Fix BFLA (Broken Function Level Authorization) in CodeIgniter

BFLA (Broken Function Level Authorization) in CodeIgniter occurs when the application exposes sensitive administrative or internal functions to unauthorized users. Attackers simply manipulate the URL or request parameters to access endpoints that should be restricted by roles. If your controller doesn't verify that the current session has the 'admin' bit flipped before executing a 'delete' or 'update' action, you're wide open.

The Vulnerable Pattern

class User extends \CodeIgniter\Controller {
    public function delete($id) {
        // VULNERABILITY: No check to see if the requester is an admin.
        // Any authenticated (or even unauthenticated) user can hit /user/delete/10
        $model = new \App\Models\UserModel();
        $model->delete($id);
        return "User deleted";
    }
}

The Secure Implementation

The vulnerable code assumes that because a function isn't linked in the UI, it's safe. However, an attacker can directly call the URI. The fix involves implementing a mandatory authorization check. In CodeIgniter 4, the 'hacker-proof' way is using Filters to intercept requests at the routing level, ensuring the session contains the correct authorization claims before the controller logic even executes. This prevents BFLA by decoupling authorization logic from business logic.

class User extends \CodeIgniter\Controller {
    public function delete($id) {
        $session = session();
    // SECURE: Explicitly check for 'admin' role before execution
    if (!$session->get('is_admin')) {
        return $this->response->setStatusCode(403)->setBody('Access Denied');
    }

    $model = new \App\Models\UserModel();
    if ($model->delete($id)) {
        return "User deleted";
    }
}
}
// BETTER: Use CI4 Filters (app/Config/Filters.php)
public $filters = [
‘adminOnly’ => [‘before’ => [‘admin/’, ‘user/delete/’]],
];