It is not uncommon for the developers to check for authorization only at the beginning of a workflow and assume that the following tasks will be authorized for the user. An attacker may try to call a function, URL, or resource that is an intermediate step of the flow and achieve it because of a lack of control.
Concerning privileges, denying all by default is a best practice. If we don't know whether certain users are allowed to execute a function, then they are not allowed. Turn your privilege tables into grant tables. If there is no explicit grant for a user on a function, deny any access.
When building or implementing an access control mechanism for your application's functions, store all the grants in a database or in a configuration file (a database is a better choice).
If user roles and privileges are hardcoded, they become harder to maintain and to change
or update.