[P0] Fix authorization bypass in schedule finish endpoint

[jjoonleo]

Problem

PUT /schedules/{scheduleId}/finish ignores the scheduleId path parameter and updates the schedule ID supplied in the request body. The service method that writes lateness status loads the schedule directly by ID without checking that it belongs to the authenticated user.

Why this is not production ready

Any authenticated user who can obtain or guess another schedule UUID can update another user's schedule completion/lateness state. This affects user data integrity and punctuality score calculations.

Evidence

• ScheduleController.finishSchedule maps @PutMapping("/{scheduleId}/finish") but does not declare or use @PathVariable UUID scheduleId.
• ScheduleService.finishSchedule(Long userId, FinishPreparationDto finishPreparationDto) calls updateLatenessTime(finishPreparationDto).
• ScheduleService.updateLatenessTime calls scheduleRepository.findById(scheduleId) and updates the schedule without ownership validation.
• Existing helper getScheduleWithAuthorization(scheduleId, userId) is not used here.

Required work

• Make the endpoint use the path scheduleId as the authoritative schedule identifier.
• Remove scheduleId from the body or validate that body/path match.
• In finishSchedule, load the schedule with getScheduleWithAuthorization(scheduleId, userId) before mutation.
• Add regression tests proving a user cannot finish another user's schedule.
• Decide whether repeated finish calls should be idempotent or rejected and test that behavior.

Acceptance criteria

• Cross-user schedule finish attempts return an authorization error and do not mutate schedule or score.
• Path/body mismatch is rejected with a clear 400 response if body ID remains supported.
• Tests cover success, missing schedule, wrong owner, and path/body mismatch.