gamoteca / moodle-mod_gamoteca


webservices appear to be missing context and capability checks. #6

Closed danmarsden closed 7 months ago

danmarsden commented 2 years ago

Looks like anyone can call the webservice functions and update data for any users in the site.

Please ensure that you add context and appropriate capability checks, for example:

```php
$context = context_course::instance($group->courseid);
self::validate_context($context);
require_capability('moodle/course:managegroups', $context);
```

More information on the correct set up of a webservice is in the docs here: https://docs.moodle.org/dev/Adding_a_web_service_to_a_plugin
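
The pattern requested above, applied to a whole external function, as an added example that is not part of the original issue and is not code from mod_gamoteca. It assumes it is loaded inside a Moodle plugin; the class, function, table, parameter and capability names are hypothetical.

```php
<?php
// Added example. All mod_example names, the table and both capabilities are hypothetical.
defined('MOODLE_INTERNAL') || die();
global $CFG;
require_once($CFG->libdir . '/externallib.php');

class mod_example_external extends external_api {

    public static function update_progress_parameters() {
        return new external_function_parameters([
            'cmid'   => new external_value(PARAM_INT, 'Course module id of the activity'),
            'userid' => new external_value(PARAM_INT, 'User whose record is updated'),
            'score'  => new external_value(PARAM_INT, 'New score'),
        ]);
    }

    public static function update_progress($cmid, $userid, $score) {
        global $DB, $USER;

        // 1. Clean and type-check every argument against the declared parameters.
        $params = self::validate_parameters(self::update_progress_parameters(),
            ['cmid' => $cmid, 'userid' => $userid, 'score' => $score]);

        // 2. Derive the context from the object being modified, never from the caller's
        //    say-so, and validate it before any other work.
        $cm = get_coursemodule_from_id('example', $params['cmid'], 0, false, MUST_EXIST);
        $context = context_module::instance($cm->id);
        self::validate_context($context);

        // 3. Writing another user's record needs a stronger capability than writing
        //    your own. Without this branch any token holder can update any user.
        if ((int)$params['userid'] !== (int)$USER->id) {
            require_capability('mod/example:manageprogress', $context);
        } else {
            require_capability('mod/example:submit', $context);
        }

        // 4. Only after all checks pass is the database touched.
        $DB->set_field('example_progress', 'score', $params['score'],
            ['exampleid' => $cm->instance, 'userid' => $params['userid']]);
        return ['status' => true];
    }

    public static function update_progress_returns() {
        return new external_single_structure([
            'status' => new external_value(PARAM_BOOL, 'True when the record was updated'),
        ]);
    }
}
```

Listing capabilities for the function in `db/services.php` is informational only; the `require_capability()` call inside the function is what enforces access.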

Tunyesz commented 2 years ago

Added validation and required capabilities #9