Server side authentication has been weakened in the recent versions.
The server side auth only checks that the user is a valid user, not what their specific permissions are. Thus a low level user could > send requests that require elevated permissions and have them succeed.
I've elected to keep the user level checks in the http_ev_handler to maintain stronger protection on the more privileged calls.
@robertc2000 please add privilege checks to the tests - see https://mongoose.ws/documentation/tutorials/wizard/#web-ui-login for the quick info
@dvosully we'll start adding tests to catch regressions