GuardAPI

Fix BFLA (Broken Function Level Authorization) in Bottle

Broken Function Level Authorization (BFLA) in Bottle applications typically occurs when developers assume that hiding an administrative endpoint or checking for a valid session is sufficient. Hackers exploit this by predicting or discovering administrative routes and invoking them with low-privileged credentials. If your app verifies 'who' a user is (authentication) but fails to verify 'what' they are allowed to do (authorization) at the function level, you are vulnerable.

The Vulnerable Pattern

```python
from bottle import route, request, HTTPError

# `db` is the application's database handle (assumed to be defined elsewhere in the app)

@route('/api/admin/delete-account/<user_id>', method='POST')
def delete_account(user_id):
    # VULNERABILITY: Checks if user is logged in, but not if they are an admin
    session_id = request.get_cookie('session_id')
    if not session_id:
        raise HTTPError(401, 'Unauthorized')

    # Any logged-in user can hit this endpoint to delete any account
    db.query('DELETE FROM users WHERE id = ?', (user_id,))
    return {'status': 'deleted'}
```

The Secure Implementation

The fix involves implementing a centralized authorization decorator. In the secure snippet, the `require_admin` decorator intercepts the request before it reaches the sensitive logic. It fetches the user's role from a trusted server-side data store (not a client-side cookie) and enforces a strict Role-Based Access Control (RBAC) check. If the user lacks the 'admin' role, it returns a 403 Forbidden status, effectively preventing unauthorized function execution even if the attacker knows the URL.

```python
from bottle import route, request, HTTPError
from functools import wraps

# `db` is the application's database handle (assumed to be defined elsewhere in the app)

def require_admin(callback):
    @wraps(callback)
    def wrapper(*args, **kwargs):
        # Resolve the session against the server-side store; the role never comes from the client
        session_id = request.get_cookie('session_id')
        user = db.get_user_by_session(session_id)

        # SECURE: Explicitly verify the 'admin' role before executing the function
        if not user or user.get('role') != 'admin':
            raise HTTPError(403, 'Forbidden: Admin access required')

        return callback(*args, **kwargs)
    return wrapper

@route('/api/admin/delete-account/<user_id>', method='POST')
@require_admin
def delete_account(user_id):
    db.query('DELETE FROM users WHERE id = ?', (user_id,))
    return {'status': 'deleted'}
```
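The decorator above can be generalised to any set of roles and made to distinguish an unauthenticated caller (401) from an authenticated caller who lacks the role (403). The following is an added example, not GuardAPI's code: it keeps the same deny-by-default structure but passes the session id in explicitly and uses a small `AuthError` class in place of `bottle.HTTPError` so it runs without Bottle; the session and user stores are constructed stand-ins for the page's `db` object.

```python
# Added example (not GuardAPI's code): role-based authorization decorator,
# generalised from the page's require_admin. In a Bottle app the session id
# would come from request.get_cookie('session_id') and AuthError would be
# bottle.HTTPError(status, message).
from functools import wraps

# Constructed server-side stores standing in for the page's `db` object.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}          # session id -> user id
USERS = {"alice": {"role": "admin"}, "bob": {"role": "user"}}  # user id -> record

class AuthError(Exception):
    """Stands in for bottle.HTTPError(status, message)."""
    def __init__(self, status, message):
        super().__init__(message)
        self.status = status

def get_user_by_session(session_id):
    """Resolve the session id against the server-side store only; a role sent by the client is never trusted."""
    user_id = SESSIONS.get(session_id)
    return USERS.get(user_id) if user_id else None

def require_role(*allowed_roles):
    """Deny by default: 401 when unauthenticated, 403 when authenticated but not in an allowed role."""
    def decorator(callback):
        @wraps(callback)
        def wrapper(session_id, *args, **kwargs):
            user = get_user_by_session(session_id)
            if user is None:
                raise AuthError(401, "Unauthorized")
            if user.get("role") not in allowed_roles:
                raise AuthError(403, "Forbidden: role %s required" % " or ".join(allowed_roles))
            return callback(*args, **kwargs)
        return wrapper
    return decorator

DELETED = []  # records which accounts the protected handler actually deleted

@require_role("admin")
def delete_account(user_id):
    DELETED.append(user_id)  # stands in for db.query('DELETE FROM users WHERE id = ?', ...)
    return {"status": "deleted"}

def attempt(session_id, user_id):
    """Call the protected handler and return the HTTP status a client would see."""
    try:
        delete_account(session_id, user_id)
        return 200
    except AuthError as e:
        return e.status
```

`attempt` lets you check that only the admin session reaches the handler, that a low-privileged session is refused with 403, and that a missing or unknown session id is refused with 401 before any role check runs.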


Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.