customerapi: on cancel check also registration ownership

common/manager/EventRegistrationManager.php

@@ -186,10 +186,13 @@ class EventRegistrationManager extends BaseObject
      * @return array|EventRegistration|ActiveRecord|null
      * @throws NotFoundHttpException
      */
-    public function loadRegistration($idRegistration)
+    public function loadRegistration($idRegistration, $idCustomer)
     {
 
-        $registration = EventRegistration::find()->andWhere(['id' => $idRegistration])->one();
+        $registration = EventRegistration::find()
+            ->andWhere(['id' => $idRegistration])
+            ->andWhere(['id_customer' => $idCustomer])
+            ->one();
         if ($registration === null) {
             throw new NotFoundHttpException('The requested registration does not exist.');
         }
@@ -200,8 +203,12 @@ class EventRegistrationManager extends BaseObject
      * @param EventRegistration $registration
      * @throws ServerErrorHttpException
      */
-    public function cancelRegistration($registration)
+    public function cancelRegistration($registration, $idCustomer)
     {
+        if ( $registration->id_customer != $idCustomer){
+            throw new NotFoundHttpException('The requested registration does not exist.');
+        }
+
         if (isset($registration->canceled_at)) {
             throw new BadRequestHttpException('The registration is already canceled', self::ALREADY_CANCELLED);
         }