Open smholsen opened 7 years ago
Should this be done after #9? I mean, we need to have some way of differentiating between admin and user, and currently this is done via cookie which we are going to fix in #9.
When I was fixing #9 I also changed the check method for checking if the current user in session is admin. I realize that this perhaps should have been done in a different commit, but I had to remove the information from the cookie, and for the application to still function I had to rework the admin check method.
I will start working on this issue now.
Will write about this when I'm done with session management.
Todo: Merge with master!
What? Any user can delete other users in the database by typing the URL in the browser. ‘username’ is replaced by a valid username registered in the application. We need to make only admins or the actual user able to do this.
Why? Because if we don't then bad people can do bad things.
How? I don't know yet.
(Missing Function Level Access Control (OWASP-A7))
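The check the issue asks for (only an admin or the account owner may delete a user), written out as an added example that is not the project's own code. It assumes a server-side session represented as a dict holding the logged-in username, and an in-memory user table standing in for the database; the names `UserStore`, `delete_user`, `delete_user_vulnerable` and `attempt` are hypothetical. The admin flag is re-read from the user record on every call rather than trusted from anything the client sends, which is the same point #9 makes about moving that information out of the cookie.

```python
# Added example, not code from the project. Hypothetical names throughout.


class Forbidden(Exception):
    """Caller is neither the target account's owner nor an admin (HTTP 403)."""


class NotFound(Exception):
    """Target username does not exist (HTTP 404)."""


class UserStore:
    """Minimal in-memory stand-in for the application's user table."""

    def __init__(self, users):
        # users: {username: is_admin}
        self._users = dict(users)

    def exists(self, username):
        return username in self._users

    def is_admin(self, username):
        # Unknown users are never admins.
        return self._users.get(username, False)

    def delete(self, username):
        del self._users[username]


def current_user(session):
    """Identity comes from the server-side session only, never from a
    client-editable cookie. Returns None when nobody is logged in."""
    return session.get("username")


def is_admin(store, session):
    """Admin check derived from the stored user record on every request.
    A client that smuggles an 'is_admin' key into its session data gains
    nothing, because that key is never consulted."""
    user = current_user(session)
    return user is not None and store.is_admin(user)


def delete_user_vulnerable(store, session, target):
    """The behaviour reported in the issue: the handler never asks who is
    calling, so anyone who can type the URL can delete any username."""
    if not store.exists(target):
        raise NotFound(target)
    store.delete(target)


def delete_user(store, session, target):
    """Hardened handler: only the account owner or an admin may delete.

    Authorization is checked before the existence lookup, so an unauthorized
    caller gets the same Forbidden whether or not the username exists and
    cannot enumerate accounts through a 403-versus-404 difference."""
    actor = current_user(session)
    if actor is None:
        raise Forbidden("login required")
    if actor != target and not is_admin(store, session):
        raise Forbidden(f"{actor} may not delete {target}")
    if not store.exists(target):
        raise NotFound(target)
    store.delete(target)
    if actor == target:
        # Self-delete: the session no longer maps to a real user, drop it.
        session.clear()
    return target


def attempt(fn, store, session, target):
    """Run a delete handler and report the outcome as a string."""
    try:
        fn(store, session, target)
    except Forbidden:
        return "forbidden"
    except NotFound:
        return "not found"
    return "deleted"


def make_sample_store():
    """Constructed sample data: one admin and two ordinary users."""
    return UserStore({"alice": True, "bob": False, "carol": False})


if __name__ == "__main__":
    bob = {"username": "bob"}
    print("vulnerable, bob deletes carol:",
          attempt(delete_user_vulnerable, make_sample_store(), bob, "carol"))
    print("hardened,   bob deletes carol:",
          attempt(delete_user, make_sample_store(), bob, "carol"))
    print("hardened,   alice deletes carol:",
          attempt(delete_user, make_sample_store(), {"username": "alice"}, "carol"))
```

Two details worth keeping when this is ported to the real handler: the ordering of the authorization check ahead of the existence lookup, and the fact that a forged `is_admin` value in the session (or cookie) is ignored because the flag is looked up from the user record each time.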