PressPrimer Quiz <= 2.3.0 - Insecure Direct Object Reference to Authenticated (Custom+) Arbitrary Modification via 'quiz_id', 'item_id', and 'rule_id' Parameters
Description
The PressPrimer Quiz – AI Quiz Maker, Exam Builder & LMS Assessment Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.3.0 via the 'rule_id' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with custom-level access and above, to modify or delete quiz rules belonging to other teachers, resulting in unauthorized tampering of another user's quiz structure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: <=2.3.0
Patches
Vulnerability mechanics
Root cause
"Missing ownership validation on the 'rule_id' and 'quiz_id' parameters in quiz rules and quiz items REST endpoints allows an authenticated attacker to modify or delete another teacher's quiz rules."
Attack vector
An authenticated attacker with at least the `pressprimer_quiz_manage_own` capability (custom-level access and above) can send crafted REST API requests to the `/ppq/v1/quizzes/{quiz_id}/rules/{rule_id}` endpoints, supplying another teacher's `quiz_id` and `rule_id` parameters. Because the original code only verified the user had the general capability to manage quizzes — not that they owned the targeted quiz — the attacker could modify or delete quiz rules belonging to other teachers, tampering with their quiz structure. The same IDOR pattern existed on the quiz items endpoints.
Affected code
The vulnerability resides in the REST controller `includes/api/class-ppq-rest-controller.php` (versions ≤ 2.3.0). The `get_quiz_rules`, `create_quiz_rule`, `update_quiz_rule`, `delete_quiz_rule`, and `reorder_quiz_rules` handlers, along with the corresponding quiz items handlers, lacked ownership validation — they only checked the generic `check_permission()` capability without verifying that the `quiz_id` or `rule_id` belonged to the authenticated user. The patch introduces a shared `get_owned_quiz_or_error()` helper that enforces ownership on every per-quiz endpoint [patch_id=6466790].
What the fix does
The patch adds a private `get_owned_quiz_or_error()` method that loads the quiz by ID and checks whether the current user owns it (or has the `pressprimer_quiz_manage_all` capability to bypass). Every quiz items and quiz rules handler now calls this helper at the top of its function body, returning a 403 error if the user does not own the quiz. Additionally, single-object handlers (`update_quiz_item`, `delete_quiz_item`, `update_quiz_rule`, `delete_quiz_rule`) verify that the child record's `quiz_id` matches the URL's `quiz_id`, and the reorder endpoints validate every supplied ID belongs to the URL's quiz before performing the reorder [patch_id=6466790].
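A condensed sketch of the ownership checks the patch is described as adding, written here as an added illustration and not taken from the plugin's code: `PPQ_Quiz_Repo`, `PPQ_Rule_Repo`, the `author_id` field and the error codes are hypothetical stand-ins for the plugin's data layer, while the capability names and route shape follow the text above.

```php
<?php
// Added illustration of the fix pattern described above; repository classes are hypothetical.
class PPQ_Rules_Endpoint_Example {
    // Loads the quiz and enforces ownership; modelled on the patch's get_owned_quiz_or_error().
    private function get_owned_quiz_or_error( int $quiz_id ) {
        $quiz = PPQ_Quiz_Repo::find( $quiz_id ); // hypothetical: returns object or null
        if ( ! $quiz ) {
            return new WP_Error( 'ppq_not_found', 'Quiz not found.', array( 'status' => 404 ) );
        }
        // Only the owner, or a user holding the manage-all capability, may proceed.
        if ( (int) $quiz->author_id !== get_current_user_id()
            && ! current_user_can( 'pressprimer_quiz_manage_all' ) ) {
            return new WP_Error( 'ppq_forbidden', 'You do not own this quiz.', array( 'status' => 403 ) );
        }
        return $quiz;
    }

    // DELETE /ppq/v1/quizzes/{quiz_id}/rules/{rule_id}
    public function delete_quiz_rule( WP_REST_Request $request ) {
        $quiz_id = (int) $request->get_param( 'quiz_id' );
        $rule_id = (int) $request->get_param( 'rule_id' );
        $quiz    = $this->get_owned_quiz_or_error( $quiz_id );
        if ( is_wp_error( $quiz ) ) {
            return $quiz;
        }
        // Second check: the child record must belong to the quiz named in the URL.
        $rule = PPQ_Rule_Repo::find( $rule_id ); // hypothetical
        if ( ! $rule || (int) $rule->quiz_id !== $quiz_id ) {
            return new WP_Error( 'ppq_not_found', 'Rule not found for this quiz.', array( 'status' => 404 ) );
        }
        PPQ_Rule_Repo::delete( $rule_id ); // hypothetical
        return new WP_REST_Response( null, 204 );
    }

    // POST /ppq/v1/quizzes/{quiz_id}/rules/reorder with body { "order": [ ...rule ids ] }
    public function reorder_quiz_rules( WP_REST_Request $request ) {
        $quiz_id = (int) $request->get_param( 'quiz_id' );
        $quiz    = $this->get_owned_quiz_or_error( $quiz_id );
        if ( is_wp_error( $quiz ) ) {
            return $quiz;
        }
        $ids   = array_map( 'intval', (array) $request->get_param( 'order' ) );
        $owned = array_map( 'intval', PPQ_Rule_Repo::ids_for_quiz( $quiz_id ) ); // hypothetical
        // Every supplied ID must be one of this quiz's rules before any write happens.
        if ( array_diff( $ids, $owned ) ) {
            return new WP_Error( 'ppq_bad_request', 'Order contains rules outside this quiz.', array( 'status' => 400 ) );
        }
        PPQ_Rule_Repo::reorder( $quiz_id, $ids ); // hypothetical
        return new WP_REST_Response( array( 'order' => $ids ), 200 );
    }
}
```

The two-stage check matters: owning the quiz in the URL is not enough on its own, since a rule_id from someone else's quiz could otherwise be paired with an owned quiz_id.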
Preconditions
- Authentication: attacker must be authenticated with at least the pressprimer_quiz_manage_own capability (custom-level access or above)
- Configuration: target quiz must belong to a different teacher (another user)
- Input: attacker must know or enumerate the target quiz_id and rule_id
Generated on Jun 18, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/PressPrimer/pressprimer-quiz/commit/1795687 (MITRE)
- plugins.trac.wordpress.org/browser/pressprimer-quiz/tags/2.1.0/includes/api/class-ppq-rest-controller.php (MITRE)
- plugins.trac.wordpress.org/browser/pressprimer-quiz/tags/2.2.2/includes/api/class-ppq-rest-controller.php (MITRE)
- www.wordfence.com/threat-intel/vulnerabilities/id/150ac796-d77b-4915-8bbf-9f9b54be8eaf (MITRE)