Fix BOLA (Broken Object Level Authorization) in Revel
BOLA (Broken Object Level Authorization) ranks first in the OWASP API Security Top 10 (API1:2023). In Revel it shows up when a controller trusts the object ID bound from the route and never checks that the caller owns that object. If your action fetches a resource purely by a URL parameter, any authenticated user can iterate through IDs and read every record of that resource type. The fix is to scope the database query to the identity Revel holds in the signed session, not to the ID the client sends.
The Vulnerable Pattern
func (c App) GetInvoice(id int) revel.Result {
	// VULNERABLE: `id` is bound from the route, so it is attacker-controlled.
	// The lookup never asks who is calling, only which row is wanted.
	invoice := models.Invoice{}.GetByID(id)
	if invoice == nil {
		return c.NotFound("Invoice not found")
	}
	// Any authenticated user who guesses a valid id gets the record.
	return c.RenderJSON(invoice)
}
The Secure Implementation
The fix moves the ownership check out of the controller and into the data access layer. Instead of fetching the object and then testing `if user == owner` (a step that is easy to forget in the next action you write), the secure pattern binds the authenticated user's ID into the SQL WHERE clause as a second parameter. Even if an attacker supplies a valid invoice ID, the query matches no row because the `owner_id` constraint is not met, and the lookup returns nil. Treat `c.Session` as the only source of identity; never take a user or owner ID from the URL path, query string or request body. This is safe because Revel signs the session cookie with `app.secret`, so a client cannot rewrite `user_id`; keep that secret out of source control, because anyone who holds it can forge a session. Note also that the default cookie session engine hands values back as strings, so parse the stored ID rather than asserting it to an int. Finally, answer 404 for both "does not exist" and "not yours": a distinct 403 for the second case would tell an attacker which IDs are real.
func (c App) GetInvoice(id int) revel.Result {
	// SECURE: identity comes from the signed session, never from the request.
	// Assumes login stored the id as a string (c.Session["user_id"] = strconv.Itoa(user.ID)),
	// which is how Revel's default cookie session engine round-trips values.
	raw, _ := c.Session["user_id"].(string)
	userID, err := strconv.Atoi(raw)
	if err != nil {
		return c.Forbidden("Unauthorized")
	}
	// Force the DB query to include the owner's ID in its WHERE clause.
	invoice := models.Invoice{}.GetByIDAndOwner(id, userID)
	if invoice == nil {
		// Same 404 for "missing" and "not yours", so there is no ID enumeration oracle.
		return c.NotFound("Invoice not found")
	}
	return c.RenderJSON(invoice)
}
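The following program is an added example, not code from the page or from the Revel project. It isolates the two ideas above, the owner-scoped lookup and the session-derived identity, so they can be run and tested without a database or a running Revel server. The `invoiceStore` type is a constructed stand-in for the invoices table (the SQL each method would issue is given in its comment), `userIDFromSession` and `fetchInvoice` are hypothetical helpers that mirror the controller logic, and the session is represented as the plain `map[string]interface{}` that Revel's `session.Session` is built on.

```go
package main

import (
	"fmt"
	"strconv"
)

// Invoice is the protected resource. OwnerID is the column the secure
// query must always constrain on.
type Invoice struct {
	ID      int
	OwnerID int
	Amount  int // cents
}

// invoiceStore is a constructed in-memory stand-in for the invoices table.
// In a real Revel model both methods would run parameterized SQL; the
// in-memory filtering below mirrors the WHERE clause quoted on each one.
type invoiceStore struct {
	rows []Invoice
}

// GetByID is the vulnerable lookup:
//   SELECT id, owner_id, amount FROM invoices WHERE id = ?
// Whoever knows (or guesses) an id gets the row back.
func (s *invoiceStore) GetByID(id int) *Invoice {
	for i := range s.rows {
		if s.rows[i].ID == id {
			inv := s.rows[i]
			return &inv
		}
	}
	return nil
}

// GetByIDAndOwner is the secure lookup:
//   SELECT id, owner_id, amount FROM invoices WHERE id = ? AND owner_id = ?
// A wrong owner and a nonexistent id both yield nil, so the caller gains
// no oracle for enumerating valid ids.
func (s *invoiceStore) GetByIDAndOwner(id, ownerID int) *Invoice {
	for i := range s.rows {
		if s.rows[i].ID == id && s.rows[i].OwnerID == ownerID {
			inv := s.rows[i]
			return &inv
		}
	}
	return nil
}

// userIDFromSession reads the authenticated user's id out of a Revel-style
// session map. The default cookie engine returns values as strings, so a
// string is parsed; an int is accepted for server-side session engines that
// keep native types. Anything else means "not authenticated".
func userIDFromSession(sess map[string]interface{}) (int, bool) {
	switch v := sess["user_id"].(type) {
	case int:
		return v, true
	case string:
		id, err := strconv.Atoi(v)
		if err != nil {
			return 0, false
		}
		return id, true
	default:
		return 0, false
	}
}

// fetchInvoice is the controller logic in isolation: identity comes from
// the session, never from the request, and the lookup is owner-scoped.
// It returns the invoice (or nil) and the HTTP status the action would send.
func fetchInvoice(store *invoiceStore, sess map[string]interface{}, id int) (*Invoice, int) {
	userID, ok := userIDFromSession(sess)
	if !ok {
		return nil, 403 // no usable identity in the session
	}
	inv := store.GetByIDAndOwner(id, userID)
	if inv == nil {
		return nil, 404 // missing and not-owned are deliberately indistinguishable
	}
	return inv, 200
}

func main() {
	// Constructed sample data: invoice 1 belongs to user 7, invoice 2 to user 9.
	store := &invoiceStore{rows: []Invoice{
		{ID: 1, OwnerID: 7, Amount: 1500},
		{ID: 2, OwnerID: 9, Amount: 250},
	}}
	attacker := map[string]interface{}{"user_id": "9"} // logged in as user 9
	owner := map[string]interface{}{"user_id": "7"}

	// Vulnerable path: user 9 asks for invoice 1 and gets user 7's data.
	fmt.Printf("vulnerable GetByID(1) as user 9: %+v\n", store.GetByID(1))

	// Secure path: same request, the owner-scoped query returns nothing.
	inv, status := fetchInvoice(store, attacker, 1)
	fmt.Printf("secure fetch as user 9: status=%d invoice=%v\n", status, inv)

	inv, status = fetchInvoice(store, owner, 1)
	fmt.Printf("secure fetch as user 7: status=%d invoice=%+v\n", status, inv)

	_, status = fetchInvoice(store, map[string]interface{}{}, 1)
	fmt.Printf("secure fetch with no session: status=%d\n", status)
}
```

The point to take from running it is the symmetry of the 404 responses: user 7 asking for invoice 99 and user 9 asking for invoice 1 receive the same answer, so an attacker iterating IDs learns nothing about which ones exist. Keep the owner filter inside the model method rather than in each controller action, so a new action cannot forget it.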
Verified by Ghost Labs Security Team
This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.