ethz-let / moodle-qtype_drawing


(almost) no permission/sanity checks for annotation getting/saving #6

Closed daniil-berg closed 2 years ago

daniil-berg commented 3 years ago

In getannotation.php and saveannotation.php there aren't any permission checks preventing someone from accessing arbitrary annotation data and saving unlimited amounts of data to the DB respectively, as long as he has the mod/quiz:grade permission. In the first case this is a potential data leak, in the second case this opens the door for flooding the database because there are no checks made with $attemptid and $attemptcount. (Someone could just create new database entries just by changing those parameters.)
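The checks the report says are missing, written out as an added, hypothetical hardening sketch for an endpoint such as saveannotation.php (the same attempt-lookup and capability checks would apply to getannotation.php). This is not the plugin's own code: the config.php path, the `qtype_drawing_annotation` table name and its columns, the size limit, and the use of `invalid_parameter_exception` are assumptions; `quiz_attempts`, `get_coursemodule_from_instance`, `require_login`, `require_sesskey` and `require_capability` are core Moodle APIs.

```php
<?php
// Added, hypothetical hardening sketch; not the plugin's own code.
// Assumes Moodle core tables/APIs; table name and limit are placeholders.
require_once(__DIR__ . '/../../../config.php');   // path is an assumption

$attemptid    = required_param('attemptid', PARAM_INT);
$attemptcount = required_param('attemptcount', PARAM_INT);
$annotation   = optional_param('annotation', '', PARAM_RAW);

// 1. The attempt must exist. Rejecting unknown ids stops a caller from
//    manufacturing rows for attempts that were never made.
$attempt = $DB->get_record('quiz_attempts', ['id' => $attemptid], '*', MUST_EXIST);

// 2. Resolve the quiz the attempt belongs to, so the capability is checked in
//    the context of *that* quiz, not any quiz the user happens to grade elsewhere.
$cm      = get_coursemodule_from_instance('quiz', $attempt->quiz, 0, false, MUST_EXIST);
$course  = $DB->get_record('course', ['id' => $cm->course], '*', MUST_EXIST);
$context = context_module::instance($cm->id);

require_login($course, false, $cm);
require_sesskey();                               // state-changing request: CSRF token
require_capability('mod/quiz:grade', $context);  // grader of this quiz specifically

// 3. Bound what a single request may store (placeholder limit) and reject
//    nonsensical step counters.
define('QTYPE_DRAWING_MAX_ANNOTATION_BYTES', 512 * 1024);
if (strlen($annotation) > QTYPE_DRAWING_MAX_ANNOTATION_BYTES) {
    throw new invalid_parameter_exception('annotation too large');
}
if ($attemptcount < 0) {
    throw new invalid_parameter_exception('attemptcount must be non-negative');
}

// 4. Update-or-insert keyed by (attemptid, attemptcount) so repeated saves for
//    the same attempt overwrite one row instead of growing the table without
//    bound. 'qtype_drawing_annotation' and its columns are placeholders.
$existing = $DB->get_record('qtype_drawing_annotation',
    ['attemptid' => $attemptid, 'attemptcount' => $attemptcount]);
if ($existing) {
    $existing->data         = $annotation;
    $existing->timemodified = time();
    $DB->update_record('qtype_drawing_annotation', $existing);
} else {
    $DB->insert_record('qtype_drawing_annotation', (object)[
        'attemptid'    => $attemptid,
        'attemptcount' => $attemptcount,
        'data'         => $annotation,
        'timemodified' => time(),
    ]);
}

echo json_encode(['status' => 'ok']);
```

The key point is the order of the checks: the attempt id is resolved first, and the capability is then tested in the context derived from that attempt, so holding mod/quiz:grade in one quiz no longer grants read or write access to annotations from every other quiz on the site.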

nexterday commented 3 years ago

I'm sorry to disappoint you, but also having admin rights (or teacher rights), I can simply wipe all courses... May I suggest you have a look at the Risk section in: https://docs.moodle.org/311/en/Risks

For us, whoever is able to grade a question/quiz is a trusted person, so this check is sufficient for us. Should you want an extra check, please share your idea; as far as I know, all checks land you in the Risks outlined in the link above.