Skip to main content
rulesSource-backedReview first Safety Privacy

AI-Generated IDOR (Broken Object-Level Authorization) Review Rules

Source-backed rules for reviewing AI-generated endpoints and data-access code before merge for insecure direct object reference risk, covering per-request object-level authorization checks, scoped database lookups, identifier exposure, and consistent enforcement across read, write, and admin operations.

by lourincedaging0-commits·added 2026-07-15·
HarnessClaude Code
Review first review before installing

Open the source and read safety notes before installing.

Citation facts

Source-backed facts for citing this resource, derived directly from the registry — also available as plain text for AI assistants.

Source URLs
https://cheatsheetseries.owasp.org/cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.html, https://github.com/JSONbored/awesome-claude/blob/main/content/rules/ai-generated-idor-review-rules.mdx
Safety notes
A missing object-level authorization check lets any authenticated (or sometimes unauthenticated) user read, modify, or delete another user's data by changing an identifier in the request — accounts, documents, orders, invoices, and support tickets are common targets., AI assistants often generate a correct-looking handler for the current user's own data and skip the cross-user check entirely, because the happy-path test only ever exercises the requester's own objects., Switching to random/UUID identifiers reduces guessability but is not an authorization control; do not accept it as a substitute for a server-side ownership or permission check.
Privacy notes
IDOR proof-of-concept testing can expose another account's real data; use synthetic test accounts and synthetic objects rather than real user records when demonstrating the issue., Do not paste real user identifiers, documents, or other objects retrieved during testing into a public PR or issue; redact or replace them with placeholders., Server-side logs and error messages for a denied access attempt should avoid echoing back the unauthorized object's contents, only that access was denied.
Author
lourincedaging0-commits
Submitted by
lourincedaging0-commits
Claim status
unclaimed
Last verified
2026-07-15

Decision playbook

Review trust signals before you adopt

Signals are present but mixed. Use the checklist below to confirm the source and operational safety for your environment.

Compare context
Selected

0

Current score

78

Baseline

Delta

No baseline selected

No major trust-signal divergence detected in the current selection.

Source and provenance checks

Complete

Confirm ownership and provenance before trusting install instructions.

  • Source link availableRequired

    Open the canonical repository and verify ownership.

    Done
  • Source provenance statusRequired

    Marked as source-backed.

    Done
  • Metadata reviewed

    Registry metadata indicates a reviewed listing.

    Done

Safety and privacy checks

Complete

Validate risk disclosures before installation or API wiring.

  • Safety notes presentRequired

    Review the listed safety guidance before running commands.

    Done
  • Privacy notes presentRequired

    Review data handling notes before connecting accounts or secrets.

    Done
  • Trust level risk gateRequired

    Trust level does not block evaluation.

    Done

Package and install checks

Needs review

Check package metadata and artifact integrity signals.

  • Install payload available

    Install or copy payload is available for review.

    Done
  • Package verification flag

    No package verification flag provided.

    Pending
  • Checksum metadata

    No checksum provided for downloaded artifact.

    Pending

Compare-driven decision checks

Needs review

Use compare context to validate trade-offs before adoption.

  • Compare tray has multiple entries

    Add at least one more entry to compare trust differences.

    Pending
  • Baseline comparison available

    No baseline peer selected yet.

    Pending
  • Diverging trust signals identified

    No major trust-signal divergence found.

    Pending

Setup at a glance

Copy & paste

Copy-ready — paste the snippet to get started.

15 minutes

Install command

Not provided

Config snippet

Not provided

Copy snippet

Provided

Prerequisites

4 to clear

Platforms

1 listed

Install type

Copy & paste

Adoption plan

Balanced adoption plan

Current risk score 16/100. Use staged verification before broader rollout.

Risk 16

Pre-adoption checks

Validate source and review signals before any execution.

  • Confirm source provenanceRequired

    Source URL/provenance metadata is present.

    Done
  • Confirm metadata review state

    Listing has review metadata.

    Done
  • Verify install payload

    Install/config payload exists and can be inspected.

    Done

Security checks

Confirm safety, privacy, and package integrity signals.

  • Review safety notesRequired

    Safety notes are present.

