GSSA-2026-04-PR3QFF | 2026-04-25 | Severity: 4.3 Medium
IDOR on /api/loa/user/:userId and /api/strikes/user/:userId in cobc-events
Endpoints returning another user's LoA/strikes only required `view_own_*` permission and did not enforce that the caller owned the path parameter, allowing any authenticated host to read other users' history.
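As an added illustration (not the cobc-events code), the authorization pattern described above sits next to its corrected form below. It assumes an Express-style request object (`req.user = { id, permissions }`, `req.params.userId`), the permission names `view_own_loa` and `view_own_strikes`, and a constructed in-memory store; all three are assumptions.

```javascript
// Added illustration, not code from cobc-events. Assumes an Express-style
// request shape and the permission names view_own_loa / view_own_strikes.

// Constructed sample store: one map per history type, keyed by user id.
const store = {
  loa: {
    u1: [{ from: "2026-04-01", to: "2026-04-10" }],
    u2: [{ from: "2026-03-15", to: "2026-03-20" }],
  },
  strikes: {
    u1: [],
    u2: [{ date: "2026-02-02", reason: "no-show" }],
  },
};

function hasPermission(user, perm) {
  return Boolean(user) && Array.isArray(user.permissions) && user.permissions.includes(perm);
}

// Vulnerable pattern from the advisory: the handler checks that the caller
// holds view_own_<kind> but never compares :userId with the caller's own id,
// so any authenticated caller can read any user's history.
function makeVulnerableHandler(kind) {
  return (req) => {
    if (!hasPermission(req.user, `view_own_${kind}`)) {
      return { status: 403, body: { error: "forbidden" } };
    }
    return { status: 200, body: store[kind][req.params.userId] || [] };
  };
}

// Fixed: a view_own_* permission only ever authorises the caller's own record,
// so ownership of the path parameter is enforced before any lookup happens.
// Both ids are coerced to strings so a numeric session id still matches the
// string route parameter.
function makeFixedHandler(kind) {
  return (req) => {
    if (!hasPermission(req.user, `view_own_${kind}`)) {
      return { status: 403, body: { error: "forbidden" } };
    }
    if (String(req.params.userId) !== String(req.user.id)) {
      // Same response as the permission failure: nothing about the
      // requested user id is revealed.
      return { status: 403, body: { error: "forbidden" } };
    }
    return { status: 200, body: store[kind][req.params.userId] || [] };
  };
}

// Route table mirroring the two affected endpoints.
const routes = {
  "/api/loa/user/:userId": { vulnerable: makeVulnerableHandler("loa"), fixed: makeFixedHandler("loa") },
  "/api/strikes/user/:userId": { vulnerable: makeVulnerableHandler("strikes"), fixed: makeFixedHandler("strikes") },
};
```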