This simple method takes a string value from a query parameter and checks whether that user account has admin privileges. The problem is that anyone can pass in any known admin account and bypass this security measure: the method makes no attempt to check whether the user making the request owns the account passed in.
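The flaw described above next to one way to close it, as an added example that is not the page's original method. The function names, the session table and the accounts are assumptions constructed for illustration.

```python
from typing import Optional

# Constructed sample data; every name here is hypothetical.
ADMINS = {"alice"}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}  # session token -> authenticated user
AUDIT_LOG = []  # (caller, claimed) pairs for denied ownership mismatches


def is_admin_vulnerable(query: dict) -> bool:
    """The flawed pattern: the account name comes straight from the query string."""
    return query.get("user") in ADMINS


def is_admin_hardened(query: dict, session_token: Optional[str]) -> bool:
    """Decide from the authenticated session, never from the query parameter."""
    caller = SESSIONS.get(session_token)
    if caller is None:
        return False  # unauthenticated request: fail closed
    claimed = query.get("user")
    if claimed is not None and claimed != caller:
        # Requester does not own the account passed in: deny and record it.
        AUDIT_LOG.append((caller, claimed))
        return False
    return caller in ADMINS


if __name__ == "__main__":
    # Bob is authenticated as himself but names Alice's account in the query.
    request_query = {"user": "alice"}
    print(is_admin_vulnerable(request_query))             # flawed check result
    print(is_admin_hardened(request_query, "tok-bob"))    # non-owner
    print(is_admin_hardened(request_query, "tok-alice"))  # real owner
    print(AUDIT_LOG)                                      # mismatches kept for review
```

The recorded mismatches give a detection signal: a caller repeatedly naming accounts it does not own is worth alerting on.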