Could you explain that one in more detail? I don't think I understand it.
You have another code path that authenticates API callers.
You have code scattered through your whole application that makes authorization checks based on which user you're authenticated as.
Inconsistencies between the first two code paths often break that code.