GuardAPI

Fix BFLA (Broken Function Level Authorization) in Yii

Broken Function Level Authorization (BFLA) in Yii applications typically appears when developers rely on a bare authentication check rather than granular authorization. Attackers exploit it by calling administrative endpoints directly (e.g., /user/delete?id=1) that lack an AccessControl filter (ACF) or RBAC enforcement. In a hacker's eyes, an 'authenticated' status is just the first door; BFLA is the unlocked safe inside.

The Vulnerable Pattern

class UserController extends \yii\web\Controller
{
    public function actionDelete($id)
    {
        // VULNERABILITY: no behaviors() method, so no AccessControl filter runs
        // before this action. Any caller, including an unauthenticated guest or a
        // low-privilege account, can trigger it by requesting the URL directly.
        $this->findModel($id)->delete(); // findModel(): the usual Gii-generated lookup helper
        return $this->redirect(['index']);
    }
}

The Secure Implementation

To close BFLA, implement the `behaviors()` method with `yii\filters\AccessControl`. The vulnerable snippet fails because it has no filter, so every public action method is reachable. The secure snippet enforces a strict allowlist: only users assigned the 'admin' role through Yii's RBAC component (the `authManager` application component) can reach the 'delete' action, and ACF denies every request that no rule explicitly allows. Two caveats follow from that default: other actions in the same controller need their own rules (or the filter needs `only`/`except`), and if no `authManager` is configured, `can('admin')` returns false, so the action is denied to everyone rather than opened. For object-level logic, combine ACF with `Yii::$app->user->can()`, which checks a specific permission and, through an RBAC rule, a business condition such as ownership (a user may delete only their own records). ACF closes the BFLA vector; the `can()` check with object parameters closes the IDOR vector.

use yii\filters\AccessControl;
use yii\web\ForbiddenHttpException;

class UserController extends \yii\web\Controller
{
    public function behaviors()
    {
        return [
            'access' => [
                'class' => AccessControl::class,
                'rules' => [
                    [
                        'actions' => ['delete'],
                        'allow' => true,
                        'roles' => ['admin'], // RBAC role, resolved via Yii::$app->user->can('admin')
                    ],
                ],
                // ACF denies anything no rule allows. This replaces the default handling
                // (login redirect for guests, 403 for others) with an explicit 403.
                'denyCallback' => function ($rule, $action) {
                    throw new ForbiddenHttpException('Insufficient permissions.');
                },
            ],
        ];
    }

    public function actionDelete($id)
    {
        $model = $this->findModel($id);
        // Object-level check: the permission's RBAC rule receives the model and can
        // compare ownership. Fail closed with a 403 rather than silently redirecting.
        if (!\Yii::$app->user->can('deleteOwnPost', ['post' => $model])) {
            throw new ForbiddenHttpException('You may not delete this record.');
        }
        $model->delete();
        return $this->redirect(['index']);
    }
}
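The snippet above assumes the 'admin' role and the 'deleteOwnPost' permission already exist in the RBAC store. The following is an added example, not code from the original page, showing how to build that hierarchy the way the Yii 2 guide does, with the ownership condition as a `yii\rbac\Rule`. It assumes an `authManager` component is configured (`yii\rbac\DbManager` with its tables migrated, or `yii\rbac\PhpManager`) and that the model passed as `$params['post']` has a `created_by` attribute holding the owner's user id. The class names `OwnerRule` and `RbacSetup`, the 'author' role and the user ids are illustrative.

```php
<?php
// Added example (not from the original page): RBAC hierarchy behind the
// AccessControl 'admin' rule and the can() check in the controller above.
// Assumptions: an authManager component is configured; the object passed as
// $params['post'] exposes created_by (owner's user id). OwnerRule, RbacSetup
// and the 'author' role are hypothetical names used for illustration.

namespace app\rbac;

use yii\rbac\ManagerInterface;
use yii\rbac\Rule;

/**
 * Rule attached to the 'deleteOwnPost' permission. It receives the $params
 * array given to can()/checkAccess(), so this is where the object-level
 * (ownership) decision lives: the role/permission graph handles BFLA,
 * this rule handles IDOR.
 */
class OwnerRule extends Rule
{
    public $name = 'isOwner';

    /**
     * @param int|string     $user   id of the user being checked
     * @param \yii\rbac\Item $item   the item this rule is attached to
     * @param array          $params params from can(); expects $params['post']
     */
    public function execute($user, $item, $params)
    {
        if (!isset($params['post'])) {
            return false; // fail closed when the caller forgot to pass the object
        }
        return (string) $params['post']->created_by === (string) $user;
    }
}

/**
 * Builds the hierarchy once (call from a console command or a migration):
 *
 *   admin  -> deletePost
 *   author -> deleteOwnPost [isOwner] -> deletePost
 *
 * Controllers check the broad permission:
 *   Yii::$app->user->can('deletePost', ['post' => $model])
 * Admins satisfy it directly; authors satisfy it only when OwnerRule passes
 * on the way up through deleteOwnPost; everyone else is denied.
 */
class RbacSetup
{
    public static function build(ManagerInterface $auth, array $adminIds, array $authorIds)
    {
        $auth->removeAll(); // rebuild from scratch; drop this line if adding incrementally

        $rule = new OwnerRule();
        $auth->add($rule);

        $deletePost = $auth->createPermission('deletePost');
        $deletePost->description = 'Delete any record';
        $auth->add($deletePost);

        $deleteOwnPost = $auth->createPermission('deleteOwnPost');
        $deleteOwnPost->description = 'Delete own record';
        $deleteOwnPost->ruleName = $rule->name; // OwnerRule runs whenever this node is evaluated
        $auth->add($deleteOwnPost);
        // Holding deleteOwnPost (rule permitting) implies deletePost.
        $auth->addChild($deleteOwnPost, $deletePost);

        $author = $auth->createRole('author');
        $auth->add($author);
        $auth->addChild($author, $deleteOwnPost);

        $admin = $auth->createRole('admin');
        $auth->add($admin);
        $auth->addChild($admin, $deletePost);
        $auth->addChild($admin, $author); // admins inherit everything authors have

        foreach ($adminIds as $id) {
            $auth->assign($admin, $id);
        }
        foreach ($authorIds as $id) {
            $auth->assign($author, $id);
        }
    }

    /** The same decision the controller makes, usable from console code or tests. */
    public static function mayDelete(ManagerInterface $auth, $userId, $post)
    {
        return $auth->checkAccess($userId, 'deletePost', ['post' => $post]);
    }
}
```

Two points about wiring this into the controller shown earlier. First, check the broad permission ('deletePost') from the action so that admins pass without the rule and authors pass only through `OwnerRule`; calling `can('deleteOwnPost', ...)` directly makes every caller, admins included, subject to the ownership rule. Second, the ACF rule above only lets the 'admin' role reach the action at all, so an author is rejected before `can()` runs; to let owners delete their own records, allow `'@'` (any authenticated user) in the ACF rule and let the RBAC check decide, which keeps the deny-by-default behaviour for guests.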


Verified by Ghost Labs Security Team