#0105

Nested Resource Access

Medium · +100 XP · A01:2021 Broken Access Control · CWE-639
BOLA · IDOR · Authorization · Nested Resources

Scenario

A blogging platform stores posts and the comments attached to them. Access to comments is supposed to be restricted to the owner of the parent post.

The getComment function fetches a comment by ID and returns it — but never checks whether the requesting user owns the parent post.

Any authenticated user can read the comments on any post by guessing comment IDs, bypassing the post's visibility settings.

Nested resource endpoints (e.g. /posts/:postId/comments/:commentId) must enforce ownership at every level. Checking only the leaf resource misses the hierarchy of access controls.

Your Tasks

  1. Fix getComment so it verifies the requesting user owns the parent post before returning the comment.
  2. Throw 'Forbidden' when the requester does not own the parent post.
  3. Throw 'Not found' when the comment or its parent post does not exist.
  4. Return the comment object for the post owner.

Examples

Example 1: Blocked — user doesn't own the post

getComment('alice', 'cmt-1', comments, posts)
// cmt-1 is on post-bob-1 which belongs to bob
// → throws Error('Forbidden')

Example 2: Allowed — post owner

getComment('bob', 'cmt-1', comments, posts)
// bob owns the parent post
// → returns { id: 'cmt-1', postId: 'post-bob-1', ... }

Constraints

  • Only edit the function body — do not change the function signature.
  • Throw exactly 'Forbidden' and 'Not found'.
  • Access is controlled by post ownership — not comment authorship.
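One way to approach the fix, shown as an added example rather than the challenge's own solution file: the leaf-only lookup that the scenario describes is kept beside a version that resolves the parent post and checks ownership there. The data shape (arrays of objects with `id`, `postId`, `authorId` for comments and `id`, `ownerId` for posts) and the sample records are constructed for this example and are an assumption about the challenge's fixtures.

```javascript
// Constructed sample data (assumed shape, not the challenge's fixtures).
const posts = [
  { id: 'post-bob-1', ownerId: 'bob', title: 'Private draft', visibility: 'private' },
  { id: 'post-alice-1', ownerId: 'alice', title: 'Public post', visibility: 'public' },
];

const comments = [
  { id: 'cmt-1', postId: 'post-bob-1', authorId: 'carol', body: 'nice draft' },
  // bob wrote this comment, but alice owns the post it belongs to
  { id: 'cmt-2', postId: 'post-alice-1', authorId: 'bob', body: 'thanks' },
  // orphaned comment: its parent post does not exist
  { id: 'cmt-3', postId: 'post-missing', authorId: 'dave', body: 'stale' },
];

// Leaf-only lookup: the defect described in the scenario. Any authenticated
// caller who can name a comment ID gets the comment back.
function getCommentVulnerable(userId, commentId, comments, posts) {
  const comment = comments.find((c) => c.id === commentId);
  if (!comment) throw new Error('Not found');
  return comment;
}

// Fixed lookup: walk up to the parent post and enforce ownership at that
// level. Comment authorship plays no part in the decision.
function getComment(userId, commentId, comments, posts) {
  const comment = comments.find((c) => c.id === commentId);
  if (!comment) throw new Error('Not found');

  const post = posts.find((p) => p.id === comment.postId);
  // A comment whose parent is gone is reported as missing, not returned.
  if (!post) throw new Error('Not found');

  if (post.ownerId !== userId) throw new Error('Forbidden');
  return comment;
}

// Records the result of a call as a string so both versions can be compared
// side by side without try/catch at every call site.
function outcome(fn, userId, commentId) {
  try {
    const c = fn(userId, commentId, comments, posts);
    return `ok:${c.id}`;
  } catch (e) {
    return `error:${e.message}`;
  }
}

console.log(outcome(getCommentVulnerable, 'alice', 'cmt-1')); // ok:cmt-1 (the leak)
console.log(outcome(getComment, 'alice', 'cmt-1'));           // error:Forbidden
console.log(outcome(getComment, 'bob', 'cmt-1'));             // ok:cmt-1
console.log(outcome(getComment, 'bob', 'cmt-2'));             // error:Forbidden (author, not owner)
console.log(outcome(getComment, 'dave', 'cmt-3'));            // error:Not found (orphaned)
```

The order of the checks matters for the required error strings: existence of the comment and of its parent post is settled first, so a missing record is never reported as `Forbidden`, and ownership is decided on `post.ownerId` alone, never on `comment.authorId`.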
