Rethink your roles
When discussing site security we often use words like "attacker", "malicious user" or "untrusted" to describe site visitors who may be intent on abusing resources or on stealing or altering data. Within Backdrop, visitors can achieve these goals using the permissions granted to their roles. This is the key point: we have to think of visitors in terms of what roles they have and what permissions we've granted those roles. Then, instead of just thinking about trusted vs. untrusted users, we are thinking about trusted vs. untrusted roles.
On your site, which roles are trusted and which are untrusted? What permissions have you given to those roles? What permissions have you granted to the Anonymous role and thus to anonymous visitors? As you build and add features to your site you are also widening the available points for attack. If you have allowed users to create accounts without administrator approval you should also consider what permissions you've granted the Authenticated role. Can authenticated users create content or post comments without approval?
Know the defaults
Community-contributed modules as a whole are less secure than Backdrop core, so it's especially important to be cautious about administrator permissions created by contributed modules. Role management can be burdensome, so there are modules that grant roles to users upon account creation. Know the defaults: most Security Advisories for contributed modules concern cross-site scripting vulnerabilities, which often exist on module administration screens where user-supplied data is not properly filtered. Whenever possible, apply the principle of least privilege and give roles only the permissions they absolutely need. Grant those roles appropriately based on trust and what features need to be exposed for use.
"Super-permissions"
A few Backdrop permissions should never be added to untrusted roles, as they allow or open up full control of your site. These permissions are:
- Administer filters
- Administer users
- Administer permissions
- Administer content types
- Administer site configuration
To help keep your site secure, rethink which roles are trusted and untrusted, then evaluate what roles are granted to which users.
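The review described above can be scripted. The following is an added example, not part of the original page or of Backdrop itself: it flags untrusted roles that hold any of the five super-permissions, then lists which users reach those permissions through their roles. The JSON record layout, the lower-cased permission names, the role names and the user names are assumptions constructed for the example.

```python
import json

# The five super-permissions listed on this page, lower-cased for matching.
SUPER_PERMISSIONS = {
    "administer filters", "administer users", "administer permissions",
    "administer content types", "administer site configuration",
}

# Constructed sample data. The JSON layout (name / permissions) is an assumption
# about how role records are exported, not a documented Backdrop format.
SAMPLE_ROLES = [
    '{"name": "anonymous", "permissions": ["access content"]}',
    '{"name": "authenticated", "permissions": ["post comments", "Administer filters"]}',
    '{"name": "editor", "permissions": ["create content", "administer content types"]}',
    '{"name": "administrator", "permissions": ["administer users", "administer permissions"]}',
]
# Constructed user-to-role assignments (hypothetical account names).
SAMPLE_USERS = {"alice": ["administrator"], "bob": ["authenticated", "editor"],
                "carol": ["authenticated"]}


def super_permissions_by_role(role_documents):
    """Return {role name: set of super-permissions that role grants}."""
    result = {}
    for doc in role_documents:
        role = json.loads(doc)
        granted = {p.strip().lower() for p in role.get("permissions", [])}
        result[role["name"]] = granted & SUPER_PERMISSIONS
    return result


def audit_roles(role_documents, trusted_roles):
    """List (role, permission) pairs where an untrusted role holds a super-permission."""
    by_role = super_permissions_by_role(role_documents)
    return sorted((role, perm) for role, perms in by_role.items()
                  if role not in trusted_roles for perm in perms)


def audit_users(role_documents, user_roles):
    """Return {user: sorted super-permissions reached through any of their roles}."""
    by_role = super_permissions_by_role(role_documents)
    report = {}
    for user, roles in user_roles.items():
        held = set().union(*(by_role.get(r, set()) for r in roles))
        if held:
            report[user] = sorted(held)
    return report


if __name__ == "__main__":
    for role, perm in audit_roles(SAMPLE_ROLES, trusted_roles={"administrator"}):
        print(f"untrusted role '{role}' grants '{perm}'")
    for user, perms in audit_users(SAMPLE_ROLES, SAMPLE_USERS).items():
        print(f"{user}: {', '.join(perms)}")
```

Pass your own set of trusted role names to `audit_roles`; any role left out of that set, including Anonymous and Authenticated, is treated as untrusted.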