
Broken Authorization in Apex


Apex can run in system context, where the current user’s permissions are not taken into account; classes declared with the without sharing keyword run this way in order to ensure that sharing rules are not enforced.

You can enforce these permissions in your SOQL queries by using WITH SECURITY_ENFORCED.

Field-level security

Even if the sharing rules are enabled, Apex doesn’t enforce the user’s permissions and field-level security by default.

You can enforce object-level and field-level permissions in your code by explicitly calling both the getDescribe methods and the field describe result methods that check the current user’s access permission levels.

In this way, you can verify if the current user has the necessary permissions, and only if they have sufficient permissions can you then perform a specific DML operation or a query.

For example, you can call the provided isAccessible, isCreateable, isUpdateable, or isDeletable methods to check whether the current user has the corresponding permission on a specific object or field.
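As an added example (not code from the SecureFlag page or from Salesforce), the Apex class below combines the two controls described above: WITH SECURITY_ENFORCED on the SOQL read path, and the describe-result isCreateable, isUpdateable and isDeletable checks before each DML operation, inside a with sharing class so that sharing rules also apply. Contact is the standard object; the class and method names are assumptions chosen for illustration.

```apex
// Added example, not from the original page. Runs with sharing so record
// visibility follows the running user's sharing rules; CRUD/FLS are then
// checked explicitly because Apex does not enforce them by default.
public with sharing class ContactAuthzService {

    // Read path: WITH SECURITY_ENFORCED makes the query throw a
    // System.QueryException if the user lacks read access to Contact or to
    // any of the selected fields, instead of silently returning data.
    public static List<Contact> readContacts(Id accountId) {
        return [
            SELECT Id, LastName, Email
            FROM Contact
            WHERE AccountId = :accountId
            WITH SECURITY_ENFORCED
        ];
    }

    // Create path: object-level isCreateable() plus field-level
    // isCreateable() on every field the caller is about to populate.
    public static Boolean createContact(Id accountId, String lastName, String email) {
        Schema.DescribeSObjectResult objDescribe = Schema.SObjectType.Contact;
        if (!objDescribe.isCreateable()) {
            return false;
        }
        if (!Schema.SObjectType.Contact.fields.LastName.isCreateable()
            || !Schema.SObjectType.Contact.fields.Email.isCreateable()
            || !Schema.SObjectType.Contact.fields.AccountId.isCreateable()) {
            return false;
        }
        insert new Contact(AccountId = accountId, LastName = lastName, Email = email);
        return true;
    }

    // Update path: the object must be updateable by the user AND the
    // specific field being written must be updateable (field-level security).
    public static Boolean updateEmail(Id contactId, String newEmail) {
        Schema.DescribeSObjectResult objDescribe = Schema.SObjectType.Contact;
        Schema.DescribeFieldResult emailDescribe =
            Schema.SObjectType.Contact.fields.Email;

        if (!objDescribe.isUpdateable() || !emailDescribe.isUpdateable()) {
            return false;
        }
        update new Contact(Id = contactId, Email = newEmail);
        return true;
    }

    // Delete path: isDeletable() exists only at object level, since
    // field-level security has no delete permission.
    public static Boolean deleteContact(Id contactId) {
        if (!Schema.SObjectType.Contact.isDeletable()) {
            return false;
        }
        delete new Contact(Id = contactId);
        return true;
    }
}
```

Returning false on a failed check keeps the example compact; in production code you would typically surface the denial to the caller (for example by throwing a custom exception) so that a silent no-op is not mistaken for success, and cover both the allowed and the denied branches with Apex tests that run as a user with a restricted profile or permission set.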

References

MITRE - CWE 285 - Improper Authorization

OWASP Top 10 2021 - Broken Access Control

OWASP - Authorization Cheat Sheet

Apex Developer Guide - Apex Security and Sharing