gonic has arbitrary file write in createPlaylist: any authenticated user can write playlist M3U content to attacker-controlled path on the host

An authenticated non-admin Subsonic user sends a `createPlaylist` API request with a crafted `id` parameter whose base64-decoded value contains `../` sequences (e.g., `pl -../../../var/log/anything.log`). The unreachable guard causes the owner check to always pass [ref_id=1]. `Store.Write` resolves the traversal via `filepath.Join`, creating the M3U file (and intermediate directories with `0o777` permissions) at an attacker-controlled absolute path [ref_id=1]. The write is M3U-structured but the `name` field is attacker-controlled, enabling overwrite of any file the gonic process can write.

`server/ctrlsubsonic/handlers_playlist.go:74-90` contains an unreachable guard clause—`Store.Read` never returns `(non-nil, non-nil-err)`, so the ownership check `playlist.UserID != 0 && playlist.UserID != user.ID` is always bypassed. Additionally, `playlist/playlist.go:146-160` (`Store.Write`) uses `filepath.Join` without any path-containment check, allowing `..` traversal to escape the base directory.

The patch fixes two root causes found in the advisory [ref_id=1]. First, in `handlers_playlist.go:83`, the condition `err != nil && pl != nil` is corrected to `err == nil && pl != nil` so the ownership guard actually executes when a playlist is read successfully. Second, in `playlist/playlist.go`, a path-containment check is added after `filepath.Join`: computing the relative path from `basePath` and rejecting the write if the resolved path escapes the intended playlist directory. The same sanitization should also be applied to `Read()` and `Delete()`. Together these changes prevent both the logic bypass and the directory traversal.

See ref_id=1 for a Go test (`TestCreatePlaylistArbitraryWrite_RawPath`) and a curl example that write a file outside the intended playlist directory via a traversal payload.