# Insecure Direct Object Reference (IDOR)

- ID: python-idor
- Severity: HIGH
- CWE: Authorization Bypass Through User-Controlled Key (CWE-639)
- Languages: Python
- Frameworks: django, flask, fastapi

## Description

Detects database object access that uses a user-provided ID without verifying that the requesting user owns the object.

## Remediation

Filter queries by both the object ID and the current user, so that ownership is enforced by the lookup itself rather than by a check applied after the object has been fetched.

```python
document = Document.objects.get(id=doc_id, owner=request.user)
```

Learn more: https://shoulder.dev/learn/python/cwe-639/idor

## Related Rules

- **Horizontal Privilege Escalation** [HIGH]:
- **Insecure Direct Object Reference (IDOR)** [HIGH]:
- **Potential IDOR - Generic Data Access** [MEDIUM]:
- **Horizontal Privilege Escalation** [CRITICAL]:
- **Insecure Direct Object Reference (IDOR)** [HIGH]:
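The flagged pattern and the remediation above, side by side, as an added example that is not part of this rule's documentation or any framework's code. It models the Django `get(id=..., owner=...)` lookup in plain Python with a constructed in-memory `DOCUMENTS` table; `Document`, `NotFound` and `view_document` are assumed names, and mapping a failed lookup to 404 (rather than 403) is a defensive choice the rule text does not mandate.

```python
from dataclasses import dataclass
from typing import Callable, Tuple


class NotFound(Exception):
    """Raised when no row matches; 'does not exist' and 'not yours' look the same."""


@dataclass(frozen=True)
class Document:
    id: int
    owner: str
    body: str


# Constructed sample data standing in for the Document table (assumption).
DOCUMENTS = {
    1: Document(1, "alice", "alice's private notes"),
    2: Document(2, "bob", "bob's private notes"),
}


def get_document_unscoped(doc_id: int) -> Document:
    """Flagged pattern: Document.objects.get(id=doc_id).
    Only the user-supplied id selects the row, so any caller can read any row."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise NotFound(doc_id)
    return doc


def get_document(doc_id: int, current_user: str) -> Document:
    """Remediated pattern: Document.objects.get(id=doc_id, owner=request.user).
    Ownership is part of the lookup, so a foreign id simply does not match."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner != current_user:
        raise NotFound(doc_id)
    return doc


def view_document(doc_id: int, current_user: str,
                  fetch: Callable[[int, str], Document] = get_document) -> Tuple[int, str]:
    """Minimal view returning (status, body). A miss becomes 404 so the response
    does not tell the caller whether the id exists for somebody else."""
    try:
        doc = fetch(doc_id, current_user)
    except NotFound:
        return 404, "not found"
    return 200, doc.body
```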