The access control of an application must be properly implemented in order to restrict access to resources to authorized entities otherwise this could lead to vulnerabilities:
Granting correct permissions to users, applications, groups or roles and defining required permissions that allow access to a resource is sensitive, must therefore be done with care. For instance, it is obvious that only users with administrator privilege should be authorized to add/remove the administrator permission of another user.
There is a risk if you answered yes to any of those questions.
At minimum, an access control system should:
CakePHP
use Cake\Auth\BaseAuthorize;
use Cake\Controller\Controller;
abstract class MyAuthorize extends BaseAuthorize { // Sensitive. Method extending Cake\Auth\BaseAuthorize.
// ...
}
// Note that "isAuthorized" methods will only be detected in direct subclasses of Cake\Controller\Controller.
abstract class MyController extends Controller {
public function isAuthorized($user) { // Sensitive. Method called isAuthorized in a Cake\Controller\Controller.
return false;
}
}
This rule is deprecated, and will eventually be removed.