smholsen / SoftwareSecurityExcercise

Project for the Software Security Course @ NTNU.

Function Level Access Control (OWASP-A7) #18

Open smholsen opened 7 years ago

smholsen commented 7 years ago

What? Any user can delete other users in the database by typing the URL in the browser. ‘username’ is replaced by a valid username registered in the application. We need to make only admins or the actual user able to do this.

Why? Because if we don't then bad people can do bad things.

How? I don't know yet.

(Missing Function Level Access Control (OWASP-A7))
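The vulnerable pattern described in this issue, beside a hardened version, as an added example; this is not code from the smholsen/SoftwareSecurityExcercise repository. The user store, the role flag, the function names and the status codes are assumptions for illustration. The hardened handler takes the acting username from the server-side session (the point of #9: the role must not come from a cookie the client can edit) and allows the delete only when that user is an admin or is the account being deleted.

```python
"""Function-level access control on a delete-user action (added example,
not the project's own code; names and store are assumptions)."""

from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    username: str
    is_admin: bool = False


def make_store():
    """Constructed sample user table, keyed by username.
    A real application would query its database instead."""
    return {
        "alice": User("alice", is_admin=True),
        "bob": User("bob"),
        "carol": User("carol"),
    }


def delete_user_unsafe(store, target):
    """Vulnerable form from the issue: the handler behind the delete URL
    never looks at who is asking, so any visitor can delete any user."""
    store.pop(target, None)
    return target not in store


def handle_delete_request(store, session_username, target):
    """Hardened form. `session_username` is whatever the server-side session
    says is logged in (None if nobody is). Returns an HTTP-style status:
    401 not logged in, 403 not allowed, 404 no such user, 200 deleted.

    The authorization check runs before the existence check, so a
    non-admin cannot use 403-vs-404 to probe which usernames exist."""
    acting = store.get(session_username) if session_username else None
    if acting is None:
        return 401
    # Only an admin or the account owner may delete this account.
    if not (acting.is_admin or acting.username == target):
        return 403
    if target not in store:
        return 404
    del store[target]
    return 200


if __name__ == "__main__":
    users = make_store()
    print("unsafe, anonymous deletes carol:", delete_user_unsafe(users, "carol"))
    users = make_store()
    print("anonymous deletes bob:", handle_delete_request(users, None, "bob"))
    print("bob deletes carol:", handle_delete_request(users, "bob", "carol"))
    print("bob deletes bob:", handle_delete_request(users, "bob", "bob"))
    print("admin alice deletes carol:", handle_delete_request(users, "alice", "carol"))
```

The role lookup happens against the store on every request rather than trusting a flag carried by the client, so demoting a user takes effect immediately and a tampered cookie cannot grant admin.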

smholsen commented 7 years ago

Should this be done after #9? I mean, we need to have some way of differentiating between admin and user, and currently this is done via cookie which we are going to fix in #9.

smholsen commented 7 years ago

When I was fixing #9 I also changed the check method for checking if the current user in session is admin. I realize that this perhaps should have been done in a different commit, but I had to remove the information from the cookie, and for the application to still function I had to rework the admin check method.

I will start working on this issue now.

smholsen commented 7 years ago

Will write about this when I'm done with session management.

smholsen commented 7 years ago

Todo: Merge with master!