Webapp security: Different DB permissions for different requests

When a GET hits your server, your RESTful webapp should not alter the database. Why not enforce this at the permissions level?

GET should only be able to SELECT rows, and POST should be able to SELECT, UPDATE, and INSERT. (DELETE is up to your discretion. I prefer to flag rows for deletion and periodically run a script to archive or remove these rows.) Now, I'm sure you intend to follow this rule in your own webapp, but security isn't about intention. Let's make it impossible for a request to violate this rule!

$db_login = array(
	'GET' => array('webapp-view', 'pw-for-modifying'),
	'POST' => array('webapp-mod', 'pw-for-editing')
);

list($db_username, $db_auth) = $db_login[strtoupper($_SERVER['REQUEST_METHOD'])];

You might prefer to implement this using a switch-case block or some other technique, especially if you also allow HEAD, TRACE, DELETE, or PUT. But no matter how you implement it, laziness is no reason not to be using this in your webapp! It's just too easy.


Responses: 4 so far

  1. Cairnarvon says:

    Why not enforce this at the permissions level?

    Because it's a waste of time? I hope you don't think forcing the distinction between GET and POST passes for any kind of input validation.

    All you're really doing is adding a roadblock for yourself as a developer. One you generally shouldn't be running into if you're being consistent in your implementation, but one that's completely unnecessary when you do run into it.
    At best, this falls under "enforcing design principles purely for the sake of design principles". Very ENTERPRISE READY.

  2. Tim McCormack says:

    @Cairnarvon: I take it you have a similarly low opinion of assertions, preconditions, postconditions, and other design-by-contract mechanisms? Ever read up on CSRF? And did you know that you're not logged into your site anymore?

  3. Cairnarvon says:

    There's a good way to do design by contract, a lot of bad ways, and a huge number of meaningless ways. This would be an example of a meaningless way.

    And trust me, I know more about CSRF than you do, if you think it's harder to use POST than GET with it.

  4. Tim McCormack says:

    Don't be daft. Of course it's harder to use POST than GET. I know that forms can be auto-submitted in iframes, but it's easier to set up a CSS background-image-based attack in forums and other areas that get a lot more traffic. So yeah, from a layered security standpoint, it is advantageous to add these couple lines of code.