Fix check for relative mag paths in datasource validation (#8720)

Relative paths in datasource-properties.json are supposed to be
interpreted as relative to the dataset directory. This particular
codepath resolved them in the current working directory, which yields
wrong results.

Note that this code will probably be changed soon again, when we make
those paths (mostly) immutable.

### Steps to test:
(I already tested locally)
- Change datasource with explicit mag paths in allowed way, should work
- Change a relative mag path to point outside of the organization
directory (using `..`), should still be rejected

### Issues:
- fixes https://scm.slack.com/archives/C5AKLAV0B/p1750859466889959

------
- [x] Added changelog entry (create a `$PR_NUMBER.md` file in
`unreleased_changes` or use `./tools/create-changelog-entry.py`)
- [x] Needs datastore update after deployment

Author: fm3

unreleased_changes/8720.md

@@ -0,0 +1,2 @@
+### Fixed
+- Fixed a bug where the checks on relative paths were too strict when editing dataset settings.

webknossos-datastore/app/com/scalableminds/webknossos/datastore/services/DataSourceService.scala

@@ -226,7 +226,10 @@ class DataSourceService @Inject()(
       val uri = new URI(pathStr)
       if (DataVaultService.isRemoteScheme(uri.getScheme)) true
       else {
-        val path = Path.of(new URI(pathStr).getPath).normalize().toAbsolutePath
+        val path = organizationDir
+          .resolve(dataSource.id.directoryName)
+          .resolve(Path.of(new URI(pathStr).getPath).normalize())
+          .toAbsolutePath
         val allowedParent = organizationDir.toAbsolutePath
         if (path.startsWith(allowedParent)) true else false
       }