fix(api): only allow cloning questions from the same form

Author: Chartman123

lib/Controller/ApiController.php

@@ -562,6 +562,10 @@ public function newQuestion(int $formId, ?string $type = null, ?string $subtype
 
 			try {
 				$sourceQuestion = $this->questionMapper->findById($fromId);
+				// Only allow cloning questions that belong to the same form
+				if ($sourceQuestion->getFormId() !== $formId) {
+					throw new OCSBadRequestException('Question doesn\'t belong to given form');
+				}
 				$sourceOptions = $this->optionMapper->findByQuestion($fromId);
 			} catch (IMapperException $e) {
 				$this->logger->debug('Could not find question');