# Improper Privilege Management (CWE-269)

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

**Stack:** Python

- Prevalence: High, frequently exploited
- Impact: High, 2 high-severity rules
- Prevention: Documented, 2 fix examples

**OWASP:** Broken Access Control (A01:2021-Broken Access Control) - #1

## Description

When privileges are not properly managed, users may gain access to resources or functionality they should not have. This includes privilege escalation and improper role assignment.

## Prevention

### Python

- Create users with least-privilege defaults and require explicit admin action for privilege elevation.
- Use permission decorators to verify user roles before any privilege modification.

## Warning Signs

- [HIGH] User creation flows that assign elevated privileges by default
- [HIGH] Privileged operations such as role modification without verifying user permissions

## Consequences

- Gain privileges
- Read application data
- Modify application data

## Mitigations

- Enforce the principle of least privilege
- Audit user privileges regularly
- Use role-based access control (RBAC)

## Detection

- Total rules: 2
- Languages: python

## Rules by Language

### Python (2 rules)

- **Default Privilege Assignment in User Creation** [HIGH]: Detects user creation flows that assign elevated privileges by default.
  - Remediation: Default user creation to unprivileged (`is_staff=False`).

    ```python
    from django.contrib.auth.models import User
    User.objects.create_user(username=data['username'], password=data['password'])
    ```

  - Learn more: https://shoulder.dev/learn/python/cwe-269/default-privilege-assignment

- **Missing Role/Permission Checks** [HIGH]: Detects privileged operations such as role modification without verifying user permissions.
  - Remediation: Use permission decorators to verify user roles before privileged operations.

    ```python
    from django.contrib.auth.decorators import permission_required

    @permission_required('auth.change_user', raise_exception=True)
    def promote_user(request, user_id):
        # Only callers holding auth.change_user reach here; others get HTTP 403
        ...
    ```

  - Learn more: https://shoulder.dev/learn/python/cwe-269/privilege-escalation
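Both rules side by side, as an added framework-free example that is not from the page or the shoulder.dev rule set: a signup flow that copies a privilege flag from the request body next to its least-privilege counterpart, and a role change gated on an explicit permission check in the spirit of `permission_required`. The `User`, `PermissionDenied`, `create_user_unsafe`, `create_user_safe` and `promote_user` names are assumed for illustration.

```python
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    """Raised when the acting user lacks the permission a privileged operation needs."""


@dataclass
class User:
    username: str
    is_staff: bool = False               # least-privilege default
    perms: set = field(default_factory=set)

    def has_perm(self, perm: str) -> bool:
        return perm in self.perms


def create_user_unsafe(data: dict) -> User:
    # Warning sign 1: the privilege flag is read straight from the request body,
    # so a self-registration request can simply ask for is_staff=True.
    return User(username=data["username"], is_staff=data.get("is_staff", False))


def create_user_safe(data: dict) -> User:
    # Hardened: only the fields a new account may set are read; is_staff keeps
    # its unprivileged default regardless of what the request sends.
    return User(username=data["username"])


def promote_user(actor: User, target: User) -> User:
    # Warning sign 2 fixed: the role change is gated on an explicit permission
    # check, the same guard @permission_required('auth.change_user') provides.
    if not actor.has_perm("auth.change_user"):
        raise PermissionDenied("auth.change_user required")
    target.is_staff = True
    return target


if __name__ == "__main__":
    signup = {"username": "mallory", "is_staff": True}   # constructed request body
    print(create_user_unsafe(signup).is_staff)           # True: escalation at signup
    print(create_user_safe(signup).is_staff)             # False
```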