Engineering

Authorization Review Prompt

Hunt the broken-access-control bug — review code for missing per-resource checks, IDOR, and 'logged in' mistaken for 'allowed', the vulnerability class that tops the OWASP list.

Overview

Broken access control is the most common serious web vulnerability, and a generic review skims past it because the code looks fine — it authenticates, it just doesn't authorize. This prompt reviews specifically for authorization: is every object access checked against the caller's permissions, not just their login? Can a user reach another user's record by changing an ID? It finds the per-resource check that isn't there.

Why This Works

Broken access control is OWASP #1; a dedicated lens catches what generic review misses
IDOR hides in code that authenticates correctly but never authorizes
Checking API-level (not UI) enforcement catches the most common real bypass

Best for

Apps with multi-user data and per-record access
Code that handles other users' or tenants' data
Pre-release review of authorization-sensitive paths

Not for

Designing the access model — use the RBAC Design Prompt
Broad security review — use the Security Code Review Prompt

Use cases

Reviewing endpoints for missing object-level authorization
Hunting IDOR before a release
Checking that API authorization isn't enforced only in the UI

Customize This Resource

Opens this resource in the related tool with the fields pre-filled. Customize role, tone, and behavior rules — then generate your prompt.

Prompt Template

ROLE
You are reviewing code specifically for broken access control — not general security, just authorization.

INPUT
[Paste the code: routes, controllers, data-access, and any auth middleware]

REVIEW FOR AUTHORIZATION FLAWS
1. PER-RESOURCE CHECKS: for every operation on an object, is the caller's permission to THAT object checked — not just that they're logged in?
2. IDOR: can a user reach another user's data by changing an ID, slug, or key in the request?
3. AUTHENTICATED ≠ AUTHORIZED: anywhere 'is logged in' is used where 'is allowed to do this' is required.
4. MISSING CHECKS: endpoints, mutations, or admin operations with no authorization at all.
5. CLIENT-SIDE TRUST: authorization enforced only in the UI, bypassable by calling the API directly.
6. SCOPE LEAKS: list/search endpoints that return records the caller shouldn't see.

SEVERITY
Tag findings [CRITICAL]/[MAJOR]/[MINOR]. Missing object-level authorization and IDOR are CRITICAL.

OUTPUT
Findings grouped by severity, each citing the exact location and the access it wrongly allows. Findings only — do not rewrite the code.

Related Resources

Explore more resources that work well with this one.

Related Tools

Code Review Prompt Generator

Used in Playbooks

Complete workflows that include this resource as a step.

AI Auth & Identity Workflow Workflow · 4 steps

Tip: Save time by exploring related resources and tools that integrate with this workflow.

Explore all resources