    Done
  • Review privacy notesRequired

    Privacy notes are present.

    Done
  • Verify package integrity metadata

    No package verification/checksum metadata.

    Pending

Rollout

Adopt in controlled steps based on the selected plan.

  • Run in isolated sandbox firstRequired

    Use a constrained sandbox and observe behavior across multiple tasks.

    Pending
  • Roll out graduallyRequired

    Roll out to a small cohort before wider usage.

    Pending
  • Set monitoring and fallback

    Define rollback path and monitor errors after adoption.

    Pending

Evidence readiness

Evidence readiness matrix · balanced

Required evidence gates are covered (5/6 signals complete).

Risk 15

Source provenance

Present

Source repository/provenance is listed.

Required in this preset

Metadata review

Present

Review metadata is present.

Required in this preset

Safety notes

Present

Safety notes are present.

Required in this preset

Privacy notes

Present

Privacy notes are present.

Optional in this preset

Package integrity

Missing

Package integrity metadata is missing.

Optional in this preset

Install payload

Present

Install payload is available.

Required in this preset

Required evidence gates are covered for this preset.

Decision timeline

Decision timeline · balanced

5/6 steps complete with no blocking gaps for this preset.

Risk 14

triage

Confirm source provenanceRequired

Source/provenance metadata is available.

Done

triage

Check metadata review statusRequired

Review metadata is available.

Done

verify

Review safety notesRequired

Safety notes are available.

Done

verify

Review privacy notes

Privacy notes are available.

Done

verify

Validate package integrity metadata

Package integrity metadata is missing.

Pending

rollout

Verify install payload and commandsRequired

Install payload is available.

Done

No required blockers for this timeline preset.

Prerequisite readiness

Prerequisite readiness

4 prerequisites to line up before setup. Have accounts and credentials ready first.

0/4 ready
Account & credentials1Configuration1Permissions & scopes215 minutes

Safety & privacy surface

Safety & privacy surface

3 safety and 3 privacy notes across 3 risk areas. Review closely: permissions & scopes, network access.

3 areas
  • SafetyPermissions & scopesA missing object-level authorization check lets any authenticated (or sometimes unauthenticated) user read, modify, or delete another user's data by changing an identifier in the request — accounts, documents, orders, invoices, and support tickets are common targets.
  • SafetyNetwork accessAI assistants often generate a correct-looking handler for the current user's own data and skip the cross-user check entirely, because the happy-path test only ever exercises the requester's own objects.
  • SafetyPermissions & scopesSwitching to random/UUID identifiers reduces guessability but is not an authorization control; do not accept it as a substitute for a server-side ownership or permission check.
  • PrivacyGeneralIDOR proof-of-concept testing can expose another account's real data; use synthetic test accounts and synthetic objects rather than real user records when demonstrating the issue.
  • PrivacyGeneralDo not paste real user identifiers, documents, or other objects retrieved during testing into a public PR or issue; redact or replace them with placeholders.
  • PrivacyPermissions & scopesServer-side logs and error messages for a denied access attempt should avoid echoing back the unauthorized object's contents, only that access was denied.

Safety notes

  • A missing object-level authorization check lets any authenticated (or sometimes unauthenticated) user read, modify, or delete another user's data by changing an identifier in the request — accounts, documents, orders, invoices, and support tickets are common targets.
  • AI assistants often generate a correct-looking handler for the current user's own data and skip the cross-user check entirely, because the happy-path test only ever exercises the requester's own objects.
  • Switching to random/UUID identifiers reduces guessability but is not an authorization control; do not accept it as a substitute for a server-side ownership or permission check.

Privacy notes

  • IDOR proof-of-concept testing can expose another account's real data; use synthetic test accounts and synthetic objects rather than real user records when demonstrating the issue.
  • Do not paste real user identifiers, documents, or other objects retrieved during testing into a public PR or issue; redact or replace them with placeholders.
  • Server-side logs and error messages for a denied access attempt should avoid echoing back the unauthorized object's contents, only that access was denied.

