Merge pull request #3362 from nextcloud/backport/3361/stable5.2

[stable5.2] fix: only clone question from same form

Author: Chartman123

lib/Controller/ApiController.php

@@ -533,6 +533,10 @@ public function newQuestion(int $formId, ?string $type = null, string $text = ''
 
 			try {
 				$sourceQuestion = $this->questionMapper->findById($fromId);
+				// Only allow cloning questions that belong to the same form
+				if ($sourceQuestion->getFormId() !== $formId) {
+					throw new OCSBadRequestException('Question doesn\'t belong to given form');
+				}
 				$sourceOptions = $this->optionMapper->findByQuestion($fromId);
 			} catch (IMapperException $e) {
 				$this->logger->debug('Could not find question');