
Authorisation

security · PHP 7.0+ · Intermediate

Also Known As

authz, authorisation, access control, permissions check, policy, Laravel policy, Symfony voter

TL;DR

The process of determining what an authenticated user is permitted to do — checking permissions, roles, or policies before allowing access to a resource or action.

Explanation

Authorisation (authz) answers 'what can this user do?' — distinct from authentication ('who is this user?'). After a user authenticates, every protected action must check whether that user has permission.

Common authorisation models:

  • RBAC: roles with permissions assigned to users — the most common PHP pattern.
  • ABAC: attribute-based; evaluates resource, user and environment attributes together.
  • ACL: per-resource permission lists — flexible but hard to manage at scale.

In PHP frameworks: Laravel uses Gates (closure-based checks) and Policies (model-specific classes with methods such as view, create, update and delete, invoked from controller actions via $this->authorize()); Symfony uses Voters (classes implementing the VoterInterface vote() method, for granular attribute-based decisions).

The most critical authorisation rule: check on every request, and never rely on hiding UI elements as the only control — a hidden button is not an access control.

Common Misconception

Hiding a button or menu item in the UI is sufficient authorisation. UI-level hiding is cosmetic — any user can call the underlying route directly. Authorisation must be enforced server-side on every request, regardless of what the UI shows. A user who manually calls DELETE /posts/123 must be checked server-side even if the delete button was hidden from them in the frontend.

Why It Matters

Missing authorisation checks are the second most common web vulnerability (OWASP A01:2021 — Broken Access Control). A PHP controller action that fetches a resource without checking whether the authenticated user owns it allows any logged-in user to access any other user's data simply by changing the ID in the URL. This is Insecure Direct Object Reference (IDOR) — trivial to exploit, devastating in impact, and completely preventable with one authorisation check per action.

Common Mistakes

  • Checking authorisation only in the UI layer — always enforce server-side on every request.
  • Using the authenticated user's ID from user input instead of the session — always read the user ID from the session, never from POST/GET parameters.
  • Missing authorisation on API endpoints when the web routes are protected — both must be checked independently.
  • Not testing authorisation — write tests that verify a user cannot access another user's resources.

Code Examples

✗ Vulnerable

// Missing authorisation: any authenticated user can view any order.
// User 1 can request /orders/999 even though that order belongs to user 2.
class OrderController extends Controller {
    public function show(int $id): array {
        return Order::findOrFail($id)->toArray();
    }
}

✓ Fixed

// Authorisation check before returning data
class OrderController extends Controller {
    // Provides $this->authorize(); older Laravel base controllers already include this trait.
    use \Illuminate\Foundation\Auth\Access\AuthorizesRequests;

    // Route model binding resolves {order}; a missing row is still a 404.
    public function show(Order $order): array {
        // Delegates to OrderPolicy::view(); throws AuthorizationException (HTTP 403) on denial.
        $this->authorize('view', $order);
        return $order->toArray();
    }
}

// OrderPolicy
class OrderPolicy {
    public function view(User $user, Order $order): bool {
        // Owner or admin. hasRole() is not built into Laravel; it assumes a role helper on the User model.
        return $user->id === $order->user_id
            || $user->hasRole('admin');
    }
}
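The Explanation names Symfony Voters as the counterpart of Laravel Policies but the page only shows the Laravel side. The following is an added example, not code from the original page, expressing the same "owner or admin may view" rule as a Symfony Voter and calling it from a controller; the Order::getOwner(), Order::getId() and User::getRoles() accessors are assumed.

```php
<?php
// Added example, not from the original page: the "owner or admin may view" rule of the
// Laravel OrderPolicy above as a Symfony (6+) Voter. App\Entity\Order::getOwner(),
// Order::getId() and App\Entity\User::getRoles() are assumed accessors.
namespace App\Security;

use App\Entity\Order;
use App\Entity\User;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;

final class OrderVoter extends Voter
{
    public const VIEW = 'view';
    // Claim only our attribute on our entity; abstaining leaves the decision to other
    // voters, and the access decision manager denies when nobody grants.
    protected function supports(string $attribute, $subject): bool
    {
        return $attribute === self::VIEW && $subject instanceof Order;
    }

    protected function voteOnAttribute(string $attribute, $subject, TokenInterface $token): bool
    {
        // Identity comes from the security token, never from request parameters.
        $user = $token->getUser();
        if (!$user instanceof User) {
            return false; // unauthenticated or unexpected principal: deny
        }
        /** @var Order $subject */
        return $subject->getOwner() === $user
            || in_array('ROLE_ADMIN', $user->getRoles(), true);
    }
}

namespace App\Controller;

use App\Entity\Order;
use App\Security\OrderVoter;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\JsonResponse;

final class OrderController extends AbstractController
{
    public function show(Order $order): JsonResponse
    {
        // Checked on every request, before any data leaves the action; denial is HTTP 403.
        $this->denyAccessUnlessGranted(OrderVoter::VIEW, $order);
        return $this->json(['id' => $order->getId()]);
    }
}
```

Because supports() abstains for other attributes and subjects, the voter composes with any other voters registered for the same attribute name.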

Added 23 Mar 2026
Edited 5 Apr 2026
Severity

🔴 Critical · ⚙ Fix effort: Low

⚡ Quick Fix

In every controller action, call $this->authorize('view', $resource) in Laravel, or denyAccessUnlessGranted('view', $resource) in Symfony, before returning any data.

📦 Applies To

PHP 7.0+ · web · CLI
