Fix BOLA (Broken Object Level Authorization) in CodeIgniter

BOLA (Broken Object Level Authorization) is the bread and butter of modern API exploitation. In CodeIgniter 4, it occurs when a developer trusts the ID provided in a URI segment or request body without verifying if the authenticated user has permission to interact with that specific resource. If you aren't scoping your database queries to the current session's user ID, you're leaking data.

The Vulnerable Pattern

public function update_invoice($id) {
    $model = new InvoiceModel();
    $data = $this->request->getJSON();
    // VULNERABLE: Trusting the ID from the URL without ownership verification
    $model->update($id, $data);
    return $this->response->setJSON(['status' => 'updated']);
}

The Secure Implementation

The fix implements a hard ownership check. Instead of blindly updating a record by ID, we query the database using a composite key: the resource ID and the session-stored 'user_id'. If the user tries to manipulate another user's ID, the query returns null, and the application terminates the request with a 403 Forbidden. For high-security environments, replace auto-incrementing IDs with UUIDs to prevent ID enumeration/crawling, but always maintain server-side ownership validation as the primary defense.

public function update_invoice($id) {
    $userId = session()->get('user_id');
    $model = new InvoiceModel();
    // SECURE: Verify that the invoice exists AND belongs to the authenticated user
    $invoice = $model->where(['id' => $id, 'user_id' => $userId])->first();
    if (!$invoice) {
        return $this->response->setStatusCode(403)->setJSON(['error' => 'Unauthorized access to resource']);
    }
    $data = $this->request->getJSON();
    $model->update($id, $data);
    return $this->response->setJSON(['status' => 'success']);
}