and fixing the vulnerabilities most likely to reach their applications and ignoring reported vulnerabilities that pose little risk. Industry-leading accuracy allows developers to focus on security fixes that matter and improve code velocity while enabling AppSec engineers to shift security left.

A unified code security platform, ShiftLeft CORE scans for attack context across custom code, APIs, OSS, containers, internal microservices, and first-party business logic by combining results of the company’s and Intelligent Software Composition Analysis (SCA). Using its unique graph database that combines code attributes and analyzes actual attack paths based on real application architecture, ShiftLeft then provides detailed guidance on risk remediation within existing development workflows and tooling. Teams that use ShiftLeft ship more secure code, faster. Backed by SYN Ventures, Bain Capital Ventures, Blackstone, Mayfield, Thomvest Ventures, and SineWave Ventures, ShiftLeft is based in Santa Clara, California. For information, visit: www.shiftleft.io.


See for yourself – run a scan on your code right now