This repository has been archived by the owner on Feb 17, 2024. It is now read-only.

Protecting the answers download endpoint #9

Open
pjotrsavitski opened this issue Feb 4, 2019 · 0 comments
Labels
task A task to be completed

Comments

@pjotrsavitski
Contributor

The endpoint for downloading answers should have better protection than just checking the UUID of the Session Entity. In future versions that identifier is planned to be used with the URLs instead of the serial identifier, making that available to all the participants with the URL to the session page.

The best approach would be to check for the update permission on the entity itself, but that would limit it to only be available to the authenticated users.
Another approach would be to generate some unique token and allow that to be used instead. Ideally, the token would be short-lived and/or not part of the URL. Potentially passed as a header of the HTTP request.

@pjotrsavitski pjotrsavitski added the task A task to be completed label Feb 4, 2019
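The token approach described in the issue, sketched as an added example (not code from this repository or its author): an HMAC-signed token bound to one session UUID, short-lived, and read from a request header instead of the URL. Python is used only for illustration; the header name `X-Download-Token`, the 5-minute lifetime, the key handling and all function names are assumptions.

```python
import base64
import hashlib
import hmac
import time

HEADER = "X-Download-Token"  # hypothetical header name, not from the project
TTL_SECONDS = 300            # assumed lifetime; the issue only says "short-lived"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _sign(key: bytes, payload: bytes) -> bytes:
    return _b64(hmac.new(key, payload, hashlib.sha256).digest()).encode()


def issue_token(key: bytes, session_uuid: str, now=None, ttl=TTL_SECONDS) -> str:
    """Issue a token to someone who already passed the entity's update-permission check."""
    expires = int(time.time() if now is None else now) + ttl
    payload = f"{session_uuid}|{expires}".encode()
    return f"{_b64(payload)}.{_sign(key, payload).decode()}"


def verify_token(key: bytes, token: str, session_uuid: str, now=None) -> bool:
    """Accept only an untampered, unexpired token issued for this exact session."""
    try:
        body, sig = token.split(".")
        payload = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
        # Constant-time comparison on bytes: no timing leak, no str/ASCII errors.
        if not hmac.compare_digest(sig.encode(), _sign(key, payload)):
            return False
        bound_uuid, expires = payload.decode().rsplit("|", 1)
        expires = int(expires)
    except (ValueError, UnicodeError):
        return False  # malformed token: wrong part count, bad base64, bad expiry
    now = int(time.time() if now is None else now)
    # Knowing the session UUID alone is not enough: it must match a signed token.
    return hmac.compare_digest(bound_uuid.encode(), session_uuid.encode()) and now < expires


def authorize_download(key: bytes, headers: dict, session_uuid: str, now=None) -> bool:
    """Gate for the download endpoint: the token comes from a header, never the URL."""
    token = headers.get(HEADER)
    return bool(token) and verify_token(key, token, session_uuid, now)
```

The signing key would be a server-side secret of at least 32 random bytes; keeping the token out of the URL keeps it out of access logs, browser history and `Referer` headers.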