Easy way to create a new Deck board without permission

Summary:

Admins can decide which groups are allowed to create boards. But a user who is part of an unauthorized group can easily create a new board by cloning an existing one and renaming it.

Steps To Reproduce:

1. As an admin, create user1, group1 and group2, then assign group1 to user1
2. In "Decks" app > "Deck settings", add group2 to the "Limit board creation to some groups" input. It is indicated that

Users outside of those groups will not be able to create their own boards, but will still be able to work on boards that have been shared with them.

3. As user1, in "Decks" app, see that the button "+ Add board" is not displayed, which is expected. Sending the request directly will also fail with a 403 error and a message ""Creating boards has been disabled for your account.".
4. Now click on the "Personal" board options, and choose "Clone board". A copy of the board will be created. You can rename it, and you just created a new board with all "classic" options available. You could also directly send the request POST /nextcloud/apps/deck/boards/board_number/clone.