---
title: Enforce Authorization At Trusted Service Layer
impact: CRITICAL
impactDescription: prevents client-side authorization bypass and unauthorized access
tags: authorization, server-side, middleware, access-control, security, php
---

## Enforce Authorization At Trusted Service Layer

Client-side authorization (e.g., hiding a button in JavaScript) is a UI enhancement only and is trivially bypassed by anyone who opens the browser console or intercepts network requests. Every access control check must be enforced on the server side, using trusted data from the authenticated session.

**Incorrect (client-side or trusting client-provided state):**

```php
// 1. Trusting a hidden field or POST data for permissions
function deleteUser($userId) {
    if ($_POST['is_admin'] == '1') { // VULNERABLE: Client can send is_admin=1
        DB::table('users')->where('id', $userId)->delete();
    }
}

// 2. Trusting a role stored in a plain cookie (client-controlled, not a server-side session)
if ($_COOKIE['role'] === 'admin') { // VULNERABLE: Client can set role=admin
    // ...
}
```

**Correct (server-side authorization):**

```php
// 1. Using middleware (Laravel example)
Route::delete('/users/{id}', [UserController::class, 'destroy'])
    ->middleware('can:delete-users'); // Server-side check via Policy/Gate

// 2. Explicit check in the controller against the session user
public function destroy($id) {
    $user = Auth::user(); // Trusted data from the server-side session

    // Load the target first so a missing id yields 404 rather than a policy check on null
    $target = User::findOrFail($id);

    // Using a Policy (recommended)
    if ($user->cannot('delete', $target)) {
        abort(403, 'Unauthorized action.');
    }

    // ... delete logic
}

// 3. Using Symfony Voters (inside a controller extending AbstractController)
// $this->denyAccessUnlessGranted('POST_EDIT', $post);
```

**Never trust:**
- Client-side checks (JavaScript logic).
- Hidden form fields or request body parameters for defining user "roles" or "powers".
- URL parameters for access control (e.g. `?is_admin=true`).
- Browser storage (LocalStorage/SessionStorage) for authorization state.
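The principle above in framework-free PHP, as an added example that is not from the original rule or any framework: the handler resolves the actor from a server-side session store keyed by the session cookie and never reads the client-supplied `is_admin` field. `UserPolicy`, `currentActor`, `handleDeleteUser` and the sample session and user arrays are constructed for this illustration.

```php
<?php
declare(strict_types=1);
// Added example, not from the original rule: a framework-free policy whose
// decision uses only server-side session state. UserPolicy, currentActor and
// handleDeleteUser are hypothetical names chosen for this illustration.
final class UserPolicy
{
    // Action -> roles allowed to perform it. Held on the server, never sent by the client.
    private const PERMISSIONS = ['delete' => ['admin'], 'view' => ['admin', 'user']];

    public function allows(array $actor, string $action): bool
    {
        return in_array($actor['role'] ?? '', self::PERMISSIONS[$action] ?? [], true);
    }
}

// Look the session id up server-side; $sessionStore stands in for the session backend.
function currentActor(string $sessionId, array $sessionStore): ?array
{
    return $sessionStore[$sessionId] ?? null;
}

// Handle DELETE /users/{id}; $request mirrors $_COOKIE and $_POST. Returns an HTTP status.
function handleDeleteUser(array $request, array $sessionStore, array &$users): int
{
    $actor = currentActor($request['cookie']['sid'] ?? '', $sessionStore);
    if ($actor === null) {
        return 401; // no authenticated session
    }
    // The client-supplied $request['post']['is_admin'] is deliberately never read.
    if (!(new UserPolicy())->allows($actor, 'delete')) {
        return 403;
    }
    $targetId = (int) ($request['post']['id'] ?? 0);
    if (!isset($users[$targetId])) {
        return 404;
    }
    unset($users[$targetId]);
    return 204;
}

// Constructed sample state: two sessions and three user records.
$sessions = ['s-user' => ['id' => 7, 'role' => 'user'], 's-admin' => ['id' => 1, 'role' => 'admin']];
$users = [1 => 'alice', 7 => 'bob', 9 => 'carol'];

// Same forged is_admin=1 body from both sessions, then with no session at all.
$forged = ['id' => '9', 'is_admin' => '1'];
echo handleDeleteUser(['cookie' => ['sid' => 's-user'], 'post' => $forged], $sessions, $users), PHP_EOL;
echo handleDeleteUser(['cookie' => ['sid' => 's-admin'], 'post' => $forged], $sessions, $users), PHP_EOL;
echo handleDeleteUser(['cookie' => [], 'post' => $forged], $sessions, $users), PHP_EOL;
```

Only the admin session is permitted to delete; the regular user's forged flag changes nothing because the decision never consults request data.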

**Tools:** Laravel Middleware/Gates/Policies, Symfony Voters, PHPUnit (testing auth logic), SonarQube
