right protection is missing on the server side
many bugs lead to authorize users to do unauthorized actions (see CMS-2034, or the link 'add a file' in the choose resources box)

we have to add the protection on the server side on all actions to prevent all this kind of bugs and of course any hacking