Serverless, ReactPHP, and Expanding Frontiers, May 2019


26 \ May 2019 \ http://www.phparch.com


Security Corner


Access Control and Authorization

Eric Mann


Proving the identity of a user isn't the end of an application's responsibilities: you must also verify the user is allowed to perform the actions they're attempting. Conflating authentication (the act of identifying users) with authorization (the act of verifying their level of access within the system) is one of the most common ways applications have been breached in the recent past.


Confusing authentication with authorization is easy. The first covers proving a user is who they say they are; the second that they are allowed to perform a specific action. Often, developers adequately implement the first and require a user login for sensitive actions or pages. Unfortunately, it's easy to either skip the latter control or fail to implement it properly. Just knowing who the user is doesn't necessarily prove they're allowed to view content, delete content, or otherwise interact with the system.


If your application implements authentication but fails to provide access control for sensitive operations, there is no difference between a low-level user and the system administrator. The mere act of logging in would allow any user to do anything within your system! Likewise, improperly implementing authorization mechanisms is often as bad as having no access control system at all!


As a trivial example, consider a PHP-based file management system which allows a logged-in user to download files uploaded via a support queue, shown in Listing 1.


This file download script is incredibly simple and is provided here only to illustrate the lack of proper authorization in the system. Please do not use code like this in production, as the simplicity here does not provide adequate protection for your filesystem. You would also want to ensure PHP is only allowed read access to specific locations and would want to provide better whitelisting around files that can be downloaded in such a fashion—potentially even an explicit whitelist on MIME types.

This simple script ensures the user is logged in (i.e., their user ID is valid and stored in a session variable), but it does not guarantee the user is permitted access to the files in this uploads directory. Any user with a valid session would be capable of downloading any file in this directory, regardless of whether or not they have a legitimate reason to do so.

Access Control Systems
An access control system maps authenticated users to the actions they are permitted to perform. In this way, you can separate users into groups within your application and empower only certain individuals to perform specific actions. Adding files, downloading raw data, executing SQL statements, sending transactional email, changing system settings—each of these operations can be locked down such that the application permits only a subset of users to execute them. At the same time, unprivileged users can still authenticate and use your application, while protecting sensitive operations from abuse.
There are multiple forms of access control, and each is suited for a different environment and type of use.

Role-Based Systems
With role-based access control (RBAC), users are each assigned one or more roles within a system. Sensitive operations are then restricted based on whether or not a user is in a particular role.
According to the documentation for PHP-RBAC^1, the standard role-based tool for PHP published by OWASP^2:

1 PHP-RBAC: http://phprbac.net
2 OWASP: https://www.owasp.org/index.php/Main_Page

Listing 1

<?php
// session_start() is required for $_SESSION to be populated at all;
// without it the check below would reject every request.
session_start();

// Authentication only: the request must carry a logged-in session.
if (!isset($_SESSION['user_id'])) {
    http_response_code(403);
    exit;
}

// basename() strips directory components, so "../" cannot escape the
// uploads directory. Nothing here checks whether *this* user may have
// *this* file: that is the missing authorization step the column describes.
$filename = basename($_POST['filename'] ?? '');
$file = sprintf('/var/www/support/uploads/%s', $filename);

if (file_exists($file)) {
    header('Content-Description: File Transfer');
    header('Content-Type: application/octet-stream');
    header(sprintf(
        'Content-Disposition: attachment; filename="%s"',
        $filename
    ));
    header('Expires: 0');
    header('Cache-Control: must-revalidate');
    header('Pragma: public');
    header(sprintf('Content-Length: %d', filesize($file)));
    readfile($file);
    exit;
}
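Listing 1 with the missing authorization step inserted between the session check and the file read, combining the ownership rule from the download discussion with a role-based rule of the kind the RBAC section introduces. This is an added example written for this column, not code from the article or from PHP-RBAC; can_download(), the $uploadedBy table and the $roles table are constructed stand-ins for a database lookup.

```php
<?php
// Added example: Listing 1 plus an authorization step. can_download(),
// $uploadedBy and $roles are constructed stand-ins for a database lookup.
session_start();

// Authentication: is anyone logged in at all?
if (!isset($_SESSION['user_id'])) {
    http_response_code(401);
    exit;
}

$userId   = (int) $_SESSION['user_id'];
$filename = basename((string) ($_POST['filename'] ?? ''));
$uploads  = '/var/www/support/uploads';
$file     = $uploads . '/' . $filename;

// Constructed sample metadata: who uploaded each file, which roles each user holds
$uploadedBy = ['invoice-42.pdf' => 7, 'screenshot.png' => 9];
$roles      = [7 => ['customer'], 9 => ['customer'], 1 => ['support_agent']];

function can_download(int $userId, string $filename, array $uploadedBy, array $roles): bool
{
    if (!isset($uploadedBy[$filename])) {
        return false;                 // unknown file: deny by default
    }
    if ($uploadedBy[$filename] === $userId) {
        return true;                  // uploaders may fetch their own files
    }
    // Role-based rule (RBAC): support agents may read every ticket attachment
    return in_array('support_agent', $roles[$userId] ?? [], true);
}

// Authorization: is this particular user allowed this particular file?
if ($filename === '' || !can_download($userId, $filename, $uploadedBy, $roles)) {
    http_response_code(403);
    exit;
}

// Belt and braces: the resolved path must stay inside the uploads directory
$real = realpath($file);
if ($real === false || strpos($real, $uploads . '/') !== 0 || !is_file($real)) {
    http_response_code(404);
    exit;
}

header('Content-Type: application/octet-stream');
header(sprintf('Content-Disposition: attachment; filename="%s"', $filename));
header(sprintf('Content-Length: %d', filesize($real)));
readfile($real);
exit;
```

With these tables, user 7 can fetch invoice-42.pdf but not screenshot.png, while user 1 (a support agent) can fetch both; the 401/403 split also lets your logs distinguish unauthenticated requests from authenticated users probing files that are not theirs.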
