
Fix BOLA (Broken Object Level Authorization) in Poem

BOLA (Broken Object Level Authorization), formerly known as IDOR, remains the #1 threat to APIs. In Poem, it appears when a handler accepts a resource ID from a path or query parameter and fetches the object without verifying that the authenticated principal is allowed to access it. Trusting the client-provided ID alone is a fast track to a data breach.

The Vulnerable Pattern

use poem::{handler, http::StatusCode, web::{Json, Path}, Error, Result};

#[handler]
async fn get_user_report(Path(report_id): Path<String>) -> Result<Json<Report>> {
    // VULNERABLE: only checks whether the report exists, not who owns it.
    let report = db::fetch_report(&report_id).await
        .map_err(|_| Error::from_status(StatusCode::NOT_FOUND))?;
    Ok(Json(report))
}

The Secure Implementation

The flaw is an Insecure Direct Object Reference: the handler uses the client-supplied report_id as the only key. To fix BOLA in Poem, add an authorization layer that matches the resource's owner_id against the requester's identity. Use Poem's Data extractor to inject the session context (populated by authentication middleware), and replace the generic get_by_id database call with a get_by_id_and_owner query. Then, even if an attacker guesses a valid report_id, the query returns no row because the user_id does not match, which neutralizes the horizontal privilege escalation.

use poem::{handler, http::StatusCode, web::{Data, Json, Path}, Error, Result};

#[handler]
async fn get_user_report(
    Path(report_id): Path<String>,
    Data(auth_session): Data<&AuthSession>,
) -> Result<Json<Report>> {
    // SECURE: the query is scoped to the authenticated user_id, so a guessed
    // report_id that belongs to another user matches no row.
    let report = db::fetch_report_by_owner(&report_id, &auth_session.user_id).await
        .map_err(|_| Error::from_status(StatusCode::FORBIDDEN))?;
    Ok(Json(report))
}
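As an added example (not GuardAPI's or the Poem project's code), here is a dependency-free Rust model of the get_by_id_and_owner pattern above: the ReportStore, Report and AuthSession types and the sample data are constructed for this illustration, standing in for the database and for the session that Poem's Data<&AuthSession> extractor would inject.

```rust
// Added example: std-only model of owner-scoped lookup (no poem dependency).
use std::collections::HashMap;

#[derive(Clone, Debug, PartialEq)]
pub struct Report {
    pub id: String,
    pub owner_id: u64,
    pub body: String,
}

/// Stands in for the session context that middleware would populate.
pub struct AuthSession {
    pub user_id: u64,
}

/// Constructed in-memory store standing in for the database.
pub struct ReportStore {
    by_id: HashMap<String, Report>,
}

impl ReportStore {
    /// Constructed sample data: user 1 owns r-100, user 2 owns r-200.
    pub fn sample() -> Self {
        let mut by_id = HashMap::new();
        for (id, owner_id) in [("r-100", 1u64), ("r-200", 2u64)] {
            let body = format!("contents of {id}");
            by_id.insert(id.to_string(), Report { id: id.to_string(), owner_id, body });
        }
        Self { by_id }
    }

    /// VULNERABLE lookup: checks existence only, ignores who is asking.
    pub fn fetch_report(&self, id: &str) -> Option<Report> {
        self.by_id.get(id).cloned()
    }

    /// SECURE lookup: the owner is part of the key, so a guessed id that
    /// belongs to someone else yields None, exactly as if it did not exist.
    pub fn fetch_report_by_owner(&self, id: &str, owner_id: u64) -> Option<Report> {
        self.by_id.get(id).filter(|r| r.owner_id == owner_id).cloned()
    }
}

/// Handler logic mirroring the secure Poem handler: scope the query to the
/// authenticated user and map a miss to HTTP 403, as the page does.
pub fn get_user_report(store: &ReportStore, report_id: &str, session: &AuthSession) -> Result<Report, u16> {
    store.fetch_report_by_owner(report_id, session.user_id).ok_or(403)
}
```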


Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.