MB-R094
Custom controllers, REST routes, GraphQL resolvers, and admin actions must enforce authorization before exposing account, order, customer, or configuration data. Missing ACL checks create broken access control vulnerabilities that can leak sensitive data or permit unauthorized state changes. Validate use of Magento ACL resources, customer ownership checks, and explicit authorization guards.
Custom Magento controllers, REST routes, GraphQL resolvers, and admin actions can accidentally expose sensitive data when they rely only on hidden UI links or route obscurity. Attackers can call endpoints directly.
Explicit authorization checks ensure that only allowed users, roles, or customers can read data or change state.
grep -RIE "class .*Controller|webapi.xml|schema.graphqls" app/code 2>/dev/null
# Check for ACL, customer session, ownership, or authorization guard usage
# Call endpoint as anonymous user, wrong customer, and low-privilege admin
# Expected: denied unless explicitly authorized
public function execute() {
return $this->json($this->orderRepository->get($orderId));
}
# No auth or ownership check → FAIL
if (!$this->authorization->isAllowed("Vendor_Module::orders")) {
return $this->deny();
}
# Authorization checked before data access → PASS