CVE-2026-47227: Admidio module-administrator can delete or reorder categories owned by other modules via dead authorization check in `modules/categories.php`

modules/categories.php checks that the supplied type parameter (ANN, EVT, ROL, USF, …) corresponds to a module the actor administers. The follow-up “is this specific category editable by me” check at lines 56-61 is dead code because it compares $getType (a category-type code) against mode names (edit/save/delete); the condition is permanently false, so $category->isEditable() is never invoked. The delete, sequence, and save switch cases load the category by the supplied UUID and act on it without re-checking that the category belongs to a module the actor administers. A user holding only one module-administrator right can therefore destroy or reorder empty categories belonging to other modules — for example, an announcements administrator can delete role categories, profile-field categories, or weblink categories that they have no right to touch.