fix: scim v2 endpoints enforce user resource owner (#9273)

# Which Problems Are Solved
- If a SCIM endpoint is called with an orgID in the URL path that does not match the
target user's resource owner, no error is returned and the action is executed anyway.

# How the Problems Are Solved
- The orgID provided in the SCIM URL path must match the resource owner
of the target user. Otherwise, an error will be returned.

# Additional Context

Part of https://github.com/zitadel/zitadel/issues/8140
This commit is contained in:
Lars
2025-01-30 16:43:13 +01:00
committed by GitHub
parent 60cfa6cb76
commit 563f74640e
16 changed files with 153 additions and 78 deletions


@@ -180,7 +180,8 @@ func (h *UsersHandler) Replace(ctx context.Context, id string, user *ScimUser) (
}
func (h *UsersHandler) Update(ctx context.Context, id string, operations patch.OperationCollection) error {
userWM, err := h.command.UserHumanWriteModel(ctx, id, true, true, true, true, false, false, true)
orgID := authz.GetCtxData(ctx).OrgID
userWM, err := h.command.UserHumanWriteModel(ctx, id, orgID, true, true, true, true, false, false, true)
if err != nil {
return err
}
@@ -191,6 +192,9 @@ func (h *UsersHandler) Update(ctx context.Context, id string, operations patch.O
return err
}
// ensure the identity of the user is not modified
changeHuman.ID = id
changeHuman.ResourceOwner = orgID
return h.command.ChangeUserHuman(ctx, changeHuman, h.userCodeAlg)
}
@@ -200,12 +204,12 @@ func (h *UsersHandler) Delete(ctx context.Context, id string) error {
return err
}
_, err = h.command.RemoveUserV2(ctx, id, memberships, grants...)
_, err = h.command.RemoveUserV2(ctx, id, authz.GetCtxData(ctx).OrgID, memberships, grants...)
return err
}
func (h *UsersHandler) Get(ctx context.Context, id string) (*ScimUser, error) {
user, err := h.query.GetUserByID(ctx, false, id)
user, err := h.query.GetUserByIDWithResourceOwner(ctx, false, id, authz.GetCtxData(ctx).OrgID)
if err != nil {
return nil, err
}