GuardAPI

Fix BFLA (Broken Function Level Authorization) in Hanami

BFLA occurs when your Hanami app fails to verify that a user has the appropriate authorization level to execute a specific function. Just because a user is authenticated doesn't mean they should be able to hit your administrative or sensitive endpoints. Attackers will enumerate your routes, find functions like /admin/users/delete, and call them with nothing more than an ordinary user's session token. If you aren't checking roles at the action level, you're pwned.

The Vulnerable Pattern

module Admin
  module Actions
    module Users
      class Destroy < Admin::Action
        # VULNERABLE: No authorization check.
        # Anyone with a valid session can hit this endpoint.
        def handle(request, response)
          user_id = request.params[:id]
          repo = UserRepository.new
          repo.delete(user_id)
          response.status = 204
        end
      end
    end
  end
end

The Secure Implementation

To kill BFLA in Hanami, you must implement explicit authorization logic. The fix uses a 'before' hook to intercept the request before it hits the handler. We retrieve the 'current_user' (usually populated by a previous authentication middleware) and verify their 'role' attribute. If the user is not an admin, we immediately 'halt' with a 403 Forbidden status. For complex apps, use a dedicated authorization library like 'CanCanCan' or 'Pundit' integrated into your base Action class to enforce RBAC/ABAC consistently across all functional layers.

module Admin
  module Actions
    module Users
      class Destroy < Admin::Action
        # Runs before handle; a halt here stops the request from ever reaching it.
        before :authorize_admin!

        def handle(request, response)
          user_id = request.params[:id]
          UserRepository.new.delete(user_id)
          response.status = 204
        end

        private

        def authorize_admin!(request, response)
          # SECURE: Verify both identity AND functional scope.
          # current_user is populated by the authentication middleware that ran earlier;
          # a missing user is treated the same as a non-admin.
          current_user = request.env[:current_user]
          unless current_user && current_user.role == 'admin'
            halt 403, { error: 'Forbidden: Insufficient Permissions' }.to_json
          end
        end
      end
    end
  end
end
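The hook above protects one action. The following added example (not GuardAPI's or Hanami's own code) shows the deny-by-default policy object that a base Admin::Action could consult from a single before hook so that every admin action is covered; FunctionPolicy, MyApp::Action, the role names and the function names are assumptions for illustration.

```ruby
require "json"

# Added example (not GuardAPI's or Hanami's own code): a deny-by-default
# function-level policy that a base Admin::Action can consult from its
# `before` hook, so every admin action is covered rather than just one.
# FunctionPolicy, the role names and the function names are hypothetical.
module FunctionPolicy
  # Explicit allow-list: role => admin functions it may call. Anything
  # not listed is denied, including unknown roles and a missing user.
  PERMISSIONS = {
    "admin"   => %w[users.index users.show users.destroy].freeze,
    "support" => %w[users.index users.show].freeze
  }.freeze

  def self.allowed?(user, function)
    return false if user.nil?
    role = user.respond_to?(:role) ? user.role : nil
    PERMISSIONS.fetch(role.to_s, []).include?(function)
  end

  # nil when the call may proceed; otherwise the [status, body] pair to
  # hand to Hanami's `halt`, mirroring the 403 response shown above.
  def self.check(user, function)
    return nil if allowed?(user, function)
    [403, { error: "Forbidden: Insufficient Permissions" }.to_json]
  end
end

# Wiring into the base action (illustrative, needs a running Hanami app):
#
#   class Admin::Action < MyApp::Action
#     before :authorize_function!
#
#     private
#
#     def authorize_function!(request, response)
#       # Admin::Actions::Users::Destroy -> "users.destroy"
#       function = self.class.name.split("::").last(2).map(&:downcase).join(".")
#       denied = FunctionPolicy.check(request.env[:current_user], function)
#       halt(*denied) if denied
#     end
#   end

# Constructed sample users for a stand-alone run.
User = Struct.new(:id, :role)
ADMIN   = User.new(1, "admin")
SUPPORT = User.new(2, "support")
```

Because the policy is an allow-list, adding a new admin action without listing it fails closed instead of silently becoming reachable to every authenticated user.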

Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.