Rules Hub

Coding Rules Library

← Back to all rules

Rule priority, scope & exceptions

Use this to align rules with the senior-level structure (P0/P1/P2, scope, exceptions/tradeoffs).

PriorityP0 — correctness, security, data loss, prod-impactingScopeUniversal — language-agnostic, broadly applicable

Exceptions / tradeoffs (EN)Iznimke / tradeoffi (HR)

backend ruleP0universalStack: node

securityauthzrolesbflaowasp-api-top10

Enforce function-level authorization (BFLA) with deny-by-default

Every endpoint must check role/permission for the action; do not rely on URL conventions to separate admin vs user functions.

Created: Feb 10, 2026

Bad example

Old codets

1	`app.post('/invites/new', async (req, res) => {`
2	`// BAD: no admin check`
3	`const invite = await db.invite.create({ data: { email: req.body.email, role: req.body.role } });`
4	`res.json(invite);`
5	`});`
6
7	`app.get('/users/all', async (req, res) => {`
8	`// BAD: exposed administrative listing`
9	`const users = await db.user.findMany();`
10	`res.json(users);`
11	`});`

Explanation (EN)

If privileged endpoints lack role/permission checks, regular users can call them directly, guess URLs, or switch HTTP methods to perform unauthorized actions.

Objašnjenje (HR)

Ako privilegirani endpoint-i nemaju role/permission provjere, obični korisnici ih mogu zvati direktno, pogađati URL-ove ili mijenjati HTTP metode za neautorizirane akcije.

Good example

New codets

1	`function requireRole(role: 'admin' \| 'staff') {`
2	`return (req, res, next) => {`
3	`if (!req.auth?.roles?.includes(role)) return res.status(403).json({ message: 'Forbidden' });`
4	`next();`
5	`};`
6	`}`
7
8	`app.post('/invites/new', requireRole('admin'), async (req, res) => {`
9	`const invite = await db.invite.create({ data: { email: req.body.email, role: req.body.role } });`
10	`res.json(invite);`
11	`});`
12
13	`app.get('/users/all', requireRole('admin'), async (req, res) => {`
14	`const users = await db.user.findMany({ select: { id: true, email: true, createdAt: true } });`
15	`res.json(users);`
16	`});`

Explanation (EN)

Centralize authorization and apply it to every endpoint. Deny by default and require explicit grants for each privileged action.

Objašnjenje (HR)

Centraliziraj autorizaciju i primijeni je na svaki endpoint. Deny by default i zahtijevaj eksplicitne dozvole za svaku privilegiranu akciju.

Notes (EN)

Do not assume an endpoint is admin-only based on path. Ensure regular controllers cannot perform admin actions without checks. Consider policy-based access control (RBAC/ABAC) and consistent middleware.

Bilješke (HR)

Nemoj pretpostaviti da je endpoint admin-only na temelju patha. Osiguraj da regular controller ne može raditi admin akcije bez provjera. Razmisli o policy-based kontroli pristupa (RBAC/ABAC) i konzistentnom middlewareu.

Login required