Make sure teachers can't upload videos into arbitrary series.

By only accepting the series param if on $courseid==$SITE->id.

addvideo.php

@@ -35,7 +35,11 @@
 require_once($CFG->dirroot . '/repository/lib.php');
 
 $courseid = required_param('courseid', PARAM_INT);
-$series = optional_param('series', null, PARAM_ALPHANUMEXT);
+if ($courseid == $SITE->id) {
+    $series = optional_param('series', null, PARAM_ALPHANUMEXT);
+} else {
+    $series = null;
+}
 $ocinstanceid = optional_param('ocinstanceid', settings_api::get_default_ocinstance()->id, PARAM_INT);
 
 $baseurlparams = [