An Access Control Model is a way to define and enforce which files, areas and operations of a system each role (ordinary user, admin, and any other roles) is allowed to reach.
Examples of bad access control:
- A paywall that is easily bypassable.
  - The problem here is that a non-authenticated user can view the page in full even though they are supposed to pay or log in first.
- A login page where you can bypass the login.
  - The issue here is that you can access sensitive information you probably shouldn't be able to see.
- Unprotected or otherwise unsecured APIs.
  - If you are able to call an API you shouldn't, then you can do things that aren't intended. A great example of this is when an AI company forgot to protect the API for their large language model, so you could just query that API without needing to pay.
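The three failures above share one root cause: the server never asks who is calling and whether that caller is allowed the resource. The following is an added example (not code from the original notes) that puts an unprotected handler next to a hardened one with authentication and deny-by-default authorization. The session store, roles, paths and tokens are constructed sample data, and the path prefixes standing in for the paywall, the login-protected area and the model API are assumptions for illustration.

```python
"""Minimal access-control check for an HTTP-style API (added example).

Contrasts a handler that serves everything (the broken pattern behind paywall
bypass, login bypass and open APIs) with one that authenticates the caller and
then authorizes the request against a deny-by-default policy.
All identities, tokens and paths below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional, Tuple
import hmac
import posixpath


@dataclass(frozen=True)
class Request:
    path: str
    token: Optional[str] = None  # bearer token presented by the client, if any


# Constructed session store: token -> (user, role). A real service would derive
# this from a session backend or a signed, verified token, never from the URL.
SESSIONS = {
    "tok-alice": ("alice", "subscriber"),
    "tok-bob": ("bob", "free"),
    "tok-admin": ("carol", "admin"),
}

# Assumed policy: path prefix -> roles allowed. Anything not listed is denied.
POLICY = {
    "/articles/free/": {"free", "subscriber", "admin"},
    "/articles/premium/": {"subscriber", "admin"},   # the paywall
    "/api/llm/complete": {"subscriber", "admin"},    # the paid model API
    "/admin/": {"admin"},                            # the login-protected area
}


def handle_unprotected(req: Request) -> Tuple[int, str]:
    """Broken pattern: content is served to anyone who knows the path.

    Hiding the link in the UI or behind a client-side paywall changes nothing,
    because the server itself never checks the caller.
    """
    return 200, f"content of {req.path}"


def authenticate(token: Optional[str]):
    """Return (user, role) for a valid token, or None.

    The lookup compares in constant time so that token validity cannot be
    inferred from response timing.
    """
    if token is None:
        return None
    for stored, identity in SESSIONS.items():
        if hmac.compare_digest(stored.encode(), token.encode()):
            return identity
    return None


def authorize(role: str, path: str) -> bool:
    """Deny by default: allow only if a policy entry covers the canonical path.

    The path is normalised first so that '..' segments cannot make a request
    for one area look like a request for another.
    """
    canonical = posixpath.normpath(path)
    for prefix, roles in POLICY.items():
        if canonical == prefix.rstrip("/") or canonical.startswith(prefix):
            return role in roles
    return False


def handle_protected(req: Request) -> Tuple[int, str]:
    """Hardened handler: authenticate, then authorize, then serve."""
    identity = authenticate(req.token)
    if identity is None:
        return 401, "authentication required"
    _user, role = identity
    if not authorize(role, req.path):
        return 403, "forbidden"
    return 200, f"content of {req.path}"


if __name__ == "__main__":
    for req in (Request("/articles/premium/1"),
                Request("/articles/premium/1", "tok-bob"),
                Request("/articles/premium/1", "tok-alice"),
                Request("/api/llm/complete", "tok-bob"),
                Request("/admin/users", "tok-alice")):
        print(req.path, req.token, "->", handle_unprotected(req)[0], handle_protected(req)[0])
```

The ordering matters: authentication failures return 401 before any policy is consulted, and an authenticated caller with the wrong role gets 403, so the check covers both "who are you" and "are you allowed this". Because the policy is a whitelist, a new endpoint added without a policy entry is closed until someone deliberately opens it, which is the opposite of the forgotten-API failure described above.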