security: high-severity fixes (api throttle, fillable, idor, path, rel)

- Add 60 req/min throttle to the public API group and a stricter 10 req/min
  throttle to POST /highscores.
- Replace mass-assigned $guarded=[] with explicit $fillable on User, Meetup,
  Course, Lecturer, and SelfHostedService. created_by stays out of the
  whitelist; the existing creating() hooks continue to populate it.
- Require authenticated user on Api/MeetupController::index instead of
  trusting the user_id query parameter (IDOR).
- Constrain the /img and /img-public route paths to a safe character set
  and reject any path containing ".." in ImageController.
- Add rel="noopener noreferrer" to every target="_blank" link on the meetup
  and course landing pages.

app/Models/User.php

@@ -24,7 +24,28 @@ class User extends Authenticatable implements CipherSweetEncrypted
     use Notifiable;
     use UsesCipherSweet;
 
-    protected $guarded = [];
+    protected $fillable = [
+        'name',
+        'email',
+        'password',
+        'email_verified_at',
+        'remember_token',
+        'profile_photo_path',
+        'public_key',
+        'is_lecturer',
+        'is_leader',
+        'current_team_id',
+        'current_language',
+        'timezone',
+        'lightning_address',
+        'lnurl',
+        'node_id',
+        'paynym',
+        'nostr',
+        'lnbits',
+        'change',
+        'change_time',
+    ];
 
     /**
      * The attributes that should be hidden for serialization.