
#0101

Order Ownership Check

Difficulty: Easy | +50 XP | OWASP A01:2021 Broken Access Control | CWE-639
Tags: BOLA, IDOR, Authorization, API

Scenario

An e-commerce API exposes a GET /orders/:id endpoint. Authenticated users supply their user ID and the order ID they want to retrieve.

The handler fetches the order by ID and returns it — but never checks whether the requesting user actually owns that order.

Any authenticated user can enumerate order IDs and read every other customer's purchase history, shipping address, and payment details. This is Broken Object Level Authorization — the #1 API vulnerability in the OWASP API Security Top 10.

BOLA is the most widespread API vulnerability class. Because IDs are often sequential integers, a single missing ownership check exposes every record in the table to any authenticated user.

Your Tasks

  1. Fix getOrder so it rejects requests where the order's owner does not match the requesting user.
  2. Throw an error with the message 'Forbidden' for unauthorized access attempts.
  3. Legitimate owners must still be able to retrieve their own orders normally.

Examples

Example 1: Blocked — wrong owner

getOrder('alice', 'order-bob-1', db)
// order-bob-1 belongs to bob
// → throws Error('Forbidden')

Example 2: Allowed — correct owner

getOrder('bob', 'order-bob-1', db)
// → returns { id: 'order-bob-1', ownerId: 'bob', ... }

Constraints

  • Only edit the function body — do not change the function signature.
  • Throw exactly 'Forbidden' (not 'Unauthorized' or similar).
  • No external packages — the db parameter is a plain in-memory collection.
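
The vulnerable handler from the scenario next to a fixed version that satisfies the tasks above, as an added example rather than the challenge's own solution file. The Map-based `db` and its two order records are constructed sample data; the page only says the collection is in-memory.

```javascript
// Constructed sample store: a plain Map keyed by order ID plays the role of
// the challenge's in-memory "db" parameter (the exact shape is an assumption).
const db = new Map([
  ['order-bob-1',   { id: 'order-bob-1',   ownerId: 'bob',   total: 42.5 }],
  ['order-alice-1', { id: 'order-alice-1', ownerId: 'alice', total: 9.99 }],
]);

// Vulnerable form, as the scenario describes it: the order is fetched by ID
// and returned to whoever asked. The caller's identity is never consulted,
// so any authenticated user can read every other customer's order.
function getOrderVulnerable(userId, orderId, db) {
  const order = db.get(orderId);
  if (!order) throw new Error('Not Found');
  return order;
}

// Fixed form: same lookup, but the record is only released when its ownerId
// matches the requesting user. A missing order is reported with the same
// 'Forbidden' message (an added hardening choice, not required by the task):
// a distinct 'Not Found' would tell a caller which IDs exist.
function getOrder(userId, orderId, db) {
  const order = db.get(orderId);
  if (!order || order.ownerId !== userId) {
    throw new Error('Forbidden');
  }
  return order;
}

// Helper that runs a handler and reports the outcome instead of throwing,
// so the two behaviours can be compared side by side.
function attempt(handler, userId, orderId) {
  try {
    return { ok: true, order: handler(userId, orderId, db) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Alice asking for Bob's order: the vulnerable handler leaks it, the fixed
// handler refuses; Bob asking for his own order still succeeds.
console.log(attempt(getOrderVulnerable, 'alice', 'order-bob-1'));
console.log(attempt(getOrder, 'alice', 'order-bob-1'));
console.log(attempt(getOrder, 'bob', 'order-bob-1'));
```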
