



Full Access with Errors


Classification Key : Core Security, Information Disclosure

Problem

Some user interfaces offer different options depending on the privilege level of the user. The designer of such an interface faces a dilemma: revealing the complete interface can be a problem because the user may not have the rights to invoke all of its functionality, and the user's access rights might not even be known in advance (for example, before the user has authenticated). The problem generalizes to any interface with multiple modes of use, such as different access rights. How do you present available functionality when part of it may be inaccessible to the current user?

Solution

Design the application so that every user sees everything the application offers, regardless of privilege. When a user invokes an operation, check at that moment whether it is permitted; if it is not, refuse it and report an error. The check belongs at the point where the operation is executed (the policy enforcement point), not in the interface: a hidden or greyed-out control is not an access control, and a client that bypasses the interface must still be refused. Because the complete interface is public by design, the information disclosure to manage is in the error itself: a refusal should say that the operation is not permitted (or that authentication is required), not which roles or accounts would be permitted. If the mere existence of privileged functions is itself sensitive, this pattern is the wrong choice and Limited Access should be used instead.
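The following is an added illustration of the pattern, not code from the catalog or from any product it mentions. It models a small shop in Python: the menu is identical for every principal (full access), and authorization is checked only when an operation is invoked, with a uniform error that does not reveal which roles would have sufficed. The policy table, the `Principal` and `Application` classes and the operation names are all constructed for this example; the check-out case mirrors the Known Use below, where an anonymous visitor can browse and fill a cart but must authenticate to check out.

```python
"""Full Access with Errors: every operation is visible to every user, and
authorization is enforced when the operation is invoked, not when the menu
is rendered. Everything here is a constructed example (assumption)."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet

# Constructed sample policy (assumption): operation name -> roles that may invoke it.
# Operations missing from this table are denied to everyone (default deny).
POLICY: Dict[str, FrozenSet[str]] = {
    "browse_catalog": frozenset({"anonymous", "customer", "admin"}),
    "add_to_cart":    frozenset({"anonymous", "customer", "admin"}),
    "checkout":       frozenset({"customer", "admin"}),
    "refund_order":   frozenset({"admin"}),
}


@dataclass(frozen=True)
class Principal:
    name: str
    roles: FrozenSet[str]


# An unauthenticated visitor. Its rights are not known in advance, so the
# interface is rendered in full and the decision is deferred to invocation.
ANONYMOUS = Principal("anonymous", frozenset({"anonymous"}))


class NotAuthorized(Exception):
    """Raised at invocation time. The text is deliberately uniform: it says
    the operation is refused (or that sign-in is needed), never which roles
    would have been sufficient."""


class Application:
    def __init__(self, policy: Dict[str, FrozenSet[str]]) -> None:
        self._policy = policy
        self._ops: Dict[str, Callable[..., str]] = {}

    def operation(self, name: str):
        """Decorator registering a callable under an operation name."""
        def register(fn: Callable[..., str]) -> Callable[..., str]:
            self._ops[name] = fn
            return fn
        return register

    def menu(self, principal: Principal) -> list:
        # Full Access: the menu does not depend on who is asking.
        return sorted(self._ops)

    def invoke(self, principal: Principal, name: str, *args) -> str:
        # The policy enforcement point: consulted on every call, even for
        # operations the menu already showed. Missing policy entry = deny.
        allowed = self._policy.get(name, frozenset())
        if not (principal.roles & allowed):
            if principal is ANONYMOUS:
                raise NotAuthorized("authentication required")
            raise NotAuthorized("operation not permitted")
        return self._ops[name](principal, *args)


app = Application(POLICY)


@app.operation("browse_catalog")
def browse_catalog(p: Principal) -> str:
    return "catalog"


@app.operation("add_to_cart")
def add_to_cart(p: Principal, item: str) -> str:
    return f"{item} in cart"


@app.operation("checkout")
def checkout(p: Principal) -> str:
    return f"order placed for {p.name}"


@app.operation("refund_order")
def refund_order(p: Principal, order_id: str) -> str:
    return f"refund {order_id}"


@app.operation("debug_dump")          # visible in the menu, but absent from POLICY
def debug_dump(p: Principal) -> str:
    return "internal state"


def try_invoke(principal: Principal, name: str, *args) -> str:
    """What the interface would display: the result, or the error text."""
    try:
        return app.invoke(principal, name, *args)
    except NotAuthorized as exc:
        return f"error: {exc}"


if __name__ == "__main__":
    alice = Principal("alice", frozenset({"customer"}))
    print(app.menu(ANONYMOUS))                         # same list for everyone
    print(try_invoke(ANONYMOUS, "checkout"))           # error: authentication required
    print(try_invoke(alice, "checkout"))               # order placed for alice
    print(try_invoke(alice, "refund_order", "o-1"))    # error: operation not permitted
```

Two details matter in practice. First, `invoke` never consults the menu: the authorization decision is made from the policy alone, so a client that calls an operation directly (or replays a request for one the menu showed) gets the same refusal as one that clicked on it. Second, `debug_dump` shows why the policy lookup must default to deny: an operation that is registered but has no policy entry is refused even to an administrator, rather than silently exposed because someone forgot to list it.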

Known Uses

Amazon lets any visitor browse the full catalogue and every shopping option without signing in; authentication is required only at check-out.

Related Patterns

Limited Access, Policy Enforcement Point, Security Session

Source

Wiley Book

Tags

Access Control, User Interface, Authentication



Last modified: May 05, 2012

Conceived and Maintained by: Munawar Hafiz