# Improper Access Control
Correctly applied access control rules are key to keeping your data secure. Almost all applications need to protect sensitive data and operations, so putting careful thought into how to restrict access is important when designing a system.
Your access control strategy should cover three aspects:
* **Authentication** – verifying that a user is who they claim to be, both when they log in and on every subsequent request (typically via a session or token).
* **Authorization** – deciding what actions a user should and should not be able to perform once they have been authenticated.
* **Permission Checking** – evaluating authorization at the point-in-time when a user attempts to perform an action.
## Role-Based Access Control
Authorization is often implemented by granting each user a specific role, or adding them to a group. Administrative users are frequently differentiated from regular users, for instance. Here's how to implement such an authorization scheme in the Django web framework:

```python
from django.contrib.auth.decorators import login_required, permission_required
from django.contrib.auth.models import Permission, User
from django.contrib.contenttypes.models import ContentType
from django.http import JsonResponse
from django.shortcuts import get_object_or_404
from django.views.decorators.http import require_POST

# Create the permission we want to grant. get_or_create keeps this idempotent
# (a plain create() would raise on the second run); in a real project it belongs
# in a data migration rather than next to the view.
permission, _ = Permission.objects.get_or_create(
    codename='permissions.grant',
    content_type=ContentType.objects.get_for_model(User),
    defaults={'name': 'Can Grant Permissions to Other Users'},
)


# Only an authenticated user who already holds the permission may reach this view.
# Django checks permissions as '<app_label>.<codename>'; the User model lives in
# the 'auth' app. raise_exception=True returns 403 for a logged-in user without
# the permission instead of bouncing them to the login page.
# The view name and its body are reconstructed; the page only shows its outline.
@require_POST                      # state-changing action: never reachable via GET
@login_required
@permission_required('auth.permissions.grant', raise_exception=True)
def grant_permissions(request, username):
    user = get_object_or_404(User, username=username)
    user.user_permissions.add(permission)
    return JsonResponse({'message': 'Permissions granted'})
```
## Ownership-Based Access Control
Authorization schemes often implement an idea of *ownership*. Certain resources can **belong** to a user or group of users, and may not be accessible to others without their permission. Consider how users can only edit their *own* profiles on social media sites, unless they are administrators:
```python
from rest_framework import permissions


class CanUpdateProfile(permissions.BasePermission):
    # Permission string for "administrator may edit any profile"; assumed for the
    # example (it is Django's default change permission on auth.User).
    ADMIN_PERM = 'auth.change_user'

    def has_permission(self, request, view):
        # If the user has the profile editing permission they are an admin and can edit any profile.
        # Otherwise, we check this is a user trying to edit their own profile. The target
        # username comes from the URL kwargs, never from the request body.
        if not request.user.is_authenticated:
            return False
        if request.user.has_perm(self.ADMIN_PERM):
            return True
        return request.user.username == view.kwargs.get('username')
```
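As an added example, not code from the original page or from Django REST framework, the same ownership rule written in plain Python so it runs without a framework, next to the broken form that only checks that *someone* is logged in. The `Principal` type, the `profile.change_any` permission string and the in-memory profile store are constructed for the example.

```python
from dataclasses import dataclass, field


# Constructed stand-in for a framework user object.
@dataclass
class Principal:
    username: str
    is_authenticated: bool = True
    permissions: set = field(default_factory=set)


ANONYMOUS = Principal(username="", is_authenticated=False)

# Assumed permission string meaning "may edit any profile" (the admin case).
EDIT_ANY_PROFILE = "profile.change_any"


def can_update_profile_vulnerable(actor: Principal, target_username: str) -> bool:
    """The broken pattern: authentication is checked, authorization is not.

    Every logged-in user may edit every profile; the target username is never
    compared with the caller. This is the classic broken object-level
    authorization bug.
    """
    return actor.is_authenticated


def can_update_profile(actor: Principal, target_username: str) -> bool:
    """Ownership check with an administrative override, deny by default.

    Order matters: reject anonymous callers first, then allow admins, then
    allow only the owner. Anything that is not explicitly allowed is denied.
    """
    if not actor.is_authenticated:
        return False
    if EDIT_ANY_PROFILE in actor.permissions:
        return True
    return actor.username == target_username


def update_profile(store: dict, actor: Principal, target_username: str, bio: str) -> bool:
    """Enforce the check at the point of action, not only when rendering the UI.

    Returns True if the profile was changed, False if the request was refused.
    """
    if not can_update_profile(actor, target_username):
        return False
    if target_username not in store:
        return False
    store[target_username]["bio"] = bio
    return True
```

The vulnerable variant is kept only to make the contrast explicit: both functions accept the same arguments, and the only difference is whether `target_username` ever participates in the decision.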
## Access Control Lists
Finally, access control schemes are often declared as *policies* that allow or block specific actions for certain groups or users. The following application declares its access policy upfront as an *access control list* (ACL), using the `miracle-acl` Python library:

```python
from acl import Acl

acl = Acl()

# Declare the roles, and the resources with the actions that exist on them.
acl.add_roles(['admin', 'anonymous'])
acl.add({
    'page': ['read', 'write'],   # resource and action names are assumed for the example
})

# Grant actions per role. Anything not granted here is denied.
acl.grants({
    'admin': {'page': ['read', 'write']},
    'anonymous': {'page': ['read']},
})

acl.check('admin', 'page', 'read')        # True: admins can read pages
acl.check('anonymous', 'page', 'write')   # False: anonymous users may only read
```
# Further Considerations
Access control vulnerabilities tend to come from mistakes made during design, or from a rule that is documented but not enforced at every point where the action can be performed. To avoid this, make sure you:
* Design your access control upfront and document it.
* Write unit tests to validate that users can only access the resources they should have access to.
* Think like an attacker: focus on the biggest risks your organization faces and prioritize securing those.
* Record user activity in logs, so you have audit trails of who did what and when.
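Added example, not the page's code and not the `miracle-acl` library: a minimal deny-by-default access control list that ties together the ACL section above and the recommendations to design the policy upfront, unit test it, and keep an audit trail. It declares roles, resources and grants before any check runs, refuses to grant to roles or actions it has not been told about, logs every decision, and can enumerate the complete decision matrix so a test can compare it against the documented policy and catch drift in either direction. The roles, resources and the `EXPECTED_ALLOWED` table are constructed for the example.

```python
import logging
from typing import Dict, Iterable, Set, Tuple

log = logging.getLogger("authz")

Decision = Tuple[str, str, str]  # (role, resource, action)


class Acl:
    """Minimal deny-by-default ACL (example code, not the miracle-acl library)."""

    def __init__(self) -> None:
        self._roles: Set[str] = set()
        self._resources: Dict[str, Set[str]] = {}   # resource -> known actions
        self._grants: Set[Decision] = set()

    def add_roles(self, roles: Iterable[str]) -> None:
        self._roles.update(roles)

    def add(self, structure: Dict[str, Iterable[str]]) -> None:
        """Declare resources and the actions that exist on them."""
        for resource, actions in structure.items():
            self._resources.setdefault(resource, set()).update(actions)

    def grants(self, structure: Dict[str, Dict[str, Iterable[str]]]) -> None:
        """Grant actions per role. Unknown roles, resources or actions are rejected
        so a typo in the policy fails loudly instead of silently never matching."""
        for role, resources in structure.items():
            if role not in self._roles:
                raise ValueError(f"unknown role {role!r}")
            for resource, actions in resources.items():
                for action in actions:
                    if action not in self._resources.get(resource, set()):
                        raise ValueError(f"unknown action {action!r} on {resource!r}")
                    self._grants.add((role, resource, action))

    def check(self, role: str, resource: str, action: str) -> bool:
        """Point-in-time check. Anything not explicitly granted is denied,
        including roles and resources the policy has never heard of."""
        allowed = (role, resource, action) in self._grants
        # Audit trail: who asked for what, and what was decided.
        log.info("authz role=%s resource=%s action=%s decision=%s",
                 role, resource, action, "allow" if allowed else "deny")
        return allowed

    def matrix(self) -> Dict[Decision, bool]:
        """Every declared (role, resource, action) combination with its decision."""
        return {
            (role, resource, action): self.check(role, resource, action)
            for role in sorted(self._roles)
            for resource, actions in sorted(self._resources.items())
            for action in sorted(actions)
        }


def build_policy() -> Acl:
    """Policy declared upfront; roles, resources and grants are constructed for the example."""
    acl = Acl()
    acl.add_roles(["admin", "editor", "anonymous"])
    acl.add({"page": ["read", "write", "delete"], "user": ["read", "write"]})
    acl.grants({
        "admin": {"page": ["read", "write", "delete"], "user": ["read", "write"]},
        "editor": {"page": ["read", "write"]},
        "anonymous": {"page": ["read"]},
    })
    return acl


# The documented policy written out in full, so a test catches drift in either
# direction: an accidental extra grant as well as an accidental revocation.
EXPECTED_ALLOWED: Set[Decision] = {
    ("admin", "page", "read"), ("admin", "page", "write"), ("admin", "page", "delete"),
    ("admin", "user", "read"), ("admin", "user", "write"),
    ("editor", "page", "read"), ("editor", "page", "write"),
    ("anonymous", "page", "read"),
}


def policy_drift(acl: Acl) -> Set[Decision]:
    """Decisions where the live ACL disagrees with the documented policy (empty is good)."""
    actual_allowed = {decision for decision, allowed in acl.matrix().items() if allowed}
    return actual_allowed ^ EXPECTED_ALLOWED
```

Running `policy_drift(build_policy())` in a unit test turns the documented policy into an executable assertion: the symmetric difference is empty when the code matches the document, and names the exact role, resource and action whenever someone adds or removes a grant without updating the policy.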
# CWEs
* [CWE-284](https://cwe.mitre.org/data/definitions/284.html)