CVE-2021-40692

Insufficient capability checks made it possible for teachers to download users outside of their courses.