31 Oct
How should I interpret "access controls on the presentation layer are enforced on the server side"?
This question is with reference to the OWASP standard (Access control rules on the presentation layer are enforced on the server side - OWASP ASVS 3.0 - 4.9).
I'm trying to deeply understand what it means so that I can communicate it to a less-technical colleague.
I have considered one example: if the control isn't enforced, then a web page won't allow a user to change a password but does allow sending a PHP string which will force the change-password functionality, as the page is coded to change passwords.
I think that's a little tricky to understand and I don't think it is the best example.
Any suggestions on how best to interpret this? Any examples of not adhering to this standard?
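
The password-change scenario from the question, as an added example that is not part of the original post: the page hides the form from a user who may not change passwords, and two server handlers receive the same hand-built request. The account data, field names and function names are constructed for illustration.

```python
import copy

# Constructed data: "guest" is not permitted to change passwords.
USERS = {
    "alice": {"password": "old-alice", "can_change_password": True},
    "guest": {"password": "old-guest", "can_change_password": False},
}

def render_account_page(session_user):
    """Presentation layer: the form is only shown to permitted users."""
    if USERS[session_user]["can_change_password"]:
        return "<form action='/change-password' method='post'>...</form>"
    return "<p>Password changes are disabled for this account.</p>"

def change_password_ui_only(users, session_user, form):
    """Weak: assumes requests can only come from the rendered form."""
    users[form["username"]]["password"] = form["new_password"]
    return 200

def change_password_enforced(users, session_user, form):
    """Hardened: the server repeats the access rule on every request."""
    actor = users.get(session_user)
    if actor is None:
        return 401                      # no valid session
    if not actor["can_change_password"]:
        return 403                      # same rule the page applied
    if form.get("username") != session_user:
        return 403                      # may only act on own account
    users[session_user]["password"] = form["new_password"]
    return 200

def demo():
    # A request sent directly to the server, without using the page.
    request = {"username": "guest", "new_password": "chosen-by-requester"}
    weak, hard = copy.deepcopy(USERS), copy.deepcopy(USERS)
    return {
        "form_shown": "<form" in render_account_page("guest"),
        "weak_status": change_password_ui_only(weak, "guest", request),
        "weak_changed": weak["guest"]["password"] != "old-guest",
        "hard_status": change_password_enforced(hard, "guest", request),
        "hard_changed": hard["guest"]["password"] != "old-guest",
    }

if __name__ == "__main__":
    print(demo())
```

In both cases the page never showed the form; only the second handler's outcome matches what the page implied.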