security: high-severity fixes (api throttle, fillable, idor, path, rel)

- Add 60 req/min throttle to the public API group and a stricter 10 req/min
  throttle to POST /highscores.
- Replace mass-assigned $guarded=[] with explicit $fillable on User, Meetup,
  Course, Lecturer, and SelfHostedService. created_by stays out of the
  whitelist; the existing creating() hooks continue to populate it.
- Require authenticated user on Api/MeetupController::index instead of
  trusting the user_id query parameter (IDOR).
- Constrain the /img and /img-public route paths to a safe character set
  and reject any path containing ".." in ImageController.
- Add rel="noopener noreferrer" to every target="_blank" link on the meetup
  and course landing pages.

app/Http/Controllers/ImageController.php

@@ -12,6 +12,8 @@ class ImageController extends Controller
 {
     public function __invoke(Request $request, $path)
     {
+        abort_if(str_contains($path, '..'), 404);
+
         $source = new \League\Flysystem\Filesystem(
             new \League\Flysystem\Local\LocalFilesystemAdapter(storage_path('app'))
         );