Problem Statement
What is Broken Object Property Level Authorization (BOPLA) in APIs?
Explanation
BOPLA focuses on the properties inside an object. Even when a user is allowed to access the object, they may not be allowed to view or edit every field in it. If the API does not validate access per field, an attacker can add or modify hidden or admin-only properties simply by guessing their names (for example, sending "role" in a profile update).
Defend by using allow lists on what fields a role can read and write. Never bind request bodies to models without explicit field level rules.
Code Solution
PATCH /api/users/me
{ "role": "admin" }   // server must ignore or block this field
// Use explicit field allow lists per role
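The following is an added example, not code from the original page: a per-role read and write allow list applied to a PATCH /api/users/me body, with the role names, field names and sample record all constructed for illustration.

```python
# Added example, not code from the original page: per-role field allow lists
# for PATCH /api/users/me. Roles, field names and the sample row are constructed.

# Anything not listed here is neither readable nor writable by that role.
READABLE = {
    "user":  {"id", "email", "display_name"},
    "admin": {"id", "email", "display_name", "role", "is_active"},
}
WRITABLE = {
    "user":  {"email", "display_name"},
    "admin": {"email", "display_name", "role", "is_active"},
}

class FieldAccessError(ValueError):
    """The request body names fields the caller's role may not write."""

    def __init__(self, fields):
        super().__init__(f"fields not writable by this role: {sorted(fields)}")
        self.fields = set(fields)

def disallowed_fields(role, body):
    """Keys in `body` outside the role's write allow list (unknown role: all)."""
    return set(body) - WRITABLE.get(role, set())

def apply_patch(role, record, body):
    """Return a copy of `record` with `body` applied, or raise FieldAccessError.

    The whole request is rejected if any key is not writable. Failing closed is
    preferable to silently dropping keys: a client probing for hidden properties
    such as "role" gets a clear 4xx instead of a partial success, and the
    rejection is something the server can log and alert on.
    """
    bad = disallowed_fields(role, body)
    if bad:
        raise FieldAccessError(bad)
    updated = dict(record)
    updated.update(body)
    return updated

def serialize(role, record):
    """Project `record` onto the fields the role is allowed to read."""
    return {k: v for k, v in record.items() if k in READABLE.get(role, set())}

# Constructed sample row; a real handler would load it from the database.
SAMPLE_USER = {"id": 7, "email": "ann@example.com", "display_name": "Ann",
               "role": "user", "is_active": True, "password_hash": "<hash>"}
```

Note that `serialize` is the read-side half of the same rule: fields such as `password_hash` never reach any role because they are absent from every read allow list, not because a view happens to omit them.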