Currently, the admin checks in the Admin backend API are done via a flag in the request. This is not secure: the flag is client-controlled, so anyone who can send or tamper with a request can set it and reach admin-only endpoints.
Instead, what we need is a utility that takes the authenticated user's ID (from the session or token, not from the request body), looks the user up in the database, and checks their role string (or role flag, or whatever) to confirm they are an admin. Every admin endpoint should then call that utility instead of reading the flag.
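The two checks side by side, as an added example and not the project's own code: the request-flag check being replaced, and a server-side role lookup keyed on the authenticated user. The in-memory `USERS` table, the `Request` shape, and the `require_admin` / `attempt` helper names are assumptions made for the example.

```python
"""Added example (not the project's own code): the insecure request-flag
admin check beside a server-side role lookup. The in-memory USERS table,
the Request shape and the helper names are assumptions for the demo."""
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed stand-in for the users table; in the real service this is a DB query.
USERS = {
    "u-1": {"role": "admin"},
    "u-2": {"role": "member"},
}


@dataclass
class Request:
    # Set by the auth middleware from a verified session/token; the client
    # cannot choose this value.
    authenticated_user_id: str
    # Parsed request body: entirely attacker-controlled.
    body: dict = field(default_factory=dict)


class Forbidden(Exception):
    pass


def is_admin_insecure(req: Request) -> bool:
    """The pattern being replaced: trusts a flag the client put in the request."""
    return bool(req.body.get("is_admin", False))


def lookup_role(user_id: str) -> Optional[str]:
    """Fetch the stored role for a user; None if the user does not exist."""
    row = USERS.get(user_id)
    return row["role"] if row else None


def is_admin(req: Request) -> bool:
    """Server-side check: the role comes from the stored record of the
    authenticated user, never from anything in the request body."""
    return lookup_role(req.authenticated_user_id) == "admin"


def require_admin(req: Request) -> None:
    """Guard to call at the top of every admin-only handler."""
    if not is_admin(req):
        raise Forbidden("admin role required")


def purge_cache(req: Request) -> bool:
    """Example admin-only action protected by the guard."""
    require_admin(req)
    return True


def attempt(req: Request, action: Callable[[Request], bool]) -> str:
    """Run an admin action and report the outcome as 'allowed' or 'forbidden'."""
    try:
        action(req)
        return "allowed"
    except Forbidden:
        return "forbidden"


if __name__ == "__main__":
    # A regular member forges the flag: passes the old check, fails the new one.
    forged = Request("u-2", {"is_admin": True})
    print("insecure check:", is_admin_insecure(forged))
    print("db role check: ", is_admin(forged))
    print("purge_cache as u-2:", attempt(forged, purge_cache))
    print("purge_cache as u-1:", attempt(Request("u-1"), purge_cache))
```

Note that the lookup is keyed on `authenticated_user_id`, which must be populated by the auth layer from a verified session or token; if that ID were read from the body as well, the new check would be no better than the flag.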