Prerequisites

  • A pull request, diff, or snippet containing an AI-generated or AI-edited endpoint, resolver, or data-access function that accepts an object identifier from the request.
  • Knowledge of the application's ownership/permission model, since what counts as "authorized" differs between single-owner resources, shared resources, and admin-only resources.
  • Access to at least two distinct user accounts (or awareness of how to create them) to verify cross-account access is actually denied, not just assumed.
  • Permission to block merge when an object-level authorization check is missing, inconsistent, or client-trusted.

Schema details

Install type
copy
Troubleshooting
Yes
Collection metadata
Estimated setup
15 minutes
Difficulty
intermediate
Full copyable content
You are reviewing AI-generated code for insecure direct object reference
(IDOR) / broken object-level authorization risk.

Rules:
1. For every operation that looks up an object by an identifier from the
   request (URL path, query string, or body), confirm there is a
   server-side check that the current user is actually allowed to access
   that specific object — not just that they are authenticated.
2. Prefer scoped lookups over raw lookups: fetch through the current user's
   own relation (`current_user.projects.find(id)`) instead of a global
   lookup by primary key (`Project.find(id)`) followed by an afterthought
   permission check.
3. Apply the same authorization check to every operation on the object,
   not just the one the happy path exercises — read, update, delete,
   export, and any admin or bulk variant of the endpoint.
4. Do not trust a hidden form field, a client-supplied `user_id`/`ownerId`,
   or any other identifier the client can edit as the source of truth for
   whose data is being accessed; derive the acting user from server-side
   session/auth state.
5. Do not treat an unguessable identifier (UUID, random token) as a
   substitute for an authorization check — it raises the bar for guessing
   but does not stop an attacker who already has or leaks a valid ID.
6. When a new route, resolver, or RPC method is added, confirm it goes
   through the same authorization layer as sibling routes rather than
   re-implementing an ad hoc check, and flag it if it skips a shared
   authorization middleware/guard that similar existing routes use.

About this resource

Purpose

Use these rules when an AI coding assistant writes or edits code that looks up, updates, deletes, or exports an object using an identifier supplied by the request. The goal is to stop a generated endpoint from shipping with a working happy path for the requester's own data while quietly allowing access to anyone else's data by changing an ID.

This is a review policy, not an IDOR tutorial. It tells reviewers what must be true about a generated change's authorization checks and lookup pattern before the change is safe to merge.

Review Inputs

Collect enough context to know what object is being accessed and who should be allowed to access it.

  • Every route, resolver, or RPC method the change adds or edits that accepts an object identifier from a URL path, query string, request body, or header.
  • What kind of object each identifier refers to (single-owner, shared among a team, or globally readable) and who is allowed to read, write, or delete it.
  • How the handler currently looks the object up: a scoped query tied to the current user, or a global lookup by primary key/slug.
  • Whether sibling routes in the same area already enforce authorization through a shared middleware, guard, or policy object.

Object-Level Authorization Rules

  • Every operation that resolves an object from a request-supplied identifier must verify, server-side, that the current user is allowed to access that specific object — authentication alone (proving who the user is) is not authorization (proving what they may access).
  • Prefer scoped lookups that can only ever return objects the current user owns or has been granted access to, over a global lookup followed by a separate permission check that is easy to omit or get out of sync.
  • Derive the acting user from server-side session or token state, never from a client-supplied field such as a hidden user_id, an ownerId in the request body, or a bearer claim the client can influence.
  • Apply the same check to every verb and variant on the object: read, update, delete, export/download, bulk operations, and admin-only variants each need their own enforcement, not just the primary read path.
  • For nested or related objects (a comment on someone else's document, a line item on someone else's order), verify authorization on the parent object as well as the child, not just the child's own ID.

Identifier And Lookup Rules

  • Treat any identifier accepted from the client (URL, query, body, or header) as untrusted input to a lookup, not as proof of entitlement.
  • Where practical, avoid exposing sequential or otherwise guessable identifiers in URLs and forms; prefer non-enumerable identifiers (UUIDs, random tokens) as a defense-in-depth measure.
  • Do not rely on identifier complexity alone: an attacker who obtains or is given a valid but unauthorized ID (via a shared link, referrer leak, or another vulnerability) must still be denied by the authorization check.
  • For multi-step flows, keep the object reference in server-side session state rather than round-tripping it through client-editable form fields across steps.
  • When adding a new data-access function, check whether an existing scoped query helper for that model already exists before writing a new global lookup.

