This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "User:Yehohanan7"
From OWASP
Yehohanan7 (talk | contribs) (New page: Access control enforced by presentation layer Definition: Enforcing access control in the presentation layer means that the developer does not show buttons and links for functions ...) |
Yehohanan7 (talk | contribs) |
||
Line 1: | Line 1: | ||
− | |||
− | Definition: | + | == Access control enforced by presentation layer == |
+ | |||
+ | |||
+ | [[Definition:]] | ||
Enforcing access control in the presentation layer means that the developer does not show buttons and links for functions and assets that are not authorized for the user | Enforcing access control in the presentation layer means that the developer does not show buttons and links for functions and assets that are not authorized for the user | ||
Line 9: | Line 11: | ||
The payment button will be not shown in the payment page if the holiday is already booked. | The payment button will be not shown in the payment page if the holiday is already booked. | ||
− | Attacks | + | [[Attacks]] |
− | + | Forced Browsing | |
− | Defense | + | [[Defense]] |
+ | |||
+ | Access control must be performed in the business layer, not only the presentation layer. | ||
+ | |||
− | |||
+ | ---- | ||
− | + | == Accidental leaking of sensitive information through data queries == |
Revision as of 09:32, 22 May 2008
Access control enforced by presentation layer
Enforcing access control in the presentation layer means that the developer does not show buttons and links for functions and assets that are not authorized for the user
Example in our application:
The payment button will be not shown in the payment page if the holiday is already booked.
Forced Browsing
Access control must be performed in the business layer, not only the presentation layer.