fix(auth): Schiffsdaten und Skipper-Profil nur für Logbuch-Eigner

Eingeladene Crew (WRITE) sieht Schiffsdaten und Skipper-Profil schreibgeschützt; Server-Sync lehnt entsprechende Änderungen ab.

Co-authored-by: Cursor <cursoragent@cursor.com>

server/src/routes/sync.ts

@@ -121,6 +121,17 @@ router.post('/push', async (req: any, res) => {
           continue
         }
 
+        if (!isOwner && (type === 'yacht' || (type === 'crew' && payloadId === 'skipper'))) {
+          results.push({
+            payloadId,
+            status: 'error',
+            error: type === 'yacht'
+              ? 'Forbidden: Only owner can modify vessel data'
+              : 'Forbidden: Only owner can modify skipper profile'
+          })
+          continue
+        }
+
         if (action === 'delete') {
           if (type === 'yacht') {
             await prisma.yachtPayload.deleteMany({ where: { logbookId } })