---
title: Enforce Authorization At Trusted Service Layer
impact: CRITICAL
impactDescription: prevents client-side authorization bypass
tags: authorization, server-side, middleware, access-control, security, csharp
---

## Enforce Authorization At Trusted Service Layer

Client-side checks (hiding buttons, disabling menu items, JavaScript validation) are not security checks: the client is under the attacker's control and can send any request directly. Authorization must be enforced on the server, in the trusted service layer, for every privileged action, using the identity of the authenticated principal rather than anything supplied in the request.

**Incorrect (client-side only or trusting inputs):**

```csharp
// Trusting a parameter from the client
[HttpPost]
public IActionResult DeleteUser(int id, bool isAdmin)
{
    // isAdmin is bound from the request, so the caller chooses its own privilege level
    if (isAdmin) // Attacker can toggle this!
    {
        _repo.Delete(id);
    }
    return Ok();
}
```

**Correct (server-side authorization):**

```csharp
// Role comes from the authenticated principal's claims, not from the request
[Authorize(Roles = "Admin")] // Declarative check, enforced by the authorization middleware
[HttpPost]
public IActionResult DeleteUser(int id)
{
    _repo.Delete(id);
    return Ok();
}

// Resource-based authorization: the decision depends on the specific document
[HttpPost]
public async Task<IActionResult> EditDocument(int id)
{
    var document = _repo.Get(id);
    if (document is null) return NotFound();

    // Evaluates the "EditPolicy" requirements against this user and this document
    var result = await _authorizationService.AuthorizeAsync(User, document, "EditPolicy");

    if (!result.Succeeded) return Forbid();

    // Proceed with the edit...
    return Ok();
}
```
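The controller above evaluates `"EditPolicy"` but does not show what that policy checks. The handler below is an added example, not code from the original rule: it assumes a `Document` type with an `OwnerId` property, an `Admin` role in the principal's claims, and the policy and handler registration shown in the trailing comment.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;

// Assumed resource type for this example.
public class Document
{
    public int Id { get; set; }
    public string OwnerId { get; set; } = string.Empty;
}

// Marker requirement that "EditPolicy" is composed of.
public class EditDocumentRequirement : IAuthorizationRequirement { }

// Resource-based handler: the document owner may edit, and so may an Admin.
// Any other caller falls through without Succeed(), so AuthorizeAsync fails
// and the controller returns Forbid().
public class DocumentEditHandler
    : AuthorizationHandler<EditDocumentRequirement, Document>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context,
        EditDocumentRequirement requirement,
        Document resource)
    {
        // Identity is taken from the authenticated principal (claims),
        // never from a request parameter the client can forge.
        var userId = context.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;

        var isOwner = userId is not null && userId == resource.OwnerId;
        var isAdmin = context.User.IsInRole("Admin");

        if (isOwner || isAdmin)
        {
            context.Succeed(requirement);
        }

        // Deliberately no context.Fail(): other handlers may still grant access,
        // and an unmet requirement already denies by default.
        return Task.CompletedTask;
    }
}

// Registration (Program.cs, ASP.NET Core minimal hosting):
// builder.Services.AddAuthorization(options =>
//     options.AddPolicy("EditPolicy", policy =>
//         policy.Requirements.Add(new EditDocumentRequirement())));
// builder.Services.AddSingleton<IAuthorizationHandler, DocumentEditHandler>();
```

Because the ownership comparison happens on the server against the stored `OwnerId`, an attacker who knows another user's document id still cannot edit it, which is the client-side bypass this rule is meant to prevent.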

**Tools:** Roslyn Analyzers, SonarQube
