Incorrect authorization in admin backend allows privileged users to read and modify arbitrary files without prompting for password