How will you handle Yahoo's recent authorization bug in your app?

1 points by reinwald 12 years ago · 1 comment · 1 min read


This is with reference to http://thehackernews.com/2014/05/vulnerability-in-yahoo-websites-allows.html

Authentication normally has three steps:

1. Authenticating User: username, passwd verification, i.e. a valid yahoo user
2. Authorizing Action (role based access): whether user is allowed to perform the action, i.e. user is allowed to delete comments
3. Authorizing Entity: verify user owns the entity, i.e. user is allowed to delete only his comments.

How do you handle the third step in your application?

kiritsinh 12 years ago

I think what we can do is to run static code analysis to ensure all public methods have the third level authentication written in them. However, it won't solve the problem of making mistakes in the db queries. Would love to see others' answers here if we can come up with a generic foolproof solution.
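Added example (not from either poster, and not Yahoo's code): a small Python/sqlite3 model of reinwald's three steps for a "delete comment" action, plus the point kiritsinh raises about mistakes in the db queries. `delete_comment_unsafe` performs only steps 1 and 2, so any logged-in user with the role can delete any comment by id. `delete_comment` adds step 3 twice: an explicit ownership check in code, and an `owner = ?` predicate in the DELETE itself so a forgotten check in a future edit still cannot reach another user's rows. The session tokens, role table, user names and comments are constructed sample data.

```python
import sqlite3

# Constructed sample data (assumptions, not from the thread).
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob", "tok-carol": "carol"}   # step 1 input
ROLES = {"alice": {"delete_comment"}, "bob": {"delete_comment"}, "carol": set()}  # step 2 input


class AuthError(Exception):
    pass


def make_db():
    """In-memory comments table with one comment per user."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, owner TEXT NOT NULL, body TEXT)")
    db.executemany("INSERT INTO comments VALUES (?, ?, ?)", [
        (1, "alice", "alice's comment"),
        (2, "bob", "bob's comment"),
    ])
    db.commit()
    return db


def authenticate(token):
    """Step 1: map a session token to a known user."""
    user = SESSIONS.get(token)
    if user is None:
        raise AuthError("step 1: not authenticated")
    return user


def authorize_action(user, action):
    """Step 2: role-based check that this user may perform the action at all."""
    if action not in ROLES.get(user, set()):
        raise AuthError(f"step 2: {user} may not {action}")


def delete_comment_unsafe(db, token, comment_id):
    """Steps 1 and 2 only: the bug class in the thread. Any user holding the
    role can delete ANY comment, because the id is never tied to the caller."""
    user = authenticate(token)
    authorize_action(user, "delete_comment")
    cur = db.execute("DELETE FROM comments WHERE id = ?", (comment_id,))
    db.commit()
    return cur.rowcount


def delete_comment(db, token, comment_id):
    """All three steps; ownership is enforced in code AND in the query predicate."""
    user = authenticate(token)
    authorize_action(user, "delete_comment")
    row = db.execute("SELECT owner FROM comments WHERE id = ?", (comment_id,)).fetchone()
    if row is None or row[0] != user:
        # Step 3. Same message for "missing" and "not yours", so the response
        # does not reveal which ids exist.
        raise AuthError("step 3: comment not found or not owned by caller")
    # Step 3 at the data layer too: the predicate scopes the delete to the
    # caller's own rows even if the check above is lost in a later refactor.
    cur = db.execute("DELETE FROM comments WHERE id = ? AND owner = ?", (comment_id, user))
    db.commit()
    return cur.rowcount


def try_delete(db, token, comment_id):
    """Outcome as a string instead of an exception, handy for callers and tests."""
    try:
        return f"deleted {delete_comment(db, token, comment_id)}"
    except AuthError as e:
        return f"denied ({e})"


def remaining_ids(db):
    return [r[0] for r in db.execute("SELECT id FROM comments ORDER BY id")]


if __name__ == "__main__":
    db = make_db()
    print(try_delete(db, "tok-bob", 1))      # denied (step 3 ...)
    print(try_delete(db, "tok-carol", 2))    # denied (step 2 ...)
    print(try_delete(db, "tok-alice", 1))    # deleted 1
    print(remaining_ids(db))                 # [2]
```

The query-level predicate is the part that answers kiritsinh's concern: static analysis can flag a handler that never calls an ownership check, but only the `owner = ?` clause (or an equivalent row-level policy in the database) limits the damage when a handler or query is written wrongly.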
