
Comment by tmpz22

2 years ago

Holy shit why is this even a question?? You. Write. Tests.

You build into your testing framework/library a mechanism that will craft sessions across your range of authentication levels - unauthenticated (no session), authenticated but unauthorized, etc. You mandate that new endpoints must have a permissions test in code review.

Simple, straightforward, and absolutely the bare minimum of competency for any endpoint returning personal data.

And then someone forgets to test that one thing for that one endpoint and no one notices ("mandate in code review" is not going to be fool-proof), or lines get crossed and they test the wrong thing.

This kind of arrogance is exactly how these mistakes get made.
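The mechanism tmpz22 describes and the failure mode the reply raises, as an added example that is not code from either comment: a constructed in-process app with four endpoints, a session matrix (no session, user, admin), an expectation table, and a coverage check that flags any registered endpoint nobody wrote expectations for. Routes, roles and status codes are all constructed for the demo.

```python
SESSION_LEVELS = (None, "user", "admin")  # crafted session roles; None = no session

# --- Constructed demo app: each handler gets the session role, returns a status --
ROUTES = {}

def route(path):
    def deco(fn):
        ROUTES[path] = fn
        return fn
    return deco

@route("/public/health")
def health(session):
    return 200

@route("/me/profile")
def profile(session):
    return 401 if session is None else 200

@route("/admin/users")           # constructed bug: never checks for the admin role
def admin_users(session):
    return 401 if session is None else 200

@route("/export/personal-data")  # constructed bug: new endpoint, nobody wrote a test
def export(session):
    return 200

# --- Harness: expected status per (path, session level) ------------------------
EXPECTED = {
    "/public/health": {None: 200, "user": 200, "admin": 200},
    "/me/profile":    {None: 401, "user": 200, "admin": 200},
    "/admin/users":   {None: 401, "user": 403, "admin": 200},
}

def uncovered_endpoints():
    """Registered endpoints with no expectations: the 'forgot that one thing' case."""
    return sorted(set(ROUTES) - set(EXPECTED))

def run_matrix():
    """Exercise every covered endpoint at every level; return (path, level, want, got)."""
    failures = []
    for path, by_level in EXPECTED.items():
        for level in SESSION_LEVELS:
            got = ROUTES[path](level)
            if got != by_level[level]:
                failures.append((path, level, by_level[level], got))
    return failures

if __name__ == "__main__":
    print("untested endpoints:", uncovered_endpoints())
    print("authz mismatches:", run_matrix())
```

Wire both functions into CI so the build fails on a non-empty result from either: the matrix catches a handler that forgets a role check, and the coverage check catches the endpoint that was merged without any test at all.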