This seems like a no-brain-er but I have seen it more times than I can count and I have seen it happen to some very experienced developers. Put simply: authentication is not enough; you need to make sure that the authenticated user is actually authorized to perform an action. It is one thing to know who a user is and an entirely different — though equally important — thing to know what a user is allowed to do.
This article covers the concepts of authentication and authorization.