Fix BOLA (Broken Object Level Authorization) in Cuba
BOLA (also known as IDOR) is the most critical vulnerability class in modern APIs. In the Cuba Platform (Jmix), it occurs when developers fetch entities by UUID via DataManager without validating that the authenticated user actually owns the record. If your service layer trusts the client-supplied ID without checking the row-level context, any authenticated user can scrape your entire database by iterating through UUIDs.
The Vulnerable Pattern
@Inject
private DataManager dataManager;

public Order getOrderById(UUID orderId) {
    // CRITICAL: This bypasses ownership checks.
    // Any authenticated user can pass any UUID to view any order.
    return dataManager.load(Order.class)
            .id(orderId)
            .one();
}
The Secure Implementation
To kill BOLA in Cuba, you must implement a defense-in-depth strategy. First, leverage Cuba's 'Row-level roles' (Access Groups) to restrict data visibility at the framework level. Second, in your middle-tier services, never trust the ID provided by the client. Always cross-reference the entity's owner attribute against the active UserSession, and if the owner does not match the requester, abort the operation immediately, before any read, update or delete is performed. Using 'UserSessionSource' ensures you are validating against the cryptographically signed session, not spoofable request headers.
import java.util.UUID;
import javax.inject.Inject;
import com.haulmont.cuba.core.global.DataManager;
import com.haulmont.cuba.core.global.UserSessionSource;
// AccessDeniedException: use the exception type your API layer maps to an HTTP 403 response.

@Inject
private DataManager dataManager;

@Inject
private UserSessionSource userSessionSource;

public Order getOrderById(UUID orderId) {
    Order order = dataManager.load(Order.class)
            .id(orderId)
            .one();

    String currentUsername = userSessionSource.getUserSession().getUser().getLogin();

    // SECURE: explicitly verify the 'createdBy' attribute (or an owner link) against the session user.
    // Comparing from the session login side also avoids a NullPointerException if createdBy is unset.
    if (!currentUsername.equals(order.getCreatedBy())) {
        throw new AccessDeniedException("Unauthorized access to object: " + orderId);
    }
    return order;
}
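The same check, as an added example that is not code from the page, Ghost Labs or the CUBA project: a hypothetical middleware service that routes every read, update and delete of an Order through one ownership guard, and that treats a missing record and a foreign record identically so the endpoint cannot be used to enumerate which UUIDs exist. It assumes an `Order` entity extending `StandardEntity` with an `amount` attribute, and an `OrderService` interface (declaring `NAME` and the three methods) defined elsewhere in the project.

```java
import java.math.BigDecimal;
import java.util.Optional;
import java.util.UUID;
import javax.inject.Inject;
import org.springframework.stereotype.Service;
import com.haulmont.cuba.core.entity.StandardEntity;
import com.haulmont.cuba.core.global.AccessDeniedException;
import com.haulmont.cuba.core.global.DataManager;
import com.haulmont.cuba.core.global.UserSessionSource;
import com.haulmont.cuba.security.entity.PermissionType;

// Hypothetical service bean: every read/update/delete of an Order goes through
// loadOwned(), so the ownership check cannot be forgotten on one code path.
@Service(OrderService.NAME)
public class OrderServiceBean implements OrderService {

    @Inject private DataManager dataManager;
    @Inject private UserSessionSource userSessionSource;

    // Loads an entity by UUID and verifies that the session user created it.
    // A missing record and a record created by someone else fail identically,
    // so the response does not reveal whether a guessed UUID exists.
    private <E extends StandardEntity> E loadOwned(Class<E> entityClass, UUID id) {
        String login = userSessionSource.getUserSession().getUser().getLogin();
        Optional<E> found = dataManager.load(entityClass).id(id).optional();
        if (!found.isPresent() || !login.equals(found.get().getCreatedBy())) {
            // Assumption: the API layer maps this exception to a generic error response.
            throw new AccessDeniedException(PermissionType.ENTITY_OP, entityClass.getSimpleName());
        }
        return found.get();
    }

    @Override
    public Order getOrderById(UUID orderId) {
        return loadOwned(Order.class, orderId);
    }

    @Override
    public Order updateAmount(UUID orderId, BigDecimal amount) {
        Order order = loadOwned(Order.class, orderId); // ownership verified before mutating
        order.setAmount(amount);
        return dataManager.commit(order);
    }

    @Override
    public void deleteOrder(UUID orderId) {
        dataManager.remove(loadOwned(Order.class, orderId)); // ownership verified before deleting
    }
}
```

Row-level constraints from Access Groups still apply underneath this guard; the service check is the second layer, not a replacement for the first.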
Verified by Ghost Labs Security Team
This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.