Hi.
I have a security problem while doing a SCORM course.
After completing the course, a POST is sent to mod/scorm/datamodel.php. The POST contains, among others, the result and status.
I copied the cookie (MoodleSession) and the POST values along with the sesskey to Postman. I replaced the POST value cmi.core.score.raw with a higher one and sent the request again. The data in the database has been updated. Any user who does a SCORM course can update data in the database.
Is there any way of authorization to catch the situation when the user tries to substitute values in the database in this way?