---
title: Ensure Proper Server-Side Authorization
impact: CRITICAL
impactDescription: prevents unauthorized access to resources and data
tags: security, authorization, access-control, quality
---

## Ensure Proper Server-Side Authorization

Always verify, on the server, that the current user has permission to perform the requested action on the specific resource. Authentication alone is not sufficient: knowing who the user is does not establish what they are allowed to do.

**Incorrect (missing authorization):**

```ruby
def show
  @post = Post.find(params[:id])
  # No check that current_user may view @post: any authenticated user
  # can read any post simply by supplying its id.
end
```

**Correct (using Pundit or CanCanCan):**

```ruby
# Using Pundit
def show
  @post = Post.find(params[:id])
  authorize @post # Checks PostPolicy#show?
end

# Using scopes
def index
  @posts = policy_scope(Post) # Only returns posts user can see
end
```
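As an added example (not code from the original page), this is the policy that `authorize @post` and `policy_scope(Post)` above dispatch to, modelled in plain Ruby so it runs without Rails or the pundit gem; the `authorize`/`policy_scope` helpers and the `User`/`Post` structs are stand-ins written for this example, with the Pundit naming conventions kept.

```ruby
# Added example, not code from the original page: a plain-Ruby model of the
# Pundit policy pattern so it runs without Rails or the pundit gem. Names
# mirror Pundit's conventions; users and posts are constructed sample data.
User = Struct.new(:id, :admin, keyword_init: true)
Post = Struct.new(:id, :author_id, :published, keyword_init: true)
class NotAuthorizedError < StandardError; end

# Mirrors PostPolicy: one predicate per controller action, decided per record.
class PostPolicy
  def initialize(user, post)
    @user, @post = user, post
  end

  # show?: published posts are public; drafts only for the author or an admin.
  def show?
    @post.published || owner? || @user.admin
  end

  # update?: only the author or an admin may edit, published or not.
  def update?
    owner? || @user.admin
  end

  # Mirrors PostPolicy::Scope, which policy_scope uses for index actions.
  class Scope
    def initialize(user, scope)
      @user, @scope = user, scope
    end

    def resolve
      return @scope if @user.admin
      @scope.select { |p| p.published || p.author_id == @user.id }
    end
  end

  private
  def owner?
    @post.author_id == @user.id
  end
end

# Stand-in for Pundit's `authorize`: raise unless the policy predicate passes.
def authorize(user, record, query)
  return record if PostPolicy.new(user, record).public_send(query)
  raise NotAuthorizedError, "#{query} not allowed on post #{record.id}"
end

# Stand-in for Pundit's `policy_scope`: filter the collection, never Post.all.
def policy_scope(user, posts)
  PostPolicy::Scope.new(user, posts).resolve
end
```

The check is per record and per action, so a user who can `show?` a post is not thereby allowed to `update?` it.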

**Tools:** Brakeman, Pundit, CanCanCan
