The exact healthcare breach: logged in as one patient, change the record id in the URL. Without a server-side ownership check you read someone else's report; with it you get 403. Login is not authorization.
You're logged in as Alice, patient #1001 (authenticated ✓). Now change the patient id in the request and send it — with and without a server-side ownership check.
Request

GET /api/patient/1001
Authorization: Bearer (Alice's token)

Change the id from 1001 to 1002 and resend the request.
🔑 Authentication (who are you?)
Solved by login — Alice's token is valid. ✓ This part already works.
🛡️ Authorization (what may you access?)
The missing check — does Alice own this record? Without it, login means nothing.
What just happened
▹You logged in correctly — that's authentication, and it's working. But authentication only proves WHO you are; it says nothing about which records you're allowed to see.
▹Broken access control, here in its IDOR (insecure direct object reference) form, is when the server returns a record just because you asked for its id. Change 1001 to 1002 in the URL and you read another patient's report — exactly the healthcare breach in the case study.
▹The fix is a server-side ownership check: before returning record N, confirm that the logged-in user actually owns N (or holds a role that allows it). Never trust an id from the URL, and apply the check on every endpoint that takes an object id, not only the read path.
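The request above, as an added example that is not part of the original page: a minimal handler for `/api/patient/<id>` written twice, once with only the login check (the IDOR) and once with the ownership check described in the last bullet. The tokens, user ids, patient records and the `clinician` role are constructed for this example; no real API or data is involved.

```python
"""Added example: IDOR-vulnerable record lookup beside its fixed form.

All data below is constructed for the example. Token strings, user ids and
the "clinician" role are assumptions, not the page's real API.
"""
import re
from dataclasses import dataclass

# Constructed sample data: bearer token -> logged-in user, and record id -> owner.
USERS = {
    "token-alice": {"user_id": 1001, "role": "patient"},
    "token-bob": {"user_id": 1002, "role": "patient"},
    "token-dr-lee": {"user_id": 5000, "role": "clinician"},
}
RECORDS = {
    1001: {"owner_id": 1001, "report": "Alice: routine checkup, all normal"},
    1002: {"owner_id": 1002, "report": "Bob: follow-up on blood test"},
}

PATIENT_PATH = re.compile(r"^/api/patient/(\d+)$")


@dataclass
class Response:
    status: int
    body: dict


def authenticate(authorization_header):
    """Authentication (who are you?): resolve the bearer token to a user, or None."""
    if not authorization_header.startswith("Bearer "):
        return None
    return USERS.get(authorization_header[len("Bearer "):])


def get_patient_vulnerable(authorization_header, patient_id):
    """Broken: checks that *someone* is logged in, then trusts the id from the URL."""
    user = authenticate(authorization_header)
    if user is None:
        return Response(401, {"error": "unauthenticated"})
    record = RECORDS.get(patient_id)
    if record is None:
        return Response(404, {"error": "not found"})
    return Response(200, record)  # IDOR: any valid login reads any record


def get_patient(authorization_header, patient_id):
    """Fixed: authenticate, then authorize against the record's owner (or a role)."""
    user = authenticate(authorization_header)
    if user is None:
        return Response(401, {"error": "unauthenticated"})
    record = RECORDS.get(patient_id)
    if record is None:
        return Response(404, {"error": "not found"})
    # Authorization (what may you access?): the caller must own the record,
    # or hold a role that is allowed to read any record.
    if record["owner_id"] != user["user_id"] and user["role"] != "clinician":
        return Response(403, {"error": "forbidden"})
    return Response(200, record)


def handle(path, headers, handler=get_patient):
    """Route GET /api/patient/<id> to a handler; the id is untrusted URL input."""
    match = PATIENT_PATH.match(path)
    if not match:
        return Response(404, {"error": "no route"})
    return handler(headers.get("Authorization", ""), int(match.group(1)))


if __name__ == "__main__":
    alice = {"Authorization": "Bearer token-alice"}
    print("vulnerable, id 1002:", handle("/api/patient/1002", alice, get_patient_vulnerable))
    print("fixed, id 1002:     ", handle("/api/patient/1002", alice))
    print("fixed, id 1001:     ", handle("/api/patient/1001", alice))
```

Two things to notice. The vulnerable version is not missing authentication at all, it rejects a bad token with 401 just like the fixed one; the only difference is the single ownership comparison. And the fixed version still distinguishes 403 (exists, not yours) from 404 (does not exist), which lets a caller enumerate which record ids exist; the page's demo uses 403, so the example does too, but many APIs deliberately return 404 for both cases, or scope the lookup by the authenticated user's id so a foreign record simply is not found.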