Hello and welcome to the Cybrary Secure Coding course. My name is Sunny Wear, and this is OWASP Top 10 for 2013: A7 Missing Function Level Access Control demo, role-based restricted URL. Well, this is the demo for A7 Missing Function Level Access Control, and we're actually going to take a look at the access control that's been placed around somebody's role and the information that they can access.

So I'm starting here on the home page for Mutillidae. If you remember from a previous exercise, we were actually able to get to a PHP info page that provided a lot of details about the version of PHP that's running, the compiler, etcetera. A lot of information that really should only be privy to administrators. And so we're going to actually go to that page, and I want you to note that this is at security level zero, which is basically no security at all. And so I'm gonna go ahead and go to that page and notice that I'm not logged in or anything. And yet I am able to see a lot of information, configuration information that really I should only be able to see as an administrator.

Now, I'm gonna go ahead and bump up the security, too. I'm actually going to move it from one all the way up to five. So now, as I move back up to security level five and I try to access that page, I actually am denied access. And I get this message that states "Secure sites do not expose administrative or configuration pages to the Internet." So this is good. It means the programmer has actually added in some protection in what information gets displayed.

Now, if we take a look at the code, what we can see here is this is the actual switch statement where we fall to the different cases according to the security level number. At security level zero and one, nothing is being done. But once we fall to case five, or security level five, then we actually have this check being done to ensure that we are an administrator. So, if is-admin is equal to true, then it's going to show that PHP info page. Otherwise it's going to display the message that we just saw.

So this is a good lesson, a real simple lesson, on how we need to ensure that particular functions have access control wrapped around them, and that usually comes in the form of checking roles or individual accounts.