This video by IBM’s ethical hacking team outlines how applications need to verify every request they receive against the permissions of the user issuing it, both at the UI level and at the backend function level (should the application be serving this data to this caller at all?). This five-minute video covers the appropriate considerations for protecting against missing function level access control and the mitigating controls that ensure every such request is properly validated.
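The distinction the video draws between UI-level and function-level checks is easiest to see in code. The following is an added example, not material from IBM's video: a minimal request dispatcher in Python in which one handler relies on the UI having hidden the "delete user" button from non-admins, while the hardened handler re-derives the caller's roles from a server-side session and refuses the call unless the required role is present. The session store, role names and route paths are all constructed for illustration.

```python
"""Missing function level access control: UI hiding versus server-side enforcement."""
from dataclasses import dataclass, field
from functools import wraps

# Constructed sample data: server-side session store (session id -> authenticated user).
# In a real application this would come from the session backend, never from the client.
@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset

SESSIONS = {
    "sess-alice": User("alice", frozenset({"user", "admin"})),
    "sess-bob": User("bob", frozenset({"user"})),
}

@dataclass
class Request:
    session_id: str
    path: str
    params: dict = field(default_factory=dict)

class Unauthorized(Exception):
    """No valid session: the caller is not authenticated."""

class Forbidden(Exception):
    """Authenticated, but lacking the role this function requires."""

AUDIT_LOG = []  # denied calls are recorded here so they can be alerted on

def vulnerable_delete_user(req):
    """Broken handler: the admin page only shows the delete button to admins,
    so the author assumed only admins could reach this function. Nothing here
    checks the caller's roles, so any authenticated user who calls the URL
    directly gets the privileged action."""
    return f"deleted {req.params['target']}"

def requires_role(role):
    """Decorator that enforces a function-level check on every invocation,
    using the roles stored server-side for the session (not anything the
    client sent). Handlers receive the resolved user as a second argument."""
    def decorate(fn):
        @wraps(fn)
        def wrapper(req):
            user = SESSIONS.get(req.session_id)
            if user is None:
                raise Unauthorized(req.path)
            if role not in user.roles:
                AUDIT_LOG.append((user.name, req.path, "missing role " + role))
                raise Forbidden(req.path)
            return fn(req, user)
        return wrapper
    return decorate

@requires_role("admin")
def hardened_delete_user(req, user):
    """Same action as above, but the role check runs regardless of which UI
    (or no UI at all) produced the request."""
    return f"{user.name} deleted {req.params['target']}"

@requires_role("user")
def view_profile(req, user):
    """Ordinary function: still declares the role it needs, so the dispatcher
    is deny-by-default rather than relying on a list of 'sensitive' URLs."""
    return f"profile of {user.name}"

ROUTES = {
    "/api/admin/delete_user": hardened_delete_user,
    "/api/profile": view_profile,
}

def dispatch(req):
    """Route a request and translate authorization failures into HTTP-style
    status codes. Returns (status, body)."""
    handler = ROUTES.get(req.path)
    if handler is None:
        return 404, "not found"
    try:
        return 200, handler(req)
    except Unauthorized:
        return 401, "authentication required"
    except Forbidden:
        return 403, "forbidden"

if __name__ == "__main__":
    # Bob is a plain user. The vulnerable handler lets him delete carol;
    # the hardened route refuses and leaves an audit record.
    bob = Request("sess-bob", "/api/admin/delete_user", {"target": "carol"})
    print(vulnerable_delete_user(bob))
    print(dispatch(bob))
    print(AUDIT_LOG)
```

Every handler, privileged or not, is wrapped in `requires_role`, so a newly added function that forgets its check fails closed at the dispatcher rather than silently becoming reachable. The audit entries written on each `Forbidden` are the signal a detection team would watch: a non-admin session repeatedly hitting admin function paths is exactly the pattern of someone probing for this class of flaw.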