Using user-controlled data in a permissions check may allow a user to gain unauthorized access to protected functionality or data.