Fix: Datenschutz Hintergrundbild + Dog-Refresh nach Anlegen (SW by-v928)

- dogs.py: welcome-dashboard Foto-Queries filtern jetzt auch nach user_id
- worlds.js: Background Cache-Key enthält user_id (kein Cross-User Leakage)
- worlds.js: Worlds.refresh(appState) neu
- dog-profile.js: Worlds.refresh() nach Hund anlegen aufrufen
rene 2026-05-14 11:35:53 +02:00
parent 2a3afa0604
commit 00457f52f9
6 changed files with 25 additions and 9 deletions


@ -191,23 +191,24 @@ async def get_welcome_dashboard(dog_id: int, user=Depends(get_current_user)):
raise HTTPException(404, "Hund nicht gefunden.")
# Hintergrundfoto: Querformat-Bilder bevorzugt, tagesweise rotierend
# user_id-Filter als zweite Sicherungsebene (dog_id-Ownership bereits oben geprüft)
photos = conn.execute(
"""SELECT dm.url FROM diary_media dm
JOIN diary d ON d.id = dm.diary_id
WHERE d.dog_id=? AND dm.media_type='image'
WHERE d.dog_id=? AND d.user_id=? AND dm.media_type='image'
AND dm.img_width IS NOT NULL AND dm.img_width > dm.img_height
ORDER BY d.datum DESC, d.id DESC, dm.id ASC""",
(dog_id,)
(dog_id, user["id"])
).fetchall()
# Fallback: Bilder ohne Dimensionsdaten (vor dem Backfill hochgeladen)
if not photos:
photos = conn.execute(
"""SELECT dm.url FROM diary_media dm
JOIN diary d ON d.id = dm.diary_id
WHERE d.dog_id=? AND dm.media_type='image'
WHERE d.dog_id=? AND d.user_id=? AND dm.media_type='image'
AND dm.img_width IS NULL
ORDER BY d.datum DESC, d.id DESC, dm.id ASC""",
(dog_id,)
(dog_id, user["id"])
).fetchall()
random_photo = None
if photos: