Missing Authorization

Identifies code paths in HTTP-triggered or Callable functions where user authentication is verified, but subsequent operations on resources do not adequately consider the user's identity (uid) or associated permissions (e.g., custom claims or roles). This can lead to broken access control, allowing authenticated users to access or modify resources they do not own or are not authorized for.