Scope all bulk deletes to current company and fix inverted ownership transfer (#605)

Bulk delete: filter IDs through whereCompany() before deleting in all
controllers (Invoices, Payments, Items, Expenses, Estimates, Recurring
Invoices). Previously, any user could delete records from other companies
by providing cross-company IDs.

Transfer ownership: fix inverted hasCompany() check that allowed
transferring company ownership to users who do NOT belong to the company,
while blocking users who DO belong.

Ref #567

app/Http/Controllers/V1/Admin/Company/CompaniesController.php

@@ -61,10 +61,10 @@ class CompaniesController extends Controller
         $company = Company::find($request->header('company'));
         $this->authorize('transfer company ownership', $company);
 
-        if ($user->hasCompany($company->id)) {
+        if (! $user->hasCompany($company->id)) {
             return response()->json([
                 'success' => false,
-                'message' => 'User does not belongs to this company.',
+                'message' => 'User does not belong to this company.',
             ]);
         }
 

app/Http/Controllers/V1/Admin/Estimate/EstimatesController.php

@@ -68,7 +68,11 @@ class EstimatesController extends Controller
     {
         $this->authorize('delete multiple estimates');
 
-        Estimate::destroy($request->ids);
+        $ids = Estimate::whereCompany()
+            ->whereIn('id', $request->ids)
+            ->pluck('id');
+
+        Estimate::destroy($ids);
 
         return response()->json([
             'success' => true,

app/Http/Controllers/V1/Admin/Expense/ExpensesController.php

@@ -81,7 +81,11 @@ class ExpensesController extends Controller
     {
         $this->authorize('delete multiple expenses');
 
-        Expense::destroy($request->ids);
+        $ids = Expense::whereCompany()
+            ->whereIn('id', $request->ids)
+            ->pluck('id');
+
+        Expense::destroy($ids);
 
         return response()->json([
             'success' => true,

app/Http/Controllers/V1/Admin/Invoice/InvoicesController.php

@@ -100,7 +100,11 @@ class InvoicesController extends Controller
     {
         $this->authorize('delete multiple invoices');
 
-        Invoice::deleteInvoices($request->ids);
+        $ids = Invoice::whