Protect routes and queries

[Seerden]

Data should be bound and only accessible to the user that owns it.

• implement middleware to disallow reading, writing data that doesn't belong to the user making the request
• do a once-over to check that we only insert ids into database queries using session values, not using request information