fix(security): restrict DRAFT list to author — prevent cross-user draft leak

GeschichteService.list() now applies hasAuthor(currentUser()) whenever
status == DRAFT, so BLOG_WRITE users cannot read other users' unpublished stories.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/src/main/java/org/raddatz/familienarchiv/geschichte/GeschichteService.java

@@ -77,8 +77,10 @@ public class GeschichteService {
         GeschichteStatus effective = currentUserHasBlogWrite() ? status : GeschichteStatus.PUBLISHED;
         int safeLimit = limit <= 0 ? DEFAULT_LIMIT : Math.min(limit, MAX_LIMIT);
 
+        UUID authorId = effective == GeschichteStatus.DRAFT ? currentUser().getId() : null;
         Specification<Geschichte> spec = Specification.allOf(
                 GeschichteSpecifications.hasStatus(effective),
+                GeschichteSpecifications.hasAuthor(authorId),
                 GeschichteSpecifications.hasAllPersons(personIds),
                 GeschichteSpecifications.hasDocument(documentId),
                 GeschichteSpecifications.orderByDisplayDateDesc()

backend/src/main/java/org/raddatz/familienarchiv/geschichte/GeschichteSpecifications.java

@@ -42,6 +42,11 @@ public final class GeschichteSpecifications {
         };
     }
 
+    public static Specification<Geschichte> hasAuthor(UUID authorId) {
+        return (root, query, cb) ->
+                authorId == null ? null : cb.equal(root.get("author").get("id"), authorId);
+    }
+
     public static Specification<Geschichte> hasDocument(UUID documentId) {
         return (root, query, cb) -> {
             if (documentId == null) return null;