12

"you realize that any user can gain admin access by signing in with their own creds and switching out the word "user" or "client" in the url for "admin""

"Yeah, I don't care. <sr dev> is under a lot of pressure"

Comments
  • 0
    Are the admin actions at least filtered?
  • 0
Not as far as I can tell. He passes the user id around as a url parameter, plops it in a cookie when he needs to use that spot for something else (like an order number), then retrieves it afterwards. He treats the actual Auth as a bool.
  • 1
    Facepalm
  • 1
He's a front end guy who pretty much cowboy coded the whole thing by himself (he's obviously stuck thinking procedurally instead of object-orientedly). Still, I'm a few months into my first dev job and the problems are glaringly obvious to me.
  • 1
@cchings - you gotta say something. Kudos to you for spotting the mistakes. You need to make some proof of concepts or examples of why it sucks. Keep trying to convince them. I've had many dev friends in your shoes right now.
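To make the failure concrete for that kind of proof of concept, here is an added example (not from the original thread or the app it describes) contrasting a handler built the way the thread describes, identity taken from the URL and query string and auth reduced to a bool, with one that resolves identity and role from a server-side session. All user ids, session tokens and paths are constructed.

```python
# Added illustration of the two access-control flaws described in the thread:
# identity taken from the URL/query instead of the server-side session, and
# authorization reduced to "is this request authenticated at all?".
# Constructed, framework-free example; names and data are made up.

# Constructed user table: user_id -> role
USERS = {"1001": "user", "1002": "user", "9": "admin"}

# Constructed session store: session_token -> user_id (set at login, server side)
SESSIONS = {"tok-alice": "1001", "tok-root": "9"}


def vulnerable_handler(path, query, cookies):
    """Mirrors the pattern in the thread: auth is a bool, identity comes from
    the request itself, and the URL segment alone selects the admin area."""
    authenticated = cookies.get("session") in SESSIONS   # auth "as a bool"
    if not authenticated:
        return 401, "login required"
    user_id = query.get("user_id") or cookies.get("user_id")  # client-controlled
    area = path.split("/")[1]                                  # "user" or "admin"
    if area == "admin":
        return 200, "admin panel for all users"                # no role check
    return 200, f"profile of {user_id}"


def hardened_handler(path, query, cookies):
    """Identity and role are resolved server side from the session; the URL
    and query string never decide who the caller is or what they may do."""
    user_id = SESSIONS.get(cookies.get("session"))
    if user_id is None:
        return 401, "login required"
    role = USERS[user_id]
    area = path.split("/")[1]
    if area == "admin":
        if role != "admin":
            return 403, "forbidden"      # authorization is per action, not a bool
        return 200, "admin panel for all users"
    requested = query.get("user_id", user_id)
    if requested != user_id and role != "admin":
        return 403, "forbidden"          # no reading other users' records by id
    return 200, f"profile of {requested}"
```

Running both handlers on the same request (a normal user's session cookie with the path changed from /user/... to /admin/...) shows the first one serving the admin area and the second returning 403.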