Fix BOLA (Broken Object Level Authorization) in Yii
BOLA (IDOR) is the most prevalent vulnerability in modern APIs, and Yii's ActiveRecord pattern makes it deceptively easy to introduce. It occurs when an application provides direct access to objects based on user-supplied input without verifying if the requesting user has the authority to access that specific resource. In Yii, simply calling findOne($id) on a model is a massive red flag if the model belongs to a specific user.
The Vulnerable Pattern
// Requires: use yii\web\NotFoundHttpException; and use app\models\Invoice; in the controller file
public function actionUpdate($id)
{
    // VULNERABLE: any authenticated user can modify any invoice by changing the ID in the URL/body
    $model = Invoice::findOne($id);
    if ($model === null) {
        throw new NotFoundHttpException();
    }
    if ($model->load(Yii::$app->request->post()) && $model->save()) {
        return $this->asJson(['status' => 'success']);
    }
}
The Secure Implementation
The fix moves authorization from the application logic down to the database query itself. By appending 'user_id' => Yii::$app->user->id to the WHERE clause, we ensure the database only returns the record if it actually belongs to the requester. For complex scenarios, you should implement Yii's AccessControl with a custom Rule class that checks object ownership, or use a findModel() helper method that enforces these constraints globally, so the ownership check is written once instead of being repeated (and eventually forgotten) across controllers.
// Requires: use yii\web\ForbiddenHttpException; and use app\models\Invoice; in the controller file
public function actionUpdate($id)
{
    // SECURE: the query is scoped to the current user's ID, so a foreign ID simply returns null
    $model = Invoice::find()
        ->where(['id' => $id, 'user_id' => Yii::$app->user->id])
        ->one();
    if ($model === null) {
        // Throw 403 or 404 for both "missing" and "not yours" to prevent ID enumeration
        throw new ForbiddenHttpException('You are not allowed to access this resource.');
    }
    if ($model->load(Yii::$app->request->post()) && $model->save()) {
        return $this->asJson(['status' => 'success']);
    }
}
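The two approaches mentioned above, a shared findModel() helper and an RBAC ownership Rule, as one added example. This is not code from the original page; it assumes a Yii 2 application with an app\models\Invoice ActiveRecord that has a user_id column, an authManager configured in the application config, and a permission named deleteInvoice whose rule is the OwnerRule class below. The class and permission names are illustrative.

```php
<?php
// Added example, not from the original page. Assumes: Yii 2, app\models\Invoice with a
// user_id column, an authManager component, and a 'deleteInvoice' permission bound to OwnerRule.

// ---- file: rbac/OwnerRule.php (assumed path) ----
namespace app\rbac;

use yii\rbac\Rule;

class OwnerRule extends Rule
{
    public $name = 'isOwner';

    /**
     * Called by Yii::$app->user->can('deleteInvoice', ['invoice' => $model]).
     * @param int|string    $user   ID of the user being checked
     * @param \yii\rbac\Item $item  the permission or role carrying this rule
     * @param array          $params parameters passed to can()
     */
    public function execute($user, $item, $params)
    {
        // Deny unless the object was supplied and its owner is the current user
        return isset($params['invoice'])
            && (int) $params['invoice']->user_id === (int) $user;
    }
}

// ---- file: controllers/InvoiceController.php (assumed path) ----
namespace app\controllers;

use Yii;
use yii\filters\AccessControl;
use yii\web\Controller;
use yii\web\ForbiddenHttpException;
use yii\web\NotFoundHttpException;
use app\models\Invoice;

class InvoiceController extends Controller
{
    public function behaviors()
    {
        return [
            'access' => [
                'class' => AccessControl::class,
                // Authentication only: '@' means any logged-in user. Per-object
                // ownership is enforced in findModel() and by the RBAC rule below.
                'rules' => [['allow' => true, 'roles' => ['@']]],
            ],
        ];
    }

    // Common case: every action goes through the same scoped lookup
    public function actionUpdate($id)
    {
        $model = $this->findModel($id);
        if ($model->load(Yii::$app->request->post()) && $model->save()) {
            return $this->asJson(['status' => 'success']);
        }
        return $this->asJson(['status' => 'error', 'errors' => $model->getErrors()]);
    }

    // RBAC case: the row is loaded unscoped (e.g. admins may also delete), and
    // the permission check with OwnerRule decides whether this user may act on it
    public function actionDelete($id)
    {
        $model = Invoice::findOne((int) $id);
        if ($model === null) {
            throw new NotFoundHttpException('Invoice not found.');
        }
        if (!Yii::$app->user->can('deleteInvoice', ['invoice' => $model])) {
            throw new ForbiddenHttpException('You are not allowed to access this resource.');
        }
        $model->delete();
        return $this->asJson(['status' => 'deleted']);
    }

    /**
     * Single lookup path shared by all owner-only actions. The owner check is
     * part of the WHERE clause, so a guessed ID that belongs to someone else
     * returns null. Using 404 for both "missing" and "not yours" avoids
     * confirming to the caller that the ID exists.
     */
    protected function findModel($id)
    {
        $model = Invoice::find()
            ->where(['id' => (int) $id, 'user_id' => Yii::$app->user->id])
            ->one();
        if ($model === null) {
            throw new NotFoundHttpException('Invoice not found.');
        }
        return $model;
    }
}
```

The findModel() path is the one to reach for by default: because ownership lives in the query, a forgotten check in a new action still cannot return another user's row. The RBAC path is for cases where more than the owner may legitimately act on the object (for example an admin role that also holds deleteInvoice without the rule), at the cost of having to remember the can() call in every such action.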
Verified by Ghost Labs Security Team
This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500 vulnerability patterns across more than 40 frameworks to provide up-to-date remediation strategies.