
#0102

Profile Update Authorization

Easy · +50 XP · A01:2021 Broken Access Control · CWE-639
BOLA · IDOR · Authorization · Profile

Scenario

A social platform exposes a PATCH /users/:id endpoint. Authenticated users submit their own user ID and a target user ID (the :id in the path) alongside the fields they want to update.

The handler finds the target user by ID and applies the update — but never verifies that the requesting user is actually the account owner.

Any authenticated user can overwrite another user's name, email, or bio by simply supplying someone else's ID as the target.

Profile endpoints that accept an explicit target ID are a frequent source of IDOR. Trusting that users will only supply their own ID is never enough: the ownership check must be enforced server-side, against the identity established by the session, before any lookup or write happens.

Your Tasks

  1. Fix updateProfile so it rejects requests where requestingUserId !== targetUserId.
  2. Throw 'Forbidden' when the requester tries to edit another user's profile.
  3. Throw 'Not found' when the target user does not exist.
  4. Return the updated user object on success.

Examples

Example 1: Blocked — editing another user

updateProfile('alice', 'bob', { bio: 'hacked' }, db)
// alice cannot edit bob's profile
// → throws Error('Forbidden')

Example 2: Allowed — editing own profile

updateProfile('alice', 'alice', { bio: 'new bio' }, db)
// → returns updated user object

Constraints

  • Only edit the function body — do not change the function signature.
  • Throw exactly 'Forbidden' and 'Not found'.
  • The db parameter is a plain in-memory array — no external packages needed.
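The following is an added example, not the challenge's reference solution. It shows the vulnerable handler described in the scenario next to a version that satisfies the four tasks above, and it goes one step further than the tasks by whitelisting the fields a user may change so that a body like { id: 'root' } cannot rewrite the record's key. The record shape { id, name, email, bio }, the helper names and the sample data are all assumptions made for this example.

```javascript
// Added example (not the page's own code). Assumes each db record looks like
// { id, name, email, bio }; that shape and the helper names are assumptions.

// Vulnerable version: trusts the caller-supplied target ID and never compares
// it with the authenticated requester, so any user can edit any profile.
function updateProfileVulnerable(requestingUserId, targetUserId, fields, db) {
  const user = db.find((u) => u.id === targetUserId);
  if (!user) throw new Error('Not found');
  Object.assign(user, fields);
  return user;
}

// Fields a user may change on their own record. Whitelisting is an added
// hardening step beyond the task list: it stops the same request body from
// overwriting `id` or any privileged column that is added later.
const EDITABLE_FIELDS = ['name', 'email', 'bio'];

function updateProfile(requestingUserId, targetUserId, fields, db) {
  // Ownership check first, using the identity from the session rather than
  // anything in the body or URL. Doing it before the lookup also avoids
  // revealing whether another user's ID exists.
  if (requestingUserId !== targetUserId) {
    throw new Error('Forbidden');
  }
  const user = db.find((u) => u.id === targetUserId);
  if (!user) {
    throw new Error('Not found');
  }
  for (const key of Object.keys(fields)) {
    if (EDITABLE_FIELDS.includes(key)) user[key] = fields[key];
  }
  return user;
}

// Constructed sample data for the demo; not real accounts.
function makeDb() {
  return [
    { id: 'alice', name: 'Alice', email: 'alice@example.com', bio: 'hi' },
    { id: 'bob', name: 'Bob', email: 'bob@example.com', bio: 'hello' },
  ];
}

// Runs the same attack against both versions and reports what happened.
function demo() {
  const vuln = makeDb();
  const bobAfterAttack = updateProfileVulnerable('alice', 'bob', { bio: 'hacked' }, vuln).bio;

  const fixed = makeDb();
  let blocked = null;
  try {
    updateProfile('alice', 'bob', { bio: 'hacked' }, fixed);
  } catch (e) {
    blocked = e.message;
  }
  // Own profile: bio is applied, the stray `id` field is ignored.
  const own = updateProfile('alice', 'alice', { bio: 'new bio', id: 'root' }, fixed);
  return {
    bobAfterAttack,            // 'hacked' in the vulnerable version
    blocked,                   // 'Forbidden' in the fixed version
    ownBio: own.bio,           // 'new bio'
    ownId: own.id,             // still 'alice'
    bobUntouched: fixed[1].bio // still 'hello'
  };
}

console.log(demo());
```

The order of the two checks matters: testing ownership before looking up the target means a request for someone else's ID gets the same 'Forbidden' whether or not that ID exists, so the endpoint cannot be used to enumerate valid user IDs.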
