Description

The tool-default routes in the core/base plugin (https://github.com/nzzdev/Q-server/blob/dev/plugins/core/base/routes/tool-default.js) use the query param appendItemToPayload to load an item from DB and append it to the POST request to the tool service. Any item can be sent to any tool using this feature.

There should be a check in these handlers to return an error if the item passed in appendItemPayload points to another tool than passed in the route params (part of the URL).