Fix BFLA (Broken Function Level Authorization) in Flask
BFLA (Broken Function Level Authorization) is the low-hanging fruit for any pentester. It happens when developers assume that hiding a button in the UI is a security control. If your API endpoints don't explicitly verify that the current user has the required 'Role' or 'Permission' to execute that specific function, you're inviting vertical privilege escalation. Authenticated != Authorized.
The Vulnerable Pattern
import os
# `app` (the Flask application) and `login_required` (e.g. from Flask-Login)
# are assumed to be set up elsewhere in the project; only the view is shown.

@app.route('/api/v1/system/shutdown', methods=['POST'])
@login_required
def shutdown_server():
    # VULNERABILITY: This function only checks if the user is logged in.
    # Any registered user (guest, support, etc.) can hit this endpoint
    # and take the system offline.
    os.system('shutdown now')
    return {'status': 'shutting down'}, 200
The Secure Implementation
The fix implements a custom decorator `require_role` that acts as a gatekeeper. While `@login_required` ensures we know WHO the user is, `@require_role('ADMIN')` ensures they have the RIGHT to execute the function. By checking the user's role against an allow-list before the function body executes, we mitigate BFLA. Always default to 'Deny All' and explicitly permit roles for sensitive administrative or destructive operations.
import os
from functools import wraps
from flask import abort, g

def require_role(role):
    def decorator(f):
        @wraps(f)
        def wrapped(*args, **kwargs):
            # SECURE: Explicitly check the user's role attribute
            if not g.user or g.user.role != role:
                abort(403)  # Forbidden access
            return f(*args, **kwargs)
        return wrapped
    return decorator

@app.route('/api/v1/system/shutdown', methods=['POST'])
@login_required
@require_role('ADMIN')
def shutdown_server():
    os.system('shutdown now')
    return {'status': 'shutting down'}, 200
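As an added example that is not part of the original article, the same gatekeeper generalized to an explicit allow-list of roles (default deny, anonymous callers rejected), together with a small audit helper that lists sensitive routes whose view never passed through `require_role`. Flask's `g` and `abort(403)` are replaced by stand-ins (`SimpleNamespace`, a `Forbidden` exception) and the route table is constructed by hand, so the logic runs without Flask installed; the `shutdown now` side effect is deliberately left out.

```python
from functools import wraps
from types import SimpleNamespace
class Forbidden(Exception): """Stand-in for Flask's abort(403)."""

g = SimpleNamespace(user=None)  # stand-in for flask.g; g.user carries a .role
def require_role(*allowed_roles):
    """Default-deny gate: generalizes the page's single-role check to an allow-list."""
    allowed = frozenset(allowed_roles)
    def decorator(f):
        @wraps(f)
        def wrapped(*args, **kwargs):
            user = g.user
            # Anonymous caller or role outside the allow-list: deny before f() runs.
            if user is None or user.role not in allowed:
                raise Forbidden(f"role required: {sorted(allowed)}")
            return f(*args, **kwargs)
        wrapped.required_roles = allowed  # recorded so the audit below can find it
        return wrapped
    return decorator

@require_role("ADMIN")
def shutdown_server():
    return {"status": "shutting down"}, 200  # os.system call omitted on purpose

@require_role("ADMIN", "SUPPORT")
def view_audit_log():
    return {"status": "ok"}, 200

def list_status():  # intentionally left without a role check
    return {"status": "up"}, 200

def call_as(role, view):
    """Invoke a view as a user holding `role` (None = anonymous); return (status, body)."""
    g.user = None if role is None else SimpleNamespace(role=role)
    try:
        body, status = view()
        return status, body
    except Forbidden:
        return 403, None

ROUTES = {  # constructed stand-in for app.url_map -> view function
    "/api/v1/system/shutdown": shutdown_server,
    "/api/v1/system/audit": view_audit_log,
    "/api/v1/system/status": list_status,
}

def unguarded_views(routes, sensitive_prefix="/api/v1/system/"):
    """Audit: sensitive paths whose view never passed through require_role."""
    return sorted(p for p, view in routes.items()
                  if p.startswith(sensitive_prefix) and not hasattr(view, "required_roles"))
```

In a real app the audit would iterate `app.url_map.iter_rules()` and `app.view_functions` instead of the constructed `ROUTES` table; running it at startup or in CI catches the unprotected route before a scanner does.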
Verified by Ghost Labs Security Team