I think it is best practice (or should become) to start any function with an assertion that verifies if the sender should be able to modify the state.

Only by making this routine will the developers think about access rights for every function.

In solidity a bug costs real money to real people. We’re still in the learning phase I guess