{
    "slug": "authorization",
    "term": "Authorisation",
    "category": "security",
    "difficulty": "intermediate",
    "short": "The process of determining what an authenticated user is permitted to do — checking permissions, roles, or policies before allowing access to a resource or action.",
    "long": "Authorisation (authz) answers 'what can this user do?' — distinct from authentication ('who is this user?'). After a user authenticates, every protected action must check whether that user has permission. Authorisation models: RBAC (roles with permissions assigned to users — the most common PHP pattern); ABAC (attribute-based, evaluates resource + user + environment attributes); ACL (per-resource permission lists — flexible but hard to manage at scale). In PHP frameworks: Laravel uses Gates (closure-based checks) and Policies (model-specific classes with methods like view, create, update, delete — automatically mapped to controller actions via $this->authorize()); Symfony uses Voters (classes that implement the vote() method for granular attribute-based decisions). The most critical authorisation rule: check on every request, never rely on hiding UI elements as the only control — a hidden button is not an access control.",
    "aliases": [
        "authz",
        "authorisation",
        "access control",
        "permissions check",
        "policy",
        "Laravel policy",
        "Symfony voter"
    ],
    "tags": [
        "authorisation",
        "security",
        "rbac",
        "laravel",
        "symfony",
        "php",
        "permissions"
    ],
    "misconception": "Hiding a button or menu item in the UI is sufficient authorisation. UI-level hiding is cosmetic — any user can call the underlying route directly. Authorisation must be enforced server-side on every request, regardless of what the UI shows. A user who manually calls DELETE /posts/123 must be checked server-side even if the delete button was hidden from them in the frontend.",
    "why_it_matters": "Missing authorisation checks are the second most common web vulnerability (OWASP A01:2021 — Broken Access Control). A PHP controller action that fetches a resource without checking whether the authenticated user owns it allows any logged-in user to access any other user's data simply by changing the ID in the URL. This is Insecure Direct Object Reference (IDOR) — trivial to exploit, devastating in impact, and completely preventable with one authorisation check per action.",
    "common_mistakes": [
        "Checking authorisation only in the UI layer — always enforce server-side on every request.",
        "Using the authenticated user's ID from user input instead of the session — always read the user ID from the session, never from POST/GET parameters.",
        "Missing authorisation on API endpoints when the web routes are protected — both must be checked independently.",
        "Not testing authorisation — write tests that verify a user cannot access another user's resources."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "authentication",
        "rbac",
        "idor",
        "php_sessions"
    ],
    "prerequisites": [],
    "refs": [
        "https://laravel.com/docs/authorization",
        "https://owasp.org/Top10/A01_2021-Broken_Access_Control/"
    ],
    "bad_code": "// Missing authorisation — any user can view any order\nclass OrderController {\n    public function show(int $id): array {\n        return Order::findOrFail($id)->toArray();\n        // User 1 can access /orders/999 (belongs to user 2)\n    }\n}",
    "good_code": "// Authorisation check before returning data\nclass OrderController {\n    public function show(Order $order): array {\n        // Laravel Policy — checks order->user_id === auth()->id()\n        $this->authorize('view', $order);\n        return $order->toArray();\n    }\n}\n\n// OrderPolicy\nclass OrderPolicy {\n    public function view(User $user, Order $order): bool {\n        return $user->id === $order->user_id\n            || $user->hasRole('admin');\n    }\n}",
    "quick_fix": "In every controller action: $this->authorize('view', $resource) in Laravel, or denyAccessUnlessGranted('view', $resource) in Symfony — before returning any data",
    "severity": "critical",
    "effort": "low",
    "created": "2026-03-23",
    "updated": "2026-04-05",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/authorization",
        "html_url": "https://codeclaritylab.com/glossary/authorization",
        "json_url": "https://codeclaritylab.com/glossary/authorization.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[Authorisation](https://codeclaritylab.com/glossary/authorization) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/authorization"
            }
        }
    }
}