Application-Layer RBAC Enforcement
Description
Enforce role-based access control within the application by mapping each user to a set of roles, each role to a set of permissions, and verifying that the caller holds the required permission before executing any privileged operation. Authorization checks run as middleware or decorators on every privileged API endpoint, evaluated after authentication and before business logic. Role assignments follow least privilege: users receive the minimum role needed for their function. This control prevents authenticated users from accessing administrative functions, modifying other users' data, or escalating their own privileges through direct API calls.
CVSS Vector Impacts
| Metric | Transition | Rationale |
|---|---|---|
| Privileges Required (PR) | L → H | An attacker with any authenticated session is blocked from privileged operations; exploitation requires compromise of a specifically privileged role. The mechanism is the per-endpoint role verification gate that rejects requests from insufficiently privileged callers before business logic executes. |
| Integrity (I) | H → L | Write operations are confined to the caller's authorized scope; modification of resources outside the caller's role permissions is rejected before execution, limiting integrity impact to the attacker's own authorized data. |
CWE Relationships
Verification
Inspect application source for role-based authorization checks on privileged endpoints; test that unprivileged authenticated users receive HTTP 403 on admin endpoints.
# Expected: Authorization decorators or middleware present on privileged endpoint handlers
# Expected: 403
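The following is an added example (not code from the original entry or any particular project) that implements the control described above and exercises the verification step: a role-to-permission map, a decorator that runs after authentication and before the handler body, an ownership rule so that a "user" role may edit only its own profile, and a scenario runner whose statuses show the expected 401/403/200 outcomes. The role names, permission strings, `Principal`/`Request`/`Response` types and handler names are constructed for illustration; a real service would hook the same decorator into its framework's middleware chain.

```python
"""Application-layer RBAC: roles -> permissions, checked per endpoint.

Added example; role/permission names, the Request/Response types and the
handlers are constructed for illustration, not taken from any real project.
"""
from dataclasses import dataclass, field
from functools import wraps
from typing import Callable, Dict, FrozenSet, Optional

# Role -> permissions. Each role carries only what its function needs
# (least privilege); "user" can read and write its own profile only.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "user": frozenset({"profile:read:self", "profile:write:self"}),
    "support": frozenset({"profile:read:self", "profile:write:self",
                          "profile:read:any"}),
    "admin": frozenset({"profile:read:self", "profile:write:self",
                        "profile:read:any", "profile:write:any", "role:assign"}),
}


@dataclass
class Principal:
    """Authenticated caller, as produced by the authentication layer."""
    user_id: str
    roles: FrozenSet[str]

    def permissions(self) -> FrozenSet[str]:
        # An unknown role grants nothing: a typo in a role assignment
        # must fail closed rather than raise or grant by accident.
        perms: set = set()
        for role in self.roles:
            perms |= ROLE_PERMISSIONS.get(role, frozenset())
        return frozenset(perms)


@dataclass
class Request:
    principal: Optional[Principal]           # None means not authenticated
    params: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str


def require_permission(permission: str, *, self_param: Optional[str] = None) -> Callable:
    """Gate a handler behind `permission`.

    If `self_param` is given, a caller lacking the broad permission (e.g.
    "profile:write:any") is still allowed when it holds the ":self" variant
    and the targeted resource id in request.params[self_param] is its own.
    The check runs before the wrapped handler executes.
    """
    def decorator(handler: Callable[..., Response]) -> Callable[..., Response]:
        @wraps(handler)
        def wrapper(request: Request, *args, **kwargs) -> Response:
            if request.principal is None:
                return Response(401, "authentication required")  # authn precedes authz
            perms = request.principal.permissions()
            if permission in perms:
                return handler(request, *args, **kwargs)
            if self_param is not None:
                self_perm = permission.rsplit(":", 1)[0] + ":self"
                if self_perm in perms and request.params.get(self_param) == request.principal.user_id:
                    return handler(request, *args, **kwargs)
            return Response(403, "forbidden")  # default deny, handler never runs
        return wrapper
    return decorator


# Constructed sample data standing in for the application's data store.
PROFILES: Dict[str, Dict[str, str]] = {
    "alice": {"email": "alice@example.test"},
    "bob": {"email": "bob@example.test"},
}


@require_permission("profile:write:any", self_param="user_id")
def update_profile(request: Request) -> Response:
    target = request.params["user_id"]
    PROFILES[target]["email"] = request.params["email"]
    return Response(200, f"updated {target}")


@require_permission("role:assign")
def assign_role(request: Request) -> Response:
    return Response(200, f"role {request.params['role']} assigned to {request.params['user_id']}")


def run_scenarios() -> Dict[str, int]:
    """Exercise the gate the way the verification step describes; returns statuses."""
    alice = Principal("alice", frozenset({"user"}))
    admin = Principal("root", frozenset({"admin"}))
    return {
        "anon_update": update_profile(Request(None, {"user_id": "alice", "email": "x"})).status,
        "self_update": update_profile(Request(alice, {"user_id": "alice", "email": "a2@example.test"})).status,
        "other_update": update_profile(Request(alice, {"user_id": "bob", "email": "hijack@example.test"})).status,
        "self_escalate": assign_role(Request(alice, {"user_id": "alice", "role": "admin"})).status,
        "admin_update": update_profile(Request(admin, {"user_id": "bob", "email": "b2@example.test"})).status,
        "admin_assign": assign_role(Request(admin, {"user_id": "alice", "role": "support"})).status,
    }


if __name__ == "__main__":
    for name, status in run_scenarios().items():
        print(f"{name:14s} -> {status}")
```

The unprivileged-but-authenticated cases (`other_update`, `self_escalate`) return 403 and leave the target data untouched, which is the outcome the verification step expects; the unauthenticated case returns 401 because the authorization gate only makes sense once identity is established.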