fix: close access control gaps in restrictAccess and admin user actions (wd-u7r)

1. Uncomment redirectTo in restrictAccess() so non-Editor/Admin users are
   actually redirected away instead of silently proceeding to protected actions.

2. Remove unlockUser,toggleUserLock from checkAdminAccess except list so these
   admin-only operations require admin role instead of just authentication.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: bpamiri

app/controllers/Controller.cfc

@@ -92,7 +92,7 @@ component extends="wheels.Controller" {
 
         // Allow only specific roles
         if (!listFindNoCase("Editor,Admin", session.role)) {
-            // redirectTo(controller="HomeController", action="index");
+            redirectTo(controller="HomeController", action="index");
             return false;
         }
 

app/controllers/admin/UserController.cfc

@@ -5,7 +5,7 @@ component extends="app.Controllers.Controller" {
         super.config();
         verifies(except="index,loadUsers,loadRoles,addUser,store,delete,profile,changePassword,updatePassword,updateProfilePic,checkAdminAccess,unlockUser,toggleUserLock", params="key", paramsTypes="integer", handler="index");
         usesLayout(template="/admin/AdminController/layout", except="changePassword,updatePassword,updateProfilePic" );
-        filters(through="checkAdminAccess", except="changePassword,updatePassword,updateProfilePic,unlockUser,toggleUserLock");
+        filters(through="checkAdminAccess", except="changePassword,updatePassword,updateProfilePic");
         filters(through="checkUserAccess", only="changePassword,updatePassword,updateProfilePic");
         filters(through="checkRoleAccess", only="index,addUser,delete");
     }