CVE-2026-49338: Subsonic API: any authenticated user can delete or read any other user's playlist (IDOR)
In gonic, the Subsonic API endpoints /rest/deletePlaylist.view and /rest/getPlaylist.view perform no per-resource authorization. Once authenticated as any user (admin or not), an attacker can:
- Delete any playlist owned by any other user (including admin) by passing its id.
- Read the full contents (name, comment, song list) of any other user's private (non-public) playlist by passing its id.
The Subsonic playlist id is base64url("<userID>/<filename>.m3u"). Because filenames are user-supplied or time-derived and the userID is a small integer, IDs are guessable and frequently exposed (e.g. a previously-public playlist that was later made private still has the same ID).
This breaks the multi-user trust boundary of gonic: a low-privileged user can wipe an administrator’s curated playlists, and a user can exfiltrate any private playlist they obtain an ID for.
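The per-resource ownership check that the two endpoints lack, as an added Go example that is not gonic's own code: it decodes the playlist ID format the advisory describes, then requires ownership for delete and ownership or a public flag for read. The in-memory publicByID table stands in for gonic's playlist storage, and admin override rules are not modelled.

```go
package main
import (
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

var (
	ErrNotFound  = errors.New("playlist not found")
	ErrForbidden = errors.New("not the playlist owner")
	publicByID   = map[string]bool{} // constructed stand-in for stored playlists: ID -> public flag
)

// newPlaylistID builds the advisory's ID format, base64url("<userID>/<filename>.m3u").
func newPlaylistID(owner int, filename string) string {
	return base64.RawURLEncoding.EncodeToString([]byte(fmt.Sprintf("%d/%s.m3u", owner, filename)))
}

// ownerFromPlaylistID decodes an ID and returns the owning user ID, rejecting
// anything that is not "<positive int>/<single path element>.m3u".
func ownerFromPlaylistID(id string) (int, error) {
	raw, decErr := base64.RawURLEncoding.DecodeString(strings.TrimRight(id, "="))
	ownerStr, file, ok := strings.Cut(string(raw), "/")
	owner, convErr := strconv.Atoi(ownerStr)
	if decErr != nil || !ok || convErr != nil || owner <= 0 ||
		!strings.HasSuffix(file, ".m3u") || strings.ContainsAny(file, `/\`) {
		return 0, ErrNotFound
	}
	return owner, nil
}

// authorizePlaylist is the per-resource check the vulnerable endpoints lacked:
// deleting needs ownership; reading needs ownership or a public playlist.
func authorizePlaylist(id string, requester int, deleting bool) error {
	owner, err := ownerFromPlaylistID(id)
	if err != nil {
		return err
	}
	public, exists := publicByID[id]
	if !exists {
		return ErrNotFound
	}
	if requester != owner && (deleting || !public) {
		return ErrForbidden // the HTTP layer should answer exactly as for ErrNotFound
	}
	return nil
}
```

Answering a forbidden request with the same response as an unknown ID keeps the endpoint from confirming which guessable IDs exist.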