In the DOCS: For a multisig input (whether pay-to-scripthash or bare multisig), the address corresponding to at least one of the pubkeys, or the pay-to-scripthash address itself, must have send permissions.
I would like to know if the blockchain checks that one of the submitted signatures in the tx inputs transaction has send permissions, because if not, then there is a chance for foul play.
Come to think of it, a malicious user can scan the blockchain for an old transaction that has a valid anyone can send permission,
create a new 2 in 3 multisig address using two addresses that cannot send and the address that can send. He can use this to receive coins and send without ever having to require send permission.
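
The distinction the question turns on, as an added example (not MultiChain's code and not part of the original post): a literal reading of the quoted rule, evaluated over the pubkeys listed in the multisig script, beside a hypothetical stricter rule evaluated over the keys that actually signed. The addresses, the permission table and all function names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed permission table: address -> granted permissions.
PERMISSIONS = {
    "addr_A": {"send", "receive"},   # the only address with send
    "addr_B": {"receive"},
    "addr_C": {"receive"},
}

@dataclass(frozen=True)
class MultisigInput:
    required: int                    # m in m-of-n
    pubkey_addrs: Tuple[str, ...]    # addresses of the n pubkeys in the script
    signer_addrs: Tuple[str, ...]    # addresses whose keys actually signed
    p2sh_addr: Optional[str] = None  # set for pay-to-scripthash inputs

def has_send(addr, perms):
    return addr is not None and "send" in perms.get(addr, set())

def signatures_valid(inp):
    """m distinct signers, all drawn from the script's own pubkeys."""
    signers = set(inp.signer_addrs)
    return len(signers) >= inp.required and signers <= set(inp.pubkey_addrs)

def rule_as_quoted(inp, perms):
    """Literal reading of the docs sentence: any listed pubkey address,
    or the P2SH address itself, has send permission."""
    return signatures_valid(inp) and (
        has_send(inp.p2sh_addr, perms)
        or any(has_send(a, perms) for a in inp.pubkey_addrs))

def rule_signer_based(inp, perms):
    """Hypothetical stricter rule: at least one key that actually signed
    (or the P2SH address itself) has send permission."""
    return signatures_valid(inp) and (
        has_send(inp.p2sh_addr, perms)
        or any(has_send(a, perms) for a in inp.signer_addrs))

# The 2-of-3 case from the post: only addr_A can send, but addr_B and addr_C sign.
SCENARIO = MultisigInput(2, ("addr_A", "addr_B", "addr_C"), ("addr_B", "addr_C"))

if __name__ == "__main__":
    print("pubkey-listed rule :", rule_as_quoted(SCENARIO, PERMISSIONS))
    print("signer-based rule  :", rule_signer_based(SCENARIO, PERMISSIONS))
```

The two rules disagree only when the permitted key is listed in the script but does not sign, which is exactly the case the question asks about.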