Back to Security Pattern Catalog
Full Access with Errors
: Core Security, Information Disclosure
Some user interfaces offer different options based on the privilege level of the user. The designer of such a user interface faces the challenge that the revelation of the complete interface can cause a problem because the user may not have rights to invoke all functionality. Even the access rights might not be known in advance. This problem generalizes to any interface you design whenever there are multiple modes of usage, such as different access rights.
How do you present available functionality that might be partially inaccessible?
Design the application so users see everything that is available to them. When a user performs an operation, check if it is allowed. Generate error notifications if they try to access unauthorized operations.
Amazon lets the surfers view all the options. Authentication is required only before check-out.
Limited Access, Policy Enforcement Point, Security Session
Access Control, User Interface, Authentication
Last modified: May 05, 2012
and Maintained by: Munawar Hafiz