Secure deletion, roles
I have handle for URL handleDeleteFTP($ftp_user_id). This function call sites_ftp_user_delete from ISPConfig. But there is problem with security, because one of GET parameters is ftp_user_id and everyone (if they are logged) can change this id and send it. How can I check owner of this record which want to delete? ISPConfig remote API is still little bit magic for me...
Second problem. I use this function for login:
$result = $this->client->client_get($this->session_id, array('username' => $username));
Everything is OK, but I need to know roles of users. $result contains no information for identify users by role. I need to know if user is in role admin or not...
Thanks for some clue.