LOGBOOK

HELP

Quiz Entry - updated: 2026.06.20

What is wrong with this authorization code?

@app.route('/<role>/dashboard')
def dashboard(role):
    if role == 'admin':
        return render_template('admin_dashboard.html')
    elif role == 'user':
        return render_template('user_dashboard.html')
    else:
        return "Invalid role!"

It takes the role straight from the URL path, so anyone can become admin just by browsing to /admin/dashboard — the role must come from the authenticated session, never from user input.

The role comes from the URL (user input), not from the authenticated session.

Attack: Any user can access admin dashboard by visiting: /admin/dashboard

Fix:

@app.route('/dashboard')
def dashboard():
    # Get role from authenticated session, not URL
    role = session.get('user_role')
    if role == 'admin':
        return render_template('admin_dashboard.html')
    elif role == 'user':
        return render_template('user_dashboard.html')
    else:
        return "Unauthorized", 403

Rule: Never trust user input for authorization decisions. Always use server-side session data.

From Quiz: SPRG / Authorization | Updated: Jun 20, 2026