[joosters]

Doesn't this show just how crappy the backend permissions must be in Facebook's code? Every new page needs to get the permissions checks exactly right, otherwise... Disaster. As an analogy, It's like the most stupidly-designed UNIX system, where each user program that opens a file runs as root and must remember to do a permissions check when opening a file, rather than centralising the permissions system in the kernel.

No-one would accept such a shoddy design in an OS, yet in today's web apps it is apparently standard practice...

[aristus]

Facebook's permissions model is very complex. Just imagine a case where Fanny comments on Alice's photo which is shared to a custom friends list, which contains Bert (Alice's friend), who Fanny put on her block list... and that's a simple example.

It has been proposed a number of times to put it all behind an API. I do not know if this has been finished yet. I remember an epic diff comment thread which only ended after the author defended her solution with a mathematical proof of correctness.

[amputect]

> I remember an epic diff comment thread which only ended after the author defended her solution with a mathematical proof of correctness.

Can you share anything more about this anecdote? I feel like there's a really interesting story there.

[aristus]

Not a lot that's public, but Mary P commented on this AMA:

https://www.reddit.com/r/IAmA/comments/1ydy0w/i_am_raylene_y...

[valisystem]

Well actually you can look at it exactly like a kernel, where the backend is the kernel and http clients are the processes, and access control is done at resource level access, by the kernel. The things is, you couldn't even model facebook access with unix perms, and if you've played with acl, I think you realize that the problem is not solely due basic soft architecture.

That said, Facebook should have addressed this problem seriously by now.

[joosters]

But Facebook permissions can be modelled. They may not be direct mappings to UNIX permissions or ACLs, but that's taking my OS analogy too literally. The point is, Facebook should have a shared component that does the permission checks, rather than giving each page global access and relying on the author to do the checks themselves.

[valisystem]

I deeply agree for the facebook case, I just wanted to point out that there is no known general solution for a centralized resource access control for web backend that will fit all use cases properly.

[MichaelGG]

That surprised me, too. I'd have thought they'd have an API for all this kind of stuff, so the front end page rendering part simply couldn't make these mistakes.

Maybe it was too limiting (slow dev) to have change two things anytime they needed different data? Or perhaps at one point there were performance concerns?

[eterm]

But facebook isn't an OS, and it's the kind of stuff that many developers aren't used to dealing with. It's the equivalent of saying that many desktop applications with server back-ends had leaky permissions.

The consequences are potentially far worse at facebook scale of course, but it's not like we as software developers generally have gone from understanding how to easily prevent these problems to an amnesiac state where we're suddenly careless.

[joosters]

Given the relentless appearance of this style of security bug in multiple Facebook pages, I think your description of a careless, amnesiac state is spot on.

[sneak]

Move fast and break things.

At least they're not a bank.

[Erwin]

In my app, I've been quite pleased with REST API endpoints mapping segments to objects the API will work on and explicitly declaring the permission before any page specific code runs.

So if you have an URL like /{username}/year/{year}/profile_lists you would in a declarative style, say that "username" must match an existing Facebook user ID, and that the page viewer must be able to view certain privacy related settings of the username. When your code runs, you get the current user, the username from the URL is mapped to another user object, year is mapped to an integer etc.

It's an error to declare an API which needs access to a resource without saying what type of access is required. In Facebook's case maybe I'd go one step further and create a proxy object for the user that codifies those rules. So if you ask for "view profile friend stats" access, and it's granted, the user object your function gets cannot start modifying things.

[bentcorner]

This is probably a symptom of the number of people employed at Facebook, lack of documentation, and that the entire app and related infrastructure is a (quickly) moving target.