The function level access control is the type of access control that prevents the calling of functions by anonymous or unauthorized users. The lack of this kind of control is the seventh most critical security issue in Web applications according to OWASP.
In this recipe, we will see some recommendations to improve the access control of our applications at the function level.
It is not uncommon that the developers check for authorization only at the beginning of a workflow and assume that the following tasks will be authorized for the user. An attacker may try to call a function, which is an intermediate step of the flow and achieve it due to a lack of control.
About privileges, denying all by default is a best practice. If we don't know if some users are allowed to execute some function, then they are not. Turn your privilege tables into grant tables. If there is no explicit grant for some user on some function, deny any access.
When building or implementing an access control mechanism for your application's functions, store all the grants in a database or in a configuration file (a database is a better choice). If user roles and privileges are hardcoded they become harder to maintain and to change or update.