IDOR Vulnerability in PayController Allows Unauthorized Deletion of Pay Records
A critical Insecure Direct Object Reference (IDOR) vulnerability in the PayController's destroy action permitted any authenticated user to delete arbitrary Pay records by manipulating the id parameter, bypassing ownership verification entirely. The flaw originated from the destroy method using `Pay.find_by_id(params[:id])`, an unscoped lookup that retrieves any Pay record in the table regardless of which user owns it.
The vulnerability was identified in `app/controllers/pay_controller.rb`, where the original implementation never confirmed that the target Pay record belonged to the requesting user before deleting it. A user with valid authentication could therefore delete another user's financial records simply by substituting that record's ID in the request. The issue was remediated by replacing the unscoped query with `current_user.pay.find(params[:id])`, which constrains the lookup, and thus every delete, to records owned by the authenticated user. Because the association-scoped `find` raises `ActiveRecord::RecordNotFound` both when the id does not exist and when it belongs to someone else, a begin/rescue block was also added to handle that exception gracefully; mapping both cases to the same not-found response has the further benefit of not revealing whether a given record id exists.
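The following is an added example, not code from the project: it models the vulnerable and hardened destroy lookups in plain Ruby with an in-memory store so the difference can be run without Rails. `PayStore`, `ScopedRelation`, the `vulnerable_destroy`/`hardened_destroy` methods and the seed data are illustrative assumptions standing in for the Pay model, the `current_user.pay` association and the controller action; `RecordNotFound` stands in for `ActiveRecord::RecordNotFound`.

```ruby
# Added example, not the project's code. Illustrative stand-ins for the
# Pay model, the current_user.pay association and the destroy action.

class RecordNotFound < StandardError; end   # stands in for ActiveRecord::RecordNotFound

Pay = Struct.new(:id, :user_id, :amount)

# In-memory stand-in for the Pay table (hypothetical, for the example only).
class PayStore
  def initialize(rows)
    @rows = rows.map { |r| [r.id, r] }.to_h
  end

  # Unscoped lookup, like Pay.find_by_id: any id from any user, nil if absent.
  def find_by_id(id)
    @rows[id.to_i]
  end

  # Scoped lookup, like current_user.pay: only rows owned by user_id.
  def scoped(user_id)
    ScopedRelation.new(@rows.values.select { |r| r.user_id == user_id })
  end

  def delete(id)
    @rows.delete(id.to_i)
  end

  def ids
    @rows.keys.sort
  end
end

# Stand-in for an association relation: find raises RecordNotFound for both
# unowned and nonexistent ids, so the caller cannot tell the two apart.
class ScopedRelation
  def initialize(rows)
    @rows = rows
  end

  def find(id)
    @rows.find { |r| r.id == id.to_i } or raise RecordNotFound, "Couldn't find Pay with id=#{id}"
  end
end

# Vulnerable destroy: trusts params[:id] and never checks ownership.
def vulnerable_destroy(store, current_user_id, params)
  pay = store.find_by_id(params[:id])
  return :not_found if pay.nil?
  store.delete(pay.id)
  :deleted
end

# Hardened destroy: the lookup is constrained to the current user's records,
# and RecordNotFound is rescued into a not-found result.
def hardened_destroy(store, current_user_id, params)
  pay = store.scoped(current_user_id).find(params[:id])
  store.delete(pay.id)
  :deleted
rescue RecordNotFound
  :not_found
end

# Constructed sample data: user 1 owns pay 10, user 2 owns pay 20.
def seed_store
  PayStore.new([Pay.new(10, 1, 100), Pay.new(20, 2, 250)])
end

# Attacker (user 1) substitutes user 2's record id in the request.
# Returns [result, ids remaining in the table].
def attack(destroy_method)
  store = seed_store
  result = send(destroy_method, store, 1, { id: "20" })
  [result, store.ids]
end

if __FILE__ == $0
  p attack(:vulnerable_destroy)  # cross-user deletion succeeds: [:deleted, [10]]
  p attack(:hardened_destroy)    # blocked: [:not_found, [10, 20]]
end
```

The legitimate owner still succeeds through the hardened path (`hardened_destroy(seed_store, 2, { id: "20" })` returns `:deleted`), while a foreign or nonexistent id yields the same `:not_found` outcome.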
The fix enforces authorization at the controller level, preventing horizontal privilege escalation against the pay management system. Organizations using similar patterns in other controllers should audit their own implementations for analogous IDOR exposures, particularly where user-submitted IDs drive data access or deletion without an ownership check; a quick first pass is to search for unscoped lookups such as `Model.find(params[:id])` or `Model.find_by_id(params[:id])` in show, update and destroy actions and confirm each one is either scoped through the current user's associations or guarded by an explicit authorization check.