+
+\noindent
+The \CMS{} has the following access control mechanisms:
+
+\begin{itemize}
+ \item A login mechanism, where logged in users are allowed to access the backend, and anonymous users are not.
+ \item For logged in users, a role system with three specified roles: admin, editor and regular user.
+ \item Different users (cap.~diff?)
+\end{itemize}
+
+\noindent
+Some typical objects of access control, in this case, are:
+
+\begin{itemize}
+ \item Database records
+ \item Editing capabilities
+ \item Role privileges
+ \item Folders, files, info over these data
+\end{itemize}
+
+Our check reveales that the access control mechanisms are basically only a stub, and haven't been developed to their usually implied meaning, thus flattening the access control to the single ascept of being logged in or not. Hence, the main remaining security consideration deal with whether this login mechanism protects `backend' objects from anonymous users.
+
+These are the results of our check:
+
+\begin{enumerate}[label={V4.\arabic*}]
+
+% Access controls:
+% - principle of least privilege?
+% - inter-role/context safety
+% - fail safely?
+% - presentation -- server side
+% - cannot be manipulated
+% - onion layers
+% - safe/working auth in place
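Review bot: the added prose still carries typos and an unresolved placeholder that should not land as-is. In the paragraph starting `+Our check reveales`, `reveales` should be `reveals`, `ascept` should be `aspect`, and `the main remaining security consideration deal with` needs number agreement (`considerations deal` or `consideration deals`). The third bullet of the first itemize, `+ \item Different users (cap.~diff?)`, reads as an author's note to self rather than a finding; either state which capability differences between users were checked or drop the item. The `\begin{enumerate}[label={V4.\arabic*}]` opened at the end of the hunk is followed only by a commented-out checklist (least privilege, fail safely, server-side presentation, etc.) and no `\item` entries, so the results announced by `These are the results of our check:` are not yet part of this patch; if the list is meant to be filled in later, say so in the commit message. Also confirm that the preamble loads the enumitem package, since the `label=` key on enumerate is provided by it and the preamble is not visible in this hunk.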