server: ensure only own notifications can be marked as read

Exploiting this before should already have been rather difficult because you
would need to know or guess the notification's ID. It is also of relatively
low security impact.

Changelog: Fixed
syuilo 2022-09-06 20:54:49 +09:00 committed by Johann150
parent c926b4fbcc
commit 4b3cf7834b
Signed by untrusted user: Johann150
GPG key ID: 9EE6577A2A06F8F1

@ -13,6 +13,7 @@ export async function readNotification(
// Update documents
const result = await Notifications.update({
notifieeId: userId,
id: In(notificationIds),
isRead: false,
}, {
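
Review bot: the `notifieeId: userId` condition in the `Notifications.update` where clause is the only ownership check visible in this hunk, and nothing marks it as an authorization check, so a later refactor of the filter could drop it unnoticed. Add a short comment on that line saying it restricts the update to the caller's own notifications, and a regression test that passes another user's notification ID and asserts that its `isRead` stays false. Since `notificationIds` is caller-supplied and the update's return value is kept in `result`, any step after this update should rely on what the update actually affected rather than on the raw ID list; the rest of the function is not visible here, so that is worth checking before merge.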