VIEW-Privileged User Can Delete Student Records – Server‑Side Authorization Missing in `see.php`

### VIEW-Privileged User Can Delete Student Records – Server‑Side Authorization Missing in `see.php`

**Severity:** High  
**Type:** Broken Access Control / Missing Server‑Side Authorization  
**File:** `see.php` (lines 7–20)

**Confirmed by local HTTP reproduction.**

---

### Description
The student deletion endpoint (`see.php`) processes the `del` parameter and immediately executes a `DELETE` query **before** checking the logged‑in user’s permission level. The relevant code flow:

```php
// see.php:7-8
if (isset($_GET['submit'])){
    if(mysqli_query($con,"DELETE FROM student WHERE ID =".$_GET['del']."")){

// ... later, after deletion ...
// see.php:17-20
$usr=$_SESSION['username'];
$r=mysqli_query($con,"SELECT Permission from login WHERE username='$usr'");
$ro=mysqli_fetch_assoc($r);
$uper=$ro['Permission'];
```

Because the deletion query runs first, a user with only VIEW permission (e.g., the default admin1/admin account) can delete any student record simply by crafting a GET request with ?submit=submit&del=<id>. The subsequent permission check is only used for displaying a warning message; it does not prevent the destructive action.

Steps to Reproduce
Log in as the VIEW user admin1 / admin.

Obtain a valid PHPSESSID.

Identify a target student ID (e.g., 1614).

Send a GET request to /see.php?submit=submit&del=1614 with the session cookie.

Observe that the response shows “RECORD DELETED!” and the total record count decreases, confirming the deletion succeeded.

![](https://pic1.imgdb.cn/item/6a13ce4172662027ad93401a.png)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

VIEW-Privileged User Can Delete Student Records – Server‑Side Authorization Missing in `see.php` #4