Fix BOLA (Broken Object Level Authorization) in FuelPHP
BOLA (Broken Object Level Authorization) is the most exploited vulnerability in modern APIs. In FuelPHP, it occurs when an application exposes a resource ID in the URI and fails to verify if the authenticated user has the rights to access that specific object. Attackers simply iterate through IDs to scrape private data. To kill BOLA, you must enforce ownership checks at the data-access layer, not just check if a user is logged in.
The Vulnerable Pattern
public function get_profile($id)
{
    // VULNERABLE: Directly fetching by ID from URI without checking ownership
    $user = Model_User::find($id);
    if (!$user)
    {
        return $this->response(['error' => 'Not found'], 404);
    }
    return $this->response($user->to_array());
}
The Secure Implementation
The vulnerable snippet trusts the user-supplied $id implicitly. An attacker could change /api/profile/10 to /api/profile/11 and access unauthorized data. The secure implementation uses the FuelPHP Auth package to extract the 'real' user identity from the session/token. We then use the ORM Query Builder to append a mandatory 'where' clause that scopes the look-up to the authenticated user's ID. If the record doesn't belong to them, the query returns null, and we trigger a 404, preventing ID enumeration and unauthorized data exposure.
public function get_profile($id)
{
    // SECURE: Retrieve current user ID from Auth session
    list(, $current_user_id) = Auth::get_user_id();

    // Verify the requested ID matches the session ID by scoping the query itself
    $user = Model_User::query()
        ->where('id', '=', $id)
        ->where('id', '=', $current_user_id)
        ->get_one();

    if (!$user)
    {
        // Return 404 to avoid leaking existence of other users' data
        throw new HttpNotFoundException;
    }
    return $this->response($user->to_array());
}
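The profile case above is the special one where the object ID equals the user ID. As an added example, not code from this page or from the FuelPHP project, the same query-scoping applied to a resource owned through a foreign key (the more common BOLA shape); Controller_Api_Orders, Model_Order and its user_id column are assumed.

```php
<?php
// Added example (hypothetical controller and model, not from the original page).
// Ownership is enforced in the ORM query, so a foreign ID never reaches the caller.

class Controller_Api_Orders extends Controller_Rest
{
    protected $format = 'json';

    /**
     * Load one row of $model by primary key, restricted to rows whose
     * $owner_column equals $owner_id. Returns null both when the row does
     * not exist and when it belongs to someone else, so callers cannot
     * tell the two cases apart.
     */
    protected function find_owned($model, $id, $owner_id, $owner_column = 'user_id')
    {
        return $model::query()
            ->where('id', '=', (int) $id)
            ->where($owner_column, '=', $owner_id)
            ->get_one();
    }

    // GET /api/orders/:id
    public function get_order($id)
    {
        if ( ! Auth::check())
        {
            // Fail closed: never run the lookup with a null owner id
            return $this->response(['error' => 'Unauthorized'], 401);
        }
        list(, $current_user_id) = Auth::get_user_id();

        // Model_Order with a user_id column is assumed for this example
        $order = $this->find_owned('Model_Order', $id, $current_user_id);
        if ( ! $order)
        {
            // Same response for "missing" and "not yours": no enumeration oracle
            throw new HttpNotFoundException;
        }
        return $this->response($order->to_array());
    }
}
```

Every other object-fetching action in the controller should go through find_owned (or the equivalent scoped query), since a single unscoped Model::find($id) reintroduces the flaw.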
Verified by Ghost Labs Security Team