GuardAPI

Fix BOLA (Broken Object Level Authorization) in Symfony

BOLA (Broken Object Level Authorization) sits at the top of the OWASP API Security Top 10 (API1). In Symfony it occurs when a controller loads an entity from a route parameter and returns or modifies it without verifying that the authenticated user is allowed to access that specific object. Authentication confirms who you are; authorization confirms what you may touch. If your controller treats a valid ID as proof of permission, any authenticated user can walk the ID space and read every other user's records.

The Vulnerable Pattern

use App\Repository\ReportRepository;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\Routing\Attribute\Route;

/**
 * VULNERABLE: Direct access via ID without ownership check.
 */
#[Route('/api/reports/{id}', methods: ['GET'])]
public function show(int $id, ReportRepository $repository): JsonResponse
{
    // Any authenticated user can guess an ID and dump data.
    // Sequential integer IDs make enumeration trivial (1, 2, 3, ...).
    $report = $repository->find($id);
    if (!$report) {
        throw $this->createNotFoundException();
    }
    // The only check performed is "does the row exist"; nothing ties it to the caller.
    return $this->json($report);
}

The Secure Implementation

The fix moves the authorization decision out of the controller and into Symfony's Security Voter system. With the #[IsGranted] attribute and a 'subject', the request flows like this: the entity value resolver (Doctrine's EntityValueResolver in Symfony 6.2+, formerly the SensioFrameworkExtraBundle ParamConverter) loads the Report whose id matches {id} and injects it as the $report argument; #[IsGranted] then hands that object to the voters, and the ReportVoter compares the entity's owner against the user held in the security token. If they do not match, an AccessDeniedException (403 Forbidden) is thrown before the controller body executes, so the record is never serialized. Two details matter in practice. First, a voter must also implement supports() so that it only weighs in on Report attributes; supports() is abstract on Symfony's Voter base class, so the method below is not a complete voter on its own. Second, returning 404 for unknown IDs and 403 for existing-but-foreign IDs lets an attacker confirm which IDs exist; if that matters for your data, pass statusCode: 404 to #[IsGranted] (Symfony 6.2+) so both cases look identical. Also prefer comparing user identifiers over object identity (===): the token's user may be a different PHP object from the one Doctrine attached to the report, and a strict identity check would then deny the real owner.

use App\Entity\Report;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\Routing\Attribute\Route;
use Symfony\Component\Security\Http\Attribute\IsGranted;

/**
 * SECURE: Use a Symfony Voter plus the entity value resolver.
 */
#[Route('/api/reports/{id}', methods: ['GET'])]
#[IsGranted('VIEW', subject: 'report')]
public function show(Report $report): JsonResponse
{
    // The resolver loaded $report from {id}; the Voter decided ownership
    // before this line runs, so only the owner ever reaches it.
    return $this->json($report);
}

// src/Security/Voter/ReportVoter.php
// Shown here: only the decision method. A working voter also needs supports()
// (abstract on Symfony\Component\Security\Core\Authorization\Voter\Voter).
protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token): bool
{
    $user = $token->getUser();
    if (!$user instanceof UserInterface || !$subject instanceof Report) {
        return false;
    }

    return match ($attribute) {
        'VIEW', 'EDIT' => $subject->getOwner() === $user,
        default => false,
    };
}
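As an added example (not the page's or GuardAPI's own code), here is the complete voter the secure controller above relies on, together with a PHPUnit test that exercises it with an owner and a second user. It keeps the page's 'VIEW' and 'EDIT' attribute strings so the existing #[IsGranted('VIEW', subject: 'report')] keeps working. Assumptions not given on the page: the App\ namespace layout, that Report::getOwner() returns a ?UserInterface, and that Report::setOwner() exists. Two files are shown in one listing.

```php
<?php
// Added example, not the page's own code. Two files in one listing.
// Assumes App\Entity\Report::getOwner(): ?UserInterface and Report::setOwner()
// (both assumptions; the page does not show the entity).

// ---- src/Security/Voter/ReportVoter.php ----
namespace App\Security\Voter;

use App\Entity\Report;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
use Symfony\Component\Security\Core\User\UserInterface;

final class ReportVoter extends Voter
{
    // Same attribute strings the page's #[IsGranted('VIEW', subject: 'report')] uses.
    public const VIEW = 'VIEW';
    public const EDIT = 'EDIT';

    // supports() scopes this voter to Report objects and these two attributes;
    // for anything else the base class abstains. It is abstract on Voter, so
    // a voter without it cannot even be instantiated.
    protected function supports(string $attribute, mixed $subject): bool
    {
        return \in_array($attribute, [self::VIEW, self::EDIT], true)
            && $subject instanceof Report;
    }

    protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token): bool
    {
        $user = $token->getUser();
        if (!$user instanceof UserInterface) {
            return false; // anonymous or malformed token: deny, never throw
        }

        /** @var Report $subject */
        $owner = $subject->getOwner();
        if (null === $owner) {
            return false; // orphaned record: deny by default
        }

        // Compare stable identifiers, not object identity. The token's user can be
        // a different PHP object from the one Doctrine attached to the report
        // (e.g. after a user-provider refresh); === would then deny the real owner.
        $isOwner = $owner->getUserIdentifier() === $user->getUserIdentifier();

        return match ($attribute) {
            self::VIEW, self::EDIT => $isOwner,
            default => false,
        };
    }
}

// ---- tests/Security/Voter/ReportVoterTest.php ----
namespace App\Tests\Security\Voter;

use App\Entity\Report;
use App\Security\Voter\ReportVoter;
use PHPUnit\Framework\TestCase;
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
use Symfony\Component\Security\Core\User\InMemoryUser;

final class ReportVoterTest extends TestCase
{
    public function testOnlyTheOwnerMayViewOrEdit(): void
    {
        // Constructed fixtures: two distinct users and one report owned by alice.
        $alice   = new InMemoryUser('alice', null, ['ROLE_USER']);
        $mallory = new InMemoryUser('mallory', null, ['ROLE_USER']);
        $report  = (new Report())->setOwner($alice);
        $voter   = new ReportVoter();

        $asAlice   = new UsernamePasswordToken($alice, 'main', $alice->getRoles());
        $asMallory = new UsernamePasswordToken($mallory, 'main', $mallory->getRoles());

        // Owner is granted, any other authenticated user is denied.
        self::assertSame(VoterInterface::ACCESS_GRANTED, $voter->vote($asAlice, $report, [ReportVoter::VIEW]));
        self::assertSame(VoterInterface::ACCESS_GRANTED, $voter->vote($asAlice, $report, [ReportVoter::EDIT]));
        self::assertSame(VoterInterface::ACCESS_DENIED, $voter->vote($asMallory, $report, [ReportVoter::VIEW]));
        self::assertSame(VoterInterface::ACCESS_DENIED, $voter->vote($asMallory, $report, [ReportVoter::EDIT]));

        // Unrelated attributes are none of this voter's business: it abstains.
        self::assertSame(VoterInterface::ACCESS_ABSTAIN, $voter->vote($asAlice, $report, ['ROLE_ADMIN']));
    }
}
```

Where the entity is not loaded by the value resolver (for example a lookup by slug or a POST body), the same voter is invoked from inside the controller with $this->denyAccessUnlessGranted(ReportVoter::VIEW, $report); the decision logic stays in one place either way. The ACCESS_ABSTAIN assertion is worth keeping: a voter that denies instead of abstaining on unrelated attributes will break other checks under the unanimous access-decision strategy.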


Verified by Ghost Labs Security Team
