Permission and Authorization Bugs

Admin Page Accessible by Direct URL

An admin-only page is hidden from the navigation for normal users, but the route itself has no server-side authorization. A non-admin who navigates directly to the admin URL can load the page and, often, perform admin actions — because access control was applied to the menu, not the route or its APIs.

Critical · Beginner · Security testing · Manual testing · API testing

// UNDERSTAND

// Symptoms

  • A normal user who types the admin URL directly sees the admin page
  • The admin link is hidden in the menu but the page still renders for non-admins
  • Admin API calls succeed when replayed by a non-admin user
  • Only the front-end route guard exists; refreshing or deep-linking bypasses it

// Root Cause

  • Authorization is enforced by hiding the navigation link, not by guarding the route
  • Client-side route guards only — no server-side role check on the page data or APIs
  • Admin endpoints assume the caller is an admin because the UI is admin-only
  • Role checks missing on individual admin actions

// Where It Appears

  • Admin dashboards and back-office tools
  • Settings, user-management and billing pages
  • Feature-flag and configuration screens
  • Any route shown conditionally based on role

// REPRODUCE & TEST

// How to Reproduce

  1. Log in as a normal (non-admin) test user
  2. Navigate directly to a known admin URL (e.g. /admin or /settings/users)
  3. Confirm whether the page loads and renders admin data
  4. Attempt an admin action and capture the API request
  5. Replay the admin API request with the non-admin token and confirm whether it succeeds

// Test Data Needed

  • A normal user account and knowledge of an admin route
  • An admin account (to learn the admin URL and API shape in scope)
  • Browser developer tools or an API client to replay requests

// Manual Testing Ideas

  • Deep-link to admin routes as a non-admin and after a page refresh
  • Replay an admin action's API request with a non-admin token
  • Downgrade a user from admin to normal and confirm admin routes stop working immediately
  • Check that both the page data and each action enforce the role server-side

// API Testing Ideas

  • Call each admin endpoint with a normal-user token and assert 403
  • Call admin endpoints with no token and assert 401
  • Confirm a former admin's token cannot reach admin endpoints after a role change

// Automation Idea

Maintain an inventory of admin routes/endpoints together with a non-admin token, and automate a check that every one of them returns 403 for the non-admin and 401 with no token at all (a 200, a redirect to the page data, or an empty-but-successful response all count as failures). Run it in CI on every release; broken access control regressions are cheap to catch this way and expensive to miss.
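The following is an added example, not code from the original page or from any product it describes. It ties the Root Cause section to the Automation Idea: a tiny in-process HTTP app serves one admin route that trusts the hidden menu link (the bug), two routes that enforce the role on the server for both page data and an action (the fix), and a release-time check replays every inventoried admin route anonymously and as a non-admin, returning whichever routes fail to answer 401/403. The token table, route list and user data are constructed for the demo; a real app would resolve a session or JWT instead of the `TOKENS` dict.

```python
"""Added example: server-side role enforcement beside the unguarded route,
plus the admin-route regression check. Tokens and routes are constructed."""
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed bearer tokens -> role. The role is looked up on every request,
# so downgrading a user takes effect immediately rather than at next login.
TOKENS = {"tok-admin": "admin", "tok-user": "user"}


def role_of(headers):
    """None when unauthenticated or the token is unknown, else the role."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return TOKENS.get(auth[len("Bearer "):])


class AdminApp(BaseHTTPRequestHandler):
    def _send(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def _require_role(self, role):
        """Server-side guard: 401 without a valid token, 403 for the wrong role."""
        actual = role_of(self.headers)
        if actual is None:
            self._send(401, {"error": "unauthenticated"})
            return False
        if actual != role:
            self._send(403, {"error": "forbidden"})
            return False
        return True

    def do_GET(self):
        if self.path == "/admin/users":
            # BUG: no check at all. The UI hides the link for non-admins and
            # this handler assumes that is enough, so anyone can load the list.
            self._send(200, {"users": ["alice", "bob"]})
        elif self.path == "/admin/settings":
            # FIX: the page data itself enforces the role.
            if self._require_role("admin"):
                self._send(200, {"flags": {"beta": True}})
        else:
            self._send(404, {"error": "not found"})

    def do_DELETE(self):
        if self.path.startswith("/admin/users/"):
            # FIX: every admin action checks the role, not only the page.
            if self._require_role("admin"):
                self._send(200, {"deleted": self.path.rsplit("/", 1)[1]})
        else:
            self._send(404, {"error": "not found"})

    def log_message(self, *args):  # keep the demo quiet
        pass


def status_for(port, method, path, token=None):
    """Replay one request with the given token and return the status code."""
    headers = {"Authorization": "Bearer " + token} if token else {}
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request(method, path, headers=headers)
        return conn.getresponse().status
    finally:
        conn.close()


# The admin-route inventory a team keeps next to this check (constructed).
ADMIN_ROUTES = [("GET", "/admin/users"), ("GET", "/admin/settings"),
                ("DELETE", "/admin/users/bob")]


def find_unguarded(port, routes, non_admin_token):
    """Each route must be 401 anonymously and 403 for a non-admin; anything
    else is a regression. Returns the offending (method, path, token, status)."""
    bad = []
    for method, path in routes:
        for token, expected in ((None, 401), (non_admin_token, 403)):
            code = status_for(port, method, path, token)
            if code != expected:
                bad.append((method, path, token, code))
    return bad


def run_demo():
    server = HTTPServer(("127.0.0.1", 0), AdminApp)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_port
    try:
        result = {"unguarded": find_unguarded(port, ADMIN_ROUTES, "tok-user")}
        # A role change must bite at once: admin succeeds, then is downgraded.
        result["admin_before"] = status_for(port, "GET", "/admin/settings", "tok-admin")
        TOKENS["tok-admin"] = "user"
        result["admin_after_downgrade"] = status_for(port, "GET", "/admin/settings", "tok-admin")
        TOKENS["tok-admin"] = "admin"
        return result
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_demo())
```

Run as a script, the check reports only `/admin/users` as unguarded (both anonymously and with the non-admin token) while the guarded routes answer 401/403, and the downgraded admin token is refused on the next request. In a real pipeline `ADMIN_ROUTES` would be generated from the router or OpenAPI spec rather than typed by hand, so a newly added admin endpoint cannot silently escape the check.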

// Expected Result

Admin pages and APIs enforce the admin role on the server for both the page data and every individual action. A non-admin who deep-links to an admin route is refused (403 when authenticated, 401 when no valid token is presented) or redirected away, regardless of what the navigation shows.

// Actual Result (Example)

A normal user opens /admin/users directly and the page loads with the full user list; replaying the delete-user request with their token returns 200.

// REPORT IT

Example Bug Report

Title
Non-admin can open /admin/users by direct URL and call admin APIs
Severity
Critical
Environment
Staging · build 2026.06.03 · Chrome 126
Steps to Reproduce
  1. Log in as a normal (non-admin) user
  2. Navigate directly to /admin/users
  3. Replay the user-list and delete-user API requests with the non-admin token
Expected Result
The route and APIs return 401/403 for a non-admin.
Actual Result
The page renders the full user list and the admin API requests return 200.
Impact
Any authenticated user can reach admin functionality and perform privileged actions — a critical broken-access-control issue.

// RELATED