Access Control Patterns

When debugging this issue in Co-Authors-Plus plugin for WordPress, I’ve read relevant classes, functions, and hooks regarding roles and capabilities in WordPress core. That triggers my curiosity to get to know more about how to design access control for applications.

This post is not really a summary or research. It’s more a note of mine for articles I’ve collected.

As mentioned in this Wikipedia page, there are over 12 patterns. However, the most common are 3 following patterns:

• Discretionary Access Control (DAC)
• Mandatory Access control (MAC)
• Role-based Access Control (RBAC) – I will focus more on this pattern as it’s very popular in web development.

Good Articles

• Implementation for a specific case with RBAC – HR app from concept to research: https://medium.muz.li/how-to-design-access-control-system-for-saas-application-b6455c944186
• Good summary of different types of access control: https://transang.me/access-control/
• A paper giving a summary, pros, and cons of common models mentioned above https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.193.1280&rep=rep1&type=pdf
• A very good documentation from OWASP team regarding security and access control https://owasp.org/www-pdf-archive/ASDC12-Access_Control_Designs_and_Pitfalls.pdf

For the last one, there are some good things to remember:

• Give permissions to activities, not roles. For example, it should not present like this: A shop manager can edit products. It should be: A shop manager has the edit_product permission. To edit products, any user needs to have edit_product permission. This reduces errors and bring flexibility. For example, in the future, the business needs to have another role like Warehouse Staff. We just need to create this role and assign edit_product to it. The original code handles the editing product does not need to be changed.
• If we code to the role, we need to write more something like: A shop manager and a warehouse staff can edit products.
• Deny permission by default rather than accept by default.
• Never depend on untrusted data (aka provided by users).

WordPress in Specific!

WordPress follows the RBAC pattern:

• General guide (less technical) https://wordpress.org/support/article/roles-and-capabilities/
• Technical explanation and implementation https://developer.wordpress.org/plugins/users/roles-and-capabilities/
• Super deep dive and basically it covers everything I want to know https://kinsta.com/blog/wordpress-user-roles/