This is with reference to http://thehackernews.com/2014/05/vulnerability-in-yahoo-websites-allows.html
Authentication normally has three steps:
1. Authenticating User: username, password verification, i.e. a valid Yahoo user
2. Authorizing Action (role-based access): whether the user is allowed to perform the action, i.e. the user is allowed to delete comments
3. Authorizing Entity: verify the user owns the entity, i.e. the user is allowed to delete only his comments.
How do you handle the third step in your application?
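
An added example, not part of the original post: one way to run the three checks listed above for a delete-comment action, with the third step done by loading the comment server-side and comparing its owner to the user bound to the session. All names here (`delete_comment`, `make_store`, the session tokens, the sample comments) are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

class Forbidden(Exception):
    """Caller is not authenticated or lacks the role for the action."""

class NotFound(Exception):
    """Entity is missing or is not owned by the caller."""

@dataclass(frozen=True)
class User:
    user_id: int
    roles: frozenset

@dataclass(frozen=True)
class Comment:
    comment_id: int
    owner_id: int
    text: str

# Constructed sample sessions (hypothetical tokens, assumed issued at login).
SESSIONS = {
    "tok-alice": User(1, frozenset({"commenter"})),
    "tok-bob": User(2, frozenset({"commenter"})),
    "tok-guest": User(3, frozenset()),
}

def make_store():
    """Return a fresh, constructed comment store keyed by comment id."""
    return {10: Comment(10, 1, "alice's comment"), 11: Comment(11, 2, "bob's comment")}

def delete_comment(session_token, comment_id, store):
    # Step 1, authenticate: the identity comes from the server-side session only.
    user = SESSIONS.get(session_token)
    if user is None:
        raise Forbidden("not authenticated")
    # Step 2, authorize the action: does this role allow deleting comments at all?
    if "commenter" not in user.roles:
        raise Forbidden("role may not delete comments")
    # Step 3, authorize the entity: look the comment up by the client-supplied id,
    # then compare its stored owner with the session user. An owner id sent in
    # the request is never trusted.
    comment = store.get(comment_id)
    if comment is None or comment.owner_id != user.user_id:
        # Same error for "missing" and "not yours", so ids cannot be enumerated.
        raise NotFound("no such comment")
    del store[comment_id]
    return comment_id
```

In a database-backed application the same check is commonly expressed by scoping the statement itself to the owner (delete where id matches and owner matches the session user) and treating zero affected rows as not found.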