# Improper Privilege Management (CWE-269)

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

- Prevalence: High (frequently exploited)
- Impact: High (2 high-severity rules)
- Prevention: Documented (2 fix examples)

**OWASP:** Broken Access Control (A01:2021-Broken Access Control) - #1

## Description

When privileges are not properly managed, users may gain access to resources or functionality they should not have. This includes privilege escalation and improper role assignment.

## Prevention

### Python

- Create users with least-privilege defaults and require explicit admin action for privilege elevation.
- Use permission decorators to verify user roles before any privilege modification.

## Warning Signs

- [HIGH] User creation flows that assign elevated privileges by default
- [HIGH] Privileged operations like role modification without verifying user permissions

## Consequences

- Gain privileges
- Read application data
- Modify application data

## Mitigations

- Apply the principle of least privilege
- Audit user privileges regularly
- Use role-based access control (RBAC)

## Detection

- Total rules: 2
- Languages: python

## Rules by Language

### Python (2 rules)

- **Default Privilege Assignment in User Creation** [HIGH]: Detects user creation flows that assign elevated privileges by default.
  - Remediation: Default user creation to unprivileged (is_staff=False).

  ```python
  from django.contrib.auth.models import User
  User.objects.create_user(username=data['username'], password=data['password'])  # is_staff/is_superuser stay False; elevate only by explicit admin action
  ```

  Learn more: https://shoulder.dev/learn/python/cwe-269/default-privilege-assignment

- **Missing Role/Permission Checks** [HIGH]: Detects privileged operations like role modification without verifying user permissions.
  - Remediation: Use permission decorators to verify user roles before privileged operations.

  ```python
  from django.contrib.auth.decorators import permission_required

  @permission_required('auth.change_user', raise_exception=True)
  def promote_user(request, user_id):
      # Only users holding auth.change_user reach here; raise_exception=True returns 403 instead of redirecting to login
      ...
  ```

  Learn more: https://shoulder.dev/learn/python/cwe-269/privilege-escalation
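The two Python rules above (unprivileged defaults at user creation, and a permission check before any role change), as an added example that is not part of the original page or the shoulder.dev rule set. It is plain Python with constructed stand-ins (`User`, `Request`, `UserStore`, `permission_required`, `PermissionDenied`) for the Django objects the rules mention, so it runs without Django; each warning sign sits beside its remediation.

```python
from dataclasses import dataclass, field
from functools import wraps


class PermissionDenied(Exception):
    """Raised when the caller lacks the permission a privileged operation requires."""


@dataclass
class User:
    """Constructed stand-in for a framework user record (not Django's model)."""
    username: str
    is_staff: bool = False                       # unprivileged by default
    permissions: set = field(default_factory=set)

    def has_perm(self, perm: str) -> bool:
        return perm in self.permissions


@dataclass
class Request:
    """Constructed stand-in for a request carrying the authenticated caller."""
    user: User


class UserStore:
    """In-memory stand-in for User.objects."""

    def __init__(self) -> None:
        self._users = {}

    # Warning sign: elevated privileges assigned by default at creation.
    def create_user_insecure(self, data: dict) -> User:
        user = User(username=data["username"], is_staff=True)  # every new account is staff
        self._users[user.username] = user
        return user

    # Remediation: default to unprivileged; privilege fields in caller data are ignored.
    def create_user(self, data: dict) -> User:
        user = User(username=data["username"])                  # is_staff stays False
        self._users[user.username] = user
        return user

    def get(self, username: str) -> User:
        return self._users[username]


def permission_required(perm: str):
    """Constructed decorator modelled on the page's remediation (not Django's):
    refuse the call unless request.user holds `perm`."""
    def decorator(view):
        @wraps(view)
        def wrapper(request: Request, *args, **kwargs):
            if not request.user.has_perm(perm):
                raise PermissionDenied(f"{request.user.username} lacks {perm}")
            return view(request, *args, **kwargs)
        return wrapper
    return decorator


# Warning sign: role modification with no check on who is calling.
def promote_user_unchecked(request: Request, store: UserStore, username: str) -> User:
    target = store.get(username)
    target.is_staff = True
    return target


# Remediation: the decorator runs first, so only permitted callers reach the body.
@permission_required("auth.change_user")
def promote_user(request: Request, store: UserStore, username: str) -> User:
    target = store.get(username)
    target.is_staff = True
    return target


def run_scenario() -> dict:
    """Exercise both warning signs and both remediations; return the observed outcomes."""
    store = UserStore()
    admin = store.create_user({"username": "admin"})
    admin.permissions.add("auth.change_user")        # explicit admin action, not a default
    alice = store.create_user({"username": "alice", "is_staff": True})  # caller-supplied flag ignored
    legacy = UserStore().create_user_insecure({"username": "bob"})

    outcome = {
        "insecure_default_is_staff": legacy.is_staff,
        "secure_default_is_staff": alice.is_staff,
    }
    # Without a check, a caller holding no permission can change roles.
    outcome["unchecked_promotion"] = promote_user_unchecked(Request(alice), store, "alice").is_staff
    alice.is_staff = False
    try:
        promote_user(Request(alice), store, "alice")
        outcome["checked_promotion_by_unprivileged"] = "allowed"
    except PermissionDenied:
        outcome["checked_promotion_by_unprivileged"] = "denied"
    outcome["checked_promotion_by_admin"] = promote_user(Request(admin), store, "alice").is_staff
    return outcome


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Running the script prints the five outcomes; the decorator is the single choke point a reviewer looks for on every role-changing view, and the store's `create_user` is where a reviewer checks that no request-supplied field can set `is_staff`.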