server
Missing perm/limit checks in multiple places
At multiple points in the API, there seems to be a lack of permission checks and limit checks.
This affects too many endpoints to name here; examples are welcome to be posted as comments.
Numeric limits are intentionally not enforced in certain endpoints, some due to the administrative nature of the endpoint, others due to the fact we do not yet have the corresponding configuration facilities for those limits. Need to identify which non-enforcements are intentional and which ones are overlooked.