
They didn't validate the token, nor did they make sure the user id was valid for the request; those are two important checks that either weren't there or failed. It seems like they just weren't there, as there would have been more failures like this throughout the site. Because those checks weren't there, I'd say it was an amateur mistake. Again, if this is the case, then the engineer just made an assumption that this request can only be made in a particular user state.
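The two checks the comment says were missing, shown as an added example that is not part of the original thread and says nothing about the actual site's code. The handler, the token format, the session store and the profile table are all hypothetical stand-ins constructed for the demo:

```python
import hashlib

# Constructed sample data (hypothetical, not from the site under discussion).
# Sessions are keyed by the SHA-256 of the bearer token so the plaintext token
# is never stored; the plaintext values below exist only to drive the demo.
SESSION_TOKENS = {"tok_alice_9f3c": 1, "tok_bob_71aa": 2}
SESSIONS = {hashlib.sha256(t.encode()).hexdigest(): uid
            for t, uid in SESSION_TOKENS.items()}


def make_profiles():
    """Fresh copy of the profile table so each scenario starts from clean data."""
    return {1: {"email": "alice@example.com"}, 2: {"email": "bob@example.com"}}


def vulnerable_update_email(profiles, request):
    """The failure mode the comment describes: the handler assumes the request
    can only arrive from a logged-in user acting on their own account, so it
    neither validates the token nor checks that user_id belongs to the caller.
    Anyone who can send the request can rewrite any user's e-mail."""
    user_id = int(request["user_id"])
    if user_id not in profiles:
        return 404
    profiles[user_id]["email"] = request["email"]
    return 200


def authenticate(token):
    """Check 1: resolve the presented token to a live session, or None.
    Looking up the hash rather than the raw token means the comparison
    happens on a fixed-length digest the client does not control."""
    if not token:
        return None
    digest = hashlib.sha256(token.encode()).hexdigest()
    return SESSIONS.get(digest)


def hardened_update_email(profiles, request):
    """Both checks in place: authenticate first, then authorize the user id."""
    caller = authenticate(request.get("token"))
    if caller is None:
        return 401  # no valid session: reject before touching any data
    try:
        target = int(request["user_id"])
    except (KeyError, ValueError):
        return 400
    # Check 2: the user id named in the request must be the one the token
    # belongs to. (Stronger still: drop user_id from the request entirely and
    # always act on `caller`, so there is nothing to tamper with.)
    if target != caller:
        return 403  # authenticated, but not authorized for this account
    profiles[caller]["email"] = request["email"]
    return 200


if __name__ == "__main__":
    store = make_profiles()
    # No token at all: the vulnerable handler still changes alice's e-mail.
    print(vulnerable_update_email(store, {"user_id": "1", "email": "attacker@example.net"}),
          store[1]["email"])
    store = make_profiles()
    # Bob's valid token, but targeting alice's account: blocked by check 2.
    print(hardened_update_email(store, {"token": "tok_bob_71aa", "user_id": "1",
                                        "email": "attacker@example.net"}), store[1]["email"])
```

The ordering matters: authentication (is this a real session?) runs before authorization (does this session own the account named in the request?), and a failure of either returns before any write happens. The 401 versus 403 split is a convention, not a requirement; what the comment is pointing at is that both decisions have to exist at all.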

