Update getEvents and getResponses backend routes#212

Open
KrishivGubba wants to merge 4 commits into schej-it:main from KrishivGubba:fix/resp-data
@KrishivGubba
Contributor

Summary

Closes #199

Fixes a privacy bug where GET /api/events/{eventId} and GET /api/events/{eventId}/responses returned all responses with full user details despite blindAvailabilityEnabled being set.

Solution

Implemented server-side filtering for both endpoints:

getEvent Endpoint

  • Returns full event data only if blindAvailabilityEnabled is false OR user is the owner
  • For non-owners: privatizes ownerId, numResponses, and filters responses to only include the requester's response
    • Note: The list of privatized fields can be modified—please advise if changes are needed
  • Supports guest users via guestName query parameter
  • Returns empty/zero values for private fields instead of removing them (to preserve response shape for frontend logic)

getResponses Endpoint

  • Returns all responses only if blindAvailabilityEnabled is false OR user is the owner
  • For non-owners: returns only the requester's response (by userId or guestName)
  • For guest users: returns empty map

Other Changes

  • Added check in updateEventResponse to prevent non-owners from setting guest availability when blindAvailabilityEnabled is true
  • Added frontend validation in setSlots plugin API method to reject guest name parameters for non-owners on events with blindAvailabilityEnabled
  • Frontend now passes guestName query parameter to both endpoints for proper filtering

Limitations

One caveat: for private events, a non-owner could technically spoof a guest's availability by guessing a guest name and sending it as a query param. The only real fix would be session-based auth for guests, which feels like overkill since the data isn't very sensitive and guessing guest names isn't trivial.
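
The filtering rule described for getEvent, as an added example that is not part of the pull request or the project's code. The types, the `PrivatizeEvent` name, the `IsGuest` flag and the sample data are hypothetical and constructed for illustration; the example also assumes a guest name must never select a signed-in user's row.

```go
package main

import "fmt"

// Hypothetical, simplified models; the project's real types are not shown on the page.
type Response struct {
	IsGuest      bool
	Availability []string
}

type Event struct {
	OwnerID                  string
	BlindAvailabilityEnabled bool
	NumResponses             int
	Responses                map[string]Response // keyed by userId or guest name
}

// PrivatizeEvent returns the view of ev that the caller may see. userID comes
// from the session; guestName is an unauthenticated query parameter.
func PrivatizeEvent(ev Event, userID, guestName string) Event {
	if !ev.BlindAvailabilityEnabled || (userID != "" && userID == ev.OwnerID) {
		return ev // not blind, or caller is the owner: full data
	}
	out := Event{BlindAvailabilityEnabled: true, Responses: map[string]Response{}} // OwnerID, NumResponses stay zero
	key, wantGuest := userID, false // a session identity wins over any guestName sent with it
	if key == "" {
		key, wantGuest = guestName, true
	}
	// Assumption: a guest name never selects a signed-in user's row, and vice versa.
	if r, ok := ev.Responses[key]; ok && key != "" && r.IsGuest == wantGuest {
		out.Responses[key] = r
	}
	return out
}

// sampleEvent builds constructed data for the demonstration.
func sampleEvent() Event {
	return Event{OwnerID: "u-owner", BlindAvailabilityEnabled: true, NumResponses: 3, Responses: map[string]Response{
		"u-owner": {Availability: []string{"Mon 09:00"}},
		"u-alice": {Availability: []string{"Tue 10:00"}},
		"Bob":     {IsGuest: true, Availability: []string{"Wed 11:00"}},
	}}
}

func main() {
	for _, c := range [][2]string{{"u-owner", ""}, {"u-alice", ""}, {"", "Bob"}, {"", "u-alice"}, {"", ""}} {
		v := PrivatizeEvent(sampleEvent(), c[0], c[1])
		fmt.Printf("user=%q guest=%q -> owner=%q n=%d rows=%d\n", c[0], c[1], v.OwnerID, v.NumResponses, len(v.Responses))
	}
}
```

A request carrying a guest name still receives that guest's row, which is the limitation stated above; the `IsGuest` check only keeps the unauthenticated parameter from reaching rows that belong to signed-in users.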

localStorage[this.guestNameKey] = newName
// Also store with shortId or _id (to match eventId prop format used in Event.vue)
const eventIdKey = `${this.event.shortId ?? this.event._id}.guestName`
localStorage[eventIdKey] = newName
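
Review bot: the second write, localStorage[eventIdKey] = newName, stores the same guest name under a second key built from this.event.shortId ?? this.event._id, and nothing in the visible lines reads that key back or removes it. Two copies of the value that the description says is sent as the guestName query parameter can drift apart when only one of them is renamed or cleared, so either build guestNameKey from the same shortId ?? _id format and keep a single write, or add the matching read and cleanup for eventIdKey in this change.
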
Member

@jonyTF jonyTF Jan 30, 2026

what's the point of eventIdKey?

Member

@jonyTF jonyTF Jan 30, 2026

doesn't seem to be used anywhere, seems redundant with guestNameKey

Development

Successfully merging this pull request may close these issues.

Backend endpoints ignore "Hide responses from respondents" setting, exposing all respondents' data

2 participants