




3. User role controlled by request parameter

We're asked to delete the user "carlos". However, the admin panel at /admin is not accessible
unless the currently logged-in user is an admin. This check is controlled by a cookie set
after a successful login. We can modify this cookie so that it reports Admin=true, which lets us
access the /admin panel and delete the user "carlos".
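
The flaw described above, shown next to a corrected check, as an added example that is not the lab's own code. The `session` cookie name, the in-memory `SESSIONS` and `USERS` stores, the user "alice" and the function names are assumptions made for illustration.

```python
import secrets

# Constructed server-side state for the demo (not taken from the lab).
SESSIONS = {}                                  # session id -> {"user", "is_admin"}
USERS = {"alice", "carlos", "administrator"}   # constructed account list

def login(username, is_admin=False):
    """Create a server-side session and return the cookies sent to the browser."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": username, "is_admin": is_admin}
    return {"session": sid, "Admin": "true" if is_admin else "false"}

def is_admin_vulnerable(cookies):
    # Flawed: the role is read from a cookie that the client can rewrite.
    return cookies.get("Admin") == "true"

def is_admin_hardened(cookies):
    # The role is looked up in server-side session state; the Admin cookie is ignored.
    record = SESSIONS.get(cookies.get("session", ""))
    return bool(record and record["is_admin"])

def admin_delete(cookies, target, is_admin):
    """Handle a delete request on /admin; returns an HTTP-style status code."""
    if not is_admin(cookies):
        return 403          # caller is not authorized for the admin panel
    if target not in USERS:
        return 404
    USERS.discard(target)
    return 200

if __name__ == "__main__":
    cookies = login("alice")                   # ordinary user
    tampered = dict(cookies, Admin="true")     # cookie value changed client-side
    print("hardened:  ", admin_delete(tampered, "carlos", is_admin_hardened))
    print("vulnerable:", admin_delete(tampered, "carlos", is_admin_vulnerable))
```

With the hardened check, the tampered cookie has no effect because the authorization decision never reads it.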


Solution