Rights can be changed without session in
Status: Beta
Brought to you by: tomsommer
All user settings can be changed directly by calling userinfo.php with the needed args. There is no session needed.
This way every user may get admin rights just by calling userinfo.php?edit=<user_id>&is_admin=true in his favorite browser.
The needed user_id can be easily extracted.
Just call members.php and click on a member name.
Verified using the available nightly build.
May be fixed by using $_SESSION instead of $_GET.
Also, is_admin of the current user has to be checked so only admins may change the is_admin settings of a user.
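
Added example (not part of the report and not the project's code): one way to implement the two checks the report asks for, with the caller's identity and admin flag read only from the session and the request's `edit` value treated purely as the target. The session keys `user_id` and `is_admin`, the field lists and the function name `authorize_user_edit()` are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not the project's code. The session keys 'user_id' and
// 'is_admin', the field lists and authorize_user_edit() are assumptions.

const SELF_EDITABLE = ['email', 'signature']; // hypothetical non-privileged fields
const ADMIN_ONLY    = ['is_admin'];           // privilege-bearing fields

function authorize_user_edit(array $session, array $request): array
{
    // No authenticated session: reject before looking at any parameter.
    if (!isset($session['user_id'])) {
        return ['status' => 401, 'changes' => []];
    }
    $callerId      = (int) $session['user_id'];
    $callerIsAdmin = ($session['is_admin'] ?? false) === true;

    // The target id may come from the request, but it only names the record
    // to edit; it never establishes who the caller is.
    $targetId = filter_var($request['edit'] ?? null, FILTER_VALIDATE_INT);
    if ($targetId === false) {
        return ['status' => 400, 'changes' => []];
    }

    // Non-admins may edit only their own record.
    if (!$callerIsAdmin && $targetId !== $callerId) {
        return ['status' => 403, 'changes' => []];
    }

    // A non-admin sending a privileged field is refused rather than silently
    // ignored, so the attempt is visible to whoever reviews the logs.
    if (!$callerIsAdmin && array_intersect(array_keys($request), ADMIN_ONLY)) {
        return ['status' => 403, 'changes' => []];
    }

    $allowed = $callerIsAdmin ? array_merge(SELF_EDITABLE, ADMIN_ONLY) : SELF_EDITABLE;
    $changes = array_intersect_key($request, array_flip($allowed));
    return ['status' => 200, 'target' => $targetId, 'changes' => $changes];
}

// Constructed requests exercising the check.
$req = ['edit' => '7', 'is_admin' => 'true'];
var_dump(authorize_user_edit([], $req)['status']);                                    // no session
var_dump(authorize_user_edit(['user_id' => 7, 'is_admin' => false], $req)['status']); // user editing own is_admin
var_dump(authorize_user_edit(['user_id' => 1, 'is_admin' => true], $req)['status']);  // admin editing user 7
```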