This PR fixes a security issue where authenticated users could access and modify data belonging to
other users. The isOwnProfileOrAdmin() middleware was missing from several push subscription API
routes. As a result, any authenticated user on the instance could manipulate the userId parameter in
the URL to view or delete the push subscriptions of other users.
