Fix BFLA (Broken Function Level Authorization) in Camping

BFLA (Broken Function Level Authorization) in Camping occurs when sensitive controller actions are exposed without verifying the requester's privilege level. In microframeworks like Camping, it's easy to assume that 'hidden' routes are safe, but security by obscurity is a fail. If an attacker can guess or discover your administrative endpoints, and you haven't implemented server-side authorization checks, your app is pwned.

The Vulnerable Pattern

module CampingApp::Controllers
  class AdminDeleteUser < R '/admin/delete/(\d+)'
    def get(user_id)
      # VULNERABLE: No authorization check.
      # Any authenticated (or even unauthenticated) user can hit this endpoint.
      User.find(user_id).destroy
      redirect Index
    end
  end
end

The Secure Implementation

The vulnerability stems from relying on the UI to hide links rather than enforcing access control on the server. To fix this, you must implement a server-side check within the controller (or a helper method) that validates the user's role against the required permission level for that specific function. In Camping, use the `@state` object to track the current user and ensure every administrative route explicitly rejects unauthorized sessions with a 403 Forbidden status.

module CampingApp::Controllers
  class AdminDeleteUser < R '/admin/delete/(\d+)'
    def get(user_id)
      # SECURE: Verify session state and role before execution
      if @state.user_id && User.find(@state.user_id).admin?
        User.find(user_id).destroy
        redirect Index
      else
        @status = 403
        return "Access Denied: Administrative privileges required."
      end
    end
  end
end