The function level access control is the type of access control that prevents the calling of functions by anonymous or unauthorized users. The lack of this kind of control is the seventh most critical security issue in Web applications according to OWASP.
In this recipe, we will see some recommendations to improve the access control of our applications at the function level.
Ensure that the workflow's privileges are correctly checked at every step.
Deny all access by default and then allow tasks after an explicit verification of authorization.
Users, roles, and authorizations should be stored in a flexible media, such as a database or a configuration file. Do not hardcode them.
Again, "Security through obscurity" is not a good posture to take.