Ensure that users only access data that belongs to them by controlling the DB query being made at the data layer. This query should ensure that data belonging to only the current user is returned, and the attribute that represents the current user should always be taken from a secure source (i.e. the user should never be able to tamper with its contents).