# Potential IDOR - Generic Data Access

- ID: python-idor-generic
- Severity: MEDIUM
- CWE: Authorization Bypass Through User-Controlled Key (CWE-639)
- Languages: Python
- Frameworks: django, flask, fastapi

## Description

Detects route parameters (for example an `order_id` taken from the URL) flowing into a generic data lookup without a visible check that the fetched record belongs to the current user.

## Remediation

Verify that the record belongs to the current user before returning it.

```python
if order['user_id'] != current_user.id:
    return jsonify({'error': 'Forbidden'}), 403
```

Learn more: https://shoulder.dev/learn/python/cwe-639/idor-generic

## Related Rules

- **Horizontal Privilege Escalation** [HIGH]
- **Insecure Direct Object Reference (IDOR)** [HIGH]
- **Potential IDOR - Generic Data Access** [MEDIUM]
- **Horizontal Privilege Escalation** [CRITICAL]
- **Insecure Direct Object Reference (IDOR)** [HIGH]
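The following is an added example, not part of the rule page or the shoulder.dev project: a vulnerable handler next to two hardened forms. It is written framework-free so it runs without Flask, Django or FastAPI; `order_id`, `current_user` and the `ORDERS` dictionary are assumptions standing in for the route parameter, the session user and a database table, and each handler returns an `(http_status, body)` pair in place of a framework response.

```python
from dataclasses import dataclass
from typing import Any, Dict, Optional, Tuple

Response = Tuple[int, Dict[str, Any]]


@dataclass(frozen=True)
class User:
    """Stand-in for the authenticated user a framework would supply."""
    id: int


# Constructed sample data standing in for an orders table.
ORDERS: Dict[int, Dict[str, Any]] = {
    1001: {"id": 1001, "user_id": 1, "total": 42.00},
    1002: {"id": 1002, "user_id": 2, "total": 99.50},
}


def get_order_vulnerable(order_id: int, current_user: User) -> Response:
    """CWE-639 pattern the rule flags: the user-controlled key is used
    directly, so any authenticated user can read any order by changing
    the id in the URL. `current_user` is never consulted."""
    order: Optional[Dict[str, Any]] = ORDERS.get(order_id)
    if order is None:
        return 404, {"error": "Not found"}
    return 200, order


def get_order_fixed(order_id: int, current_user: User) -> Response:
    """Remediation from the rule: look the record up, then verify
    ownership before returning it."""
    order = ORDERS.get(order_id)
    if order is None:
        return 404, {"error": "Not found"}
    if order["user_id"] != current_user.id:
        return 403, {"error": "Forbidden"}
    return 200, order


def get_order_scoped(order_id: int, current_user: User) -> Response:
    """Alternative hardening: scope the lookup to the caller, the
    equivalent of `filter(id=order_id, user_id=current_user.id)` in an
    ORM. A foreign id simply does not match, so the response does not
    reveal whether the order exists at all."""
    order = next(
        (o for o in ORDERS.values()
         if o["id"] == order_id and o["user_id"] == current_user.id),
        None,
    )
    if order is None:
        return 404, {"error": "Not found"}
    return 200, order


if __name__ == "__main__":
    alice = User(id=1)
    # Alice asks for Bob's order (1002) through each handler.
    print("vulnerable:", get_order_vulnerable(1002, alice)[0])  # 200: leaks
    print("fixed:     ", get_order_fixed(1002, alice)[0])       # 403
    print("scoped:    ", get_order_scoped(1002, alice)[0])      # 404
```

The scoped variant is usually the easier one for a static rule (and a code reviewer) to confirm, because the ownership constraint is part of the query itself rather than a separate branch that can be forgotten on the next endpoint.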