
Missing authorization check in manual check-in endpoint #1232

@g-k-s-03

Description

Describe the bug
The manual check-in endpoint (/control/event/<organizer>/<event>/checkinlists/<checkin_list_id>/) allows users to POST arbitrary OrderPosition IDs. Currently, there is no validation to ensure that the position belongs to the event or check-in list. This can lead to unauthorized check-ins.

Expected behavior
The system should validate that each OrderPosition belongs to the event and is allowed in the check-in list. Invalid positions should be rejected or ignored.

Additional context

  • Impact: An attacker could check in attendees to events they shouldn’t have access to by guessing or obtaining valid position IDs.
  • Related tests: test_manual_checkins, test_manual_checkins_revert in tests/control/test_checkins.py.
  • Proposed fix: Add authorization checks in the endpoint:
    1. Verify op.order.event == checkin_list.event.
    2. If checkin_list.all_products=False, verify op.item is in checkin_list.limit_products.
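The two checks proposed above, worked through on constructed data. This is an added example and not pretix's code: plain dataclasses stand in for the Django models (Event, Item, Order, OrderPosition, CheckinList), and the helper names `unchecked_manual_checkin`, `position_allowed` and `authorize_manual_checkin` are assumptions chosen for illustration. The only attributes relied on are the ones named in the report: `op.order.event`, `op.item`, `checkin_list.event`, `checkin_list.all_products` and `checkin_list.limit_products`.

```python
"""Added example (not pretix's own code): the authorization check proposed in
the issue, applied to the list of OrderPosition IDs POSTed to the manual
check-in endpoint. Model classes below are simplified stand-ins for the
Django models and carry only the fields the check needs."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Event:
    slug: str


@dataclass(frozen=True)
class Item:
    name: str


@dataclass(frozen=True)
class Order:
    code: str
    event: Event


@dataclass(frozen=True)
class OrderPosition:
    pk: int
    order: Order
    item: Item


@dataclass
class CheckinList:
    event: Event
    all_products: bool = True
    limit_products: set = field(default_factory=set)


def unchecked_manual_checkin(requested_pks, lookup):
    """The behaviour the report describes: every ID that resolves to an
    existing OrderPosition is accepted, regardless of event or list."""
    return [pk for pk in requested_pks if pk in lookup]


def position_allowed(op, checkin_list):
    """Return (allowed, reason) for one OrderPosition against a check-in list.

    Step 1: the position must belong to the list's event
            (op.order.event == checkin_list.event).
    Step 2: if the list restricts products (all_products=False), the
            position's item must be in checkin_list.limit_products.
    """
    if op.order.event != checkin_list.event:
        return False, "wrong event"
    if not checkin_list.all_products and op.item not in checkin_list.limit_products:
        return False, "item not allowed on this check-in list"
    return True, "ok"


def authorize_manual_checkin(checkin_list, requested_pks, lookup):
    """Hardened filtering of the POSTed IDs.

    `lookup` maps pk -> OrderPosition and stands in for the database query
    (which, in a real fix, should itself be scoped to checkin_list.event).
    Returns (accepted_pks, rejected) where rejected maps pk -> reason.
    Unknown IDs are rejected explicitly rather than silently dropped, so the
    caller can log or surface them.
    """
    accepted, rejected = [], {}
    for pk in requested_pks:
        op = lookup.get(pk)
        if op is None:
            rejected[pk] = "unknown position"
            continue
        ok, reason = position_allowed(op, checkin_list)
        if ok:
            accepted.append(pk)
        else:
            rejected[pk] = reason
    return accepted, rejected


# Constructed sample data (not real pretix objects).
CONF = Event("conf-2025")
OTHER = Event("other-event")
TICKET = Item("Ticket")
WORKSHOP = Item("Workshop")

POSITIONS = {
    1: OrderPosition(1, Order("AAAAA", CONF), TICKET),    # same event, allowed item
    2: OrderPosition(2, Order("BBBBB", CONF), WORKSHOP),  # same event, item not on list
    3: OrderPosition(3, Order("CCCCC", OTHER), TICKET),   # belongs to another event
}

RESTRICTED_LIST = CheckinList(event=CONF, all_products=False, limit_products={TICKET})
OPEN_LIST = CheckinList(event=CONF, all_products=True)


def demo():
    """Attacker POSTs a guessed ID from another event (3) plus an unknown one (99)."""
    return authorize_manual_checkin(RESTRICTED_LIST, [1, 2, 3, 99], POSITIONS)


if __name__ == "__main__":
    print("unchecked:", unchecked_manual_checkin([1, 2, 3, 99], POSITIONS))
    accepted, rejected = demo()
    print("accepted:", accepted)
    print("rejected:", rejected)
```

With the unchecked behaviour, ID 3 (another event's ticket) is checked in; with both checks applied only ID 1 survives, ID 2 fails the product restriction and ID 3 fails the event check. Against `OPEN_LIST` (all_products=True) the product step is skipped, so IDs 1 and 2 are accepted and 3 is still rejected.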
