← Back to Baseline

MB-R094

Authorization checks on custom controllers and APIs

C03 Secure Coding Practices High

Custom controllers, REST routes, GraphQL resolvers, and admin actions must enforce authorization before exposing account, order, customer, or configuration data. Missing ACL checks create broken access control vulnerabilities that can leak sensitive data or permit unauthorized state changes. Validate use of Magento ACL resources, customer ownership checks, and explicit authorization guards.

Why it Matters

Custom Magento controllers, REST routes, GraphQL resolvers, and admin actions can accidentally expose sensitive data when they rely only on hidden UI links or route obscurity. Attackers can call endpoints directly.

Explicit authorization checks ensure that only allowed users, roles, or customers can read data or change state.

Verification Steps

Route and controller review

grep -RIE "class .*Controller|webapi.xml|schema.graphqls" app/code 2>/dev/null
# Check for ACL, customer session, ownership, or authorization guard usage

Direct request test

# Call endpoint as anonymous user, wrong customer, and low-privilege admin
# Expected: denied unless explicitly authorized

Remediation / Fix Guidance

  1. Add ACL resources for admin controllers and web APIs.
  2. Check customer authentication and ownership before returning customer/order/cart data.
  3. Deny by default when authorization context is missing.
  4. Add integration tests for anonymous, wrong-user, and authorized-user cases.
  5. Review custom modules whenever new endpoints are introduced.

Examples

Fail Example
public function execute() {
    return $this->json($this->orderRepository->get($orderId));
}
# No auth or ownership check → FAIL
Pass Example
if (!$this->authorization->isAllowed("Vendor_Module::orders")) {
    return $this->deny();
}
# Authorization checked before data access → PASS

References