Quiz Entry - updated: 2026.06.20
What is wrong with this authorization code?
@app.route('/<role>/dashboard')
def dashboard(role):
if role == 'admin':
return render_template('admin_dashboard.html')
elif role == 'user':
return render_template('user_dashboard.html')
else:
return "Invalid role!"
It takes the role straight from the URL path, so anyone can become admin just by browsing to /admin/dashboard — the role must come from the authenticated session, never from user input.
The role comes from the URL (user input), not from the authenticated session.
Attack: Any user can access admin dashboard by visiting:
/admin/dashboard
Fix:
@app.route('/dashboard')
def dashboard():
# Get role from authenticated session, not URL
role = session.get('user_role')
if role == 'admin':
return render_template('admin_dashboard.html')
elif role == 'user':
return render_template('user_dashboard.html')
else:
return "Unauthorized", 403
Rule: Never trust user input for authorization decisions. Always use server-side session data.