OWASP Broken Access Control by example: preventing users from reading/writing data that isn’t theirs

I have experience building RBAC-based authorization mechanisms, and understand the theory behind ACLs (DAC?) though I’ve never had the need to implement them.

A situation was just presented to me that I realize I have never thought about dealing with before, but absolutely should have. I believe OWASP refers to this problem as Broken Access Control, but the scenario is this:

User X should not be allowed to read/write certain data belonging to User Y.

So for instance, User X is a valid, authenticated user/principal in my system; and so is User Y.

Each user in the system has a “public profile” which consists of, say, 20+ tidbits of information about them that is safe to be shared with all other authenticated users. Things like: username, last login time, length of time they’ve been a user, their favorite food, etc.

However, certain information, such as their email, payment info, password, and perhaps other sensitive information should only be visible to the user the information belongs to, and only on the appropriate screens, when they are logged in. Furthermore, no one other than them should ever be able to write new values for those pieces of data. So User X should never be able to update User Y’s email or password, etc.

Let’s say I have RESTful endpoints that allow users to fetch + update their data. So you might have:

  • GET /users/{userId}/profile : returns a JSON object with all their shareable “public” data
  • PUT /users/{userId}/email : updates a user’s email address with a new value

In the latter case, we need to restrict access to the endpoint in such a way that the requester can only be permitted to take the action if it’s for their own userId.

I’m wondering what the typical solution is for such a scenario?

Assume a JWT-based authentication mechanism where the user logs in, the backend generates a JWT for them, and they can then make calls to authenticated URLs using those JWTs. The JWTs can contain whatever claims they need in order to make the solution work!
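The two endpoints described in the question, with the ownership check and the public/private field split, as an added example that is not part of the original question or any answer. It assumes a stdlib-only HS256 JWT (no PyJWT), a constructed in-memory user store, and the claim name `sub` for the authenticated user's id; the key point it shows is that the caller's identity comes only from the verified token and is compared against the `{userId}` path parameter, while the profile endpoint never returns private fields regardless of who asks.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key; a real deployment loads this from a secrets store.
SECRET_KEY = b"constructed-demo-secret-do-not-use"

# Field policy: the only attributes the public profile projection may expose.
# Everything else (email, payment_info, ...) is private by default.
PUBLIC_FIELDS = frozenset({"username", "last_login", "member_since", "favorite_food"})

# Constructed in-memory user store standing in for the database.
USERS = {
    "42": {"username": "alice", "last_login": "2024-01-02T10:00:00Z",
           "member_since": "2019-05-01", "favorite_food": "ramen",
           "email": "alice@example.com", "payment_info": "card-token-A"},
    "77": {"username": "bob", "last_login": "2024-01-03T08:30:00Z",
           "member_since": "2021-11-15", "favorite_food": "tacos",
           "email": "bob@example.com", "payment_info": "card-token-B"},
}


class Unauthorized(Exception):
    """Maps to HTTP 401: no valid token presented."""


class Forbidden(Exception):
    """Maps to HTTP 403: valid token, but the caller does not own the resource."""


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, ttl: int = 3600, now: Optional[float] = None) -> str:
    """Mint an HS256 JWT whose `sub` claim is the authenticated user's id (done at login)."""
    now = time.time() if now is None else now
    header = json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode()
    claims = json.dumps({"sub": user_id, "iat": int(now), "exp": int(now) + ttl},
                        separators=(",", ":")).encode()
    signing_input = _b64url(header) + "." + _b64url(claims)
    sig = hmac.new(SECRET_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, now: Optional[float] = None) -> dict:
    """Return the claims of a token whose signature and expiry check out; raise Unauthorized otherwise."""
    now = time.time() if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(claims_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:
        raise Unauthorized("malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise Unauthorized("malformed token")
    # Pin the algorithm server-side: the token header never gets to choose (rejects alg=none).
    if header.get("alg") != "HS256":
        raise Unauthorized("unexpected alg")
    expected = hmac.new(SECRET_KEY, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise Unauthorized("bad signature")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise Unauthorized("token expired")
    if not isinstance(claims.get("sub"), str):
        raise Unauthorized("missing sub")
    return claims


def _require_owner(claims: dict, user_id: str) -> None:
    """Object-level check: caller identity comes from the verified token, never from the request body."""
    if claims["sub"] != user_id:
        raise Forbidden(f"user {claims['sub']} may not act on user {user_id}")


def get_profile(token: str, user_id: str) -> dict:
    """GET /users/{userId}/profile: any authenticated user may read, but only the public projection."""
    verify_token(token)
    record = USERS.get(user_id)
    if record is None:
        raise KeyError(user_id)
    return {k: v for k, v in record.items() if k in PUBLIC_FIELDS}


def put_email(token: str, user_id: str, new_email: str) -> dict:
    """PUT /users/{userId}/email: only the owner of userId may write."""
    claims = verify_token(token)
    _require_owner(claims, user_id)
    record = USERS[user_id]
    record["email"] = new_email
    return {"email": record["email"]}
```

Two design choices worth noting: the public profile is built as a whitelist projection, so a new sensitive column added to the record later is private until someone deliberately adds it to `PUBLIC_FIELDS`; and the ownership check is a small helper called by every write endpoint rather than logic each handler re-derives, so a forgotten check shows up as a missing call in review.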