Merge Blockers

Block merge when any of these is true.

  • An endpoint resolves an object by a request-supplied identifier without a server-side check that the current user may access that specific object.
  • Authorization is enforced on the read path for an object but not on its update, delete, export, or admin variant.
  • The acting user or their permissions are taken from a client-supplied field (hidden form value, request body user_id, editable claim) instead of server-side session/auth state.
  • A new route bypasses a shared authorization middleware/guard/policy that equivalent existing routes use, without a documented reason.
  • Non-guessable identifiers (UUIDs, tokens) are treated as the sole protection for an object, with no actual authorization check behind them.

Review Checklist

  • {"task": "Object-level check present", "description": "Every request-supplied identifier lookup is followed by a check that the current user may access that specific object"}
  • {"task": "Scoped lookup preferred", "description": "Data access goes through a query scoped to the current user/tenant rather than a global lookup plus an afterthought check"}
  • {"task": "All operations covered", "description": "Read, update, delete, export, and admin/bulk variants all enforce the same authorization, not just the primary read path"}
  • {"task": "Server-side identity", "description": "The acting user is derived from session/auth state, never a client-supplied user/owner field"}
  • {"task": "Nested objects checked", "description": "Authorization is verified on parent objects, not just the child object's own identifier"}
  • {"task": "No false sense of security", "description": "Unguessable identifiers are not treated as a substitute for an actual authorization check"}

AI Review Rules

AI assistants can write and review data-access code, but they should show their evidence.

  • Ask the assistant to list every route or resolver in the change that accepts an object identifier from the request, and how each one is authorized.
  • Require the assistant to state whether each lookup is scoped to the current user or is a global lookup, and if global, where the permission check happens.
  • Have the assistant confirm write, delete, export, and admin variants were checked, not only the read path it may have tested first.
  • Do not let the assistant claim a UUID or random identifier makes the endpoint safe without a server-side authorization check.
  • Re-run review after any change to routing, the permission model, or shared authorization middleware.

Troubleshooting

  • A legitimate cross-team share stops working after adding the check: the object likely needs an explicit shared-access grant (a membership or ACL entry) rather than being reachable by anyone who has the ID; model the sharing relationship instead of loosening the check.
  • The scoped query returns nothing for an object the user should see: confirm the scoping relation actually includes shared/team-owned objects, not only objects the user directly created.
  • Tests pass but only exercise the requester's own data: add a second test account and assert that it is denied access to the first account's objects across read, write, and delete.
  • An admin panel needs to bypass per-user scoping: give it its own explicit admin-authorization check rather than removing scoping from the underlying data-access function that regular routes also call.

Duplicate And History Check

Before adding a new authorization check, confirm the codebase does not already have a shared scoping helper, policy object, or middleware for this model. A generated route that writes its own inline permission check next to an existing shared guard should be treated as suspicious — check whether the existing mechanism was simply not reused before introducing a second, parallel, and possibly inconsistent one.

Reference

Pattern Risk Fix
Model.find(params[:id]) Returns any object regardless of owner current_user.models.find(params[:id])
user_id read from request body Client chooses whose data is affected Derive user from server-side session/auth
Check only on the GET handler Update/delete/export siblings stay unauthorized Enforce the same check on every verb for the object
Sequential numeric ID as the only barrier Trivially enumerable Non-guessable ID plus a real authorization check
Ad hoc inline permission check Diverges from and can miss the shared policy Route through the existing authorization middleware

Sources

  • OWASP Insecure Direct Object Reference Prevention Cheat Sheet
  • OWASP Authorization Cheat Sheet
  • OWASP REST Security Cheat Sheet
  • OWASP API Security Top 10: Broken Object Level Authorization
  • CWE-639: Authorization Bypass Through User-Controlled Key

Source citations

Add this badge to your README

Show that AI-Generated IDOR (Broken Object-Level Authorization) Review Rules is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.

Listed on HeyClaude
[![Listed on HeyClaude](https://heyclau.de/badge/rules/ai-generated-idor-review-rules.svg)](https://heyclau.de/entry/rules/ai-generated-idor-review-rules)

How it compares

AI-Generated IDOR (Broken Object-Level Authorization) Review Rules side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.

1 trust signal differ across this comparison (Submitter).

Field

Source-backed rules for reviewing AI-generated endpoints and data-access code before merge for insecure direct object reference risk, covering per-request object-level authorization checks, scoped database lookups, identifier exposure, and consistent enforcement across read, write, and admin operations.

Open dossier

Source-backed rules for reviewing AI-generated request handlers and forms before merge for cross-site request forgery risk, covering state-changing method discipline, anti-CSRF token correctness, SameSite cookie posture, origin and referer checks, and safe handling of cookie-based sessions.

Open dossier

Source-backed rules for reviewing AI-generated code that deserializes data before merge for insecure deserialization risk, covering native serialization formats (pickle, PyYAML, Java Serializable) that can execute arbitrary code on untrusted input, safe data-interchange alternatives, and class allowlisting/integrity checks when native formats can't be avoided.

Open dossier

Source-backed rules for reviewing AI-generated code that binds request parameters to model/entity objects before merge for mass assignment risk, covering allowlist field binding, DTOs that exclude sensitive fields, and the framework-specific autobinding features that make this easy to introduce by default.

Open dossier
Next steps
Trust
Review statusReviewedMaintainer reviewedReviewedMaintainer reviewedReviewedMaintainer reviewedReviewedMaintainer reviewed
Package trustPackage not verifiedPackage not verifiedPackage not verifiedPackage not verified
Source provenanceSource-backedSource-backedSource-backedSource-backed
SubmitterDifferslourincedaging0-commitsjaso0n0818lourincedaging0-commitslourincedaging0-commits
Install riskReview firstReview firstReview firstReview first
Notes Safety Privacy Safety Privacy Safety Privacy Safety Privacy
Brand
Categoryrulesrulesrulesrules
Sourcesource-backedsource-backedsource-backedsource-backed
Authorlourincedaging0-commitsjaso0n0818lourincedaging0-commitslourincedaging0-commits
Added2026-07-152026-06-222026-07-152026-07-15
Platforms
Claude Code
Claude Code
Claude Code
Claude Code
Source repo
Safety notesA missing object-level authorization check lets any authenticated (or sometimes unauthenticated) user read, modify, or delete another user's data by changing an identifier in the request — accounts, documents, orders, invoices, and support tickets are common targets. AI assistants often generate a correct-looking handler for the current user's own data and skip the cross-user check entirely, because the happy-path test only ever exercises the requester's own objects. Switching to random/UUID identifiers reduces guessability but is not an authorization control; do not accept it as a substitute for a server-side ownership or permission check.A missing CSRF defense lets a malicious page perform state-changing actions as a logged-in user — transferring funds, changing email or password, or deleting data — using the victim's ambient cookies. AI assistants often generate handlers that work in tests yet omit token validation or perform state changes on GET, because the happy path succeeds without any forged cross-site request. Relying on SameSite cookies alone is not sufficient: defaults vary, Lax still allows top-level GET navigations, and some clients or legacy browsers do not enforce it.Deserializing untrusted data with a native format's full-featured API (pickle, unsafe YAML, Java Serializable, PHP unserialize) can cause denial-of-service or remote code execution — the vulnerability triggers during deserializing itself, before any application logic runs on the result. AI assistants often reach for the most convenient deserialization call (pickle for Python object graphs, yaml.load for config-like YAML, ObjectInputStream for Java) without checking whether the input is trusted, since developer-controlled test data works regardless of which API is used. An integrity check (signature/MAC) added after deserialization already ran does not help — the attack happens during deserialization, so the check must gate the deserialization call itself, not just the object it produces.Mass assignment lets an attacker set fields on a model that were never meant to be user-editable — a privilege flag, an ownership reference, a price — simply by adding an extra parameter the client controls to a request that already succeeds for legitimate fields. AI assistants often generate the shortest working binding code (bind the whole request body onto the model, or a framework's default autobinding) because it passes the happy-path test with only the intended fields present, without adding the allowlist/DTO layer that blocks unintended ones. This is not a theoretical risk: a mass assignment vulnerability in GitHub's own public-key update form in 2012 let an attacker add their SSH key to the rails organization and push code, entirely through an unintended request parameter.
Privacy notesIDOR proof-of-concept testing can expose another account's real data; use synthetic test accounts and synthetic objects rather than real user records when demonstrating the issue. Do not paste real user identifiers, documents, or other objects retrieved during testing into a public PR or issue; redact or replace them with placeholders. Server-side logs and error messages for a denied access attempt should avoid echoing back the unauthorized object's contents, only that access was denied.CSRF tokens are security credentials; do not paste real tokens, session cookies, or production request captures into public PR comments or issues. Use synthetic accounts and redacted requests when demonstrating a CSRF proof of concept, and avoid attaching real user identifiers. Be careful that anti-CSRF tokens are not written into URLs, analytics, or logs, where they can leak through referer headers or shared dashboards.Deserialization proof-of-concept payloads (e.g. a crafted pickle or Java serialized stream) can trigger real code execution in a test environment; run them only in an isolated, disposable sandbox, never against a shared or production system. Do not commit real crafted exploit payloads, credentials, or internal class/package names discovered while testing into a public PR or issue; describe the vulnerable pattern instead of attaching a working exploit.Mass assignment proof-of-concept testing (setting an unintended field like an admin flag) can grant real elevated access in a shared test environment; use an isolated account and environment, never a shared staging or production system. Do not commit a working exploit request (the exact extra parameter and target field) targeting a real internal endpoint into a public PR or issue; describe the vulnerable binding pattern and the class of field involved instead.
Prerequisites
  • A pull request, diff, or snippet containing an AI-generated or AI-edited endpoint, resolver, or data-access function that accepts an object identifier from the request.
  • Knowledge of the application's ownership/permission model, since what counts as "authorized" differs between single-owner resources, shared resources, and admin-only resources.
  • Access to at least two distinct user accounts (or awareness of how to create them) to verify cross-account access is actually denied, not just assumed.
  • Permission to block merge when an object-level authorization check is missing, inconsistent, or client-trusted.
  • A pull request, diff, or snippet containing an AI-generated or AI-edited request handler, form, or fetch call with enough context to know how the user is authenticated.
  • Knowledge of how the framework manages sessions and CSRF tokens, since built-in protection, cookie defaults, and token helpers differ between frameworks.
  • Awareness of which routes change state and which are read-only, so the review can focus on unsafe methods.
  • Permission to block merge when a cookie-authenticated state change ships without a CSRF defense.
  • A pull request, diff, or snippet containing AI-generated or AI-edited code that deserializes, unpickles, unmarshals, or loads structured data from an external source.
  • Knowledge of which deserialization APIs the language/framework in use considers "safe" versus "native/unsafe" (this differs significantly between Python, Java, PHP, Ruby, and JS/Node).
  • Awareness of which data sources in the application are genuinely untrusted (client-supplied, cross-service, or user-uploaded) versus fully internal and controlled.
  • Permission to block merge when untrusted data reaches a native deserialization API without an allowlist or integrity check.
  • A pull request, diff, or snippet containing AI-generated or AI-edited code that binds request data to a model, entity, or ORM object.
  • Knowledge of which fields on the affected model/entity are sensitive (admin/role flags, ownership references, financial fields, verification/status flags).
  • Familiarity with the specific framework's autobinding and allowlist/block-list mechanism in use, since the safe pattern differs meaningfully between Spring MVC, Rails, Mongoose/Node, Django, and hand-rolled binding code.
  • Permission to block merge when a request-to-model binding path can set a sensitive field with no allowlist, block-list, or DTO in place.
Install
Config
Citations
ClaimUnclaimedUnclaimedUnclaimedUnclaimed
Open 4 picks in the interactive comparison tool

Related guides

Signals

Loading live community signals…

More like this, weekly

A short, calm digest of reviewed Claude resources. Unsubscribe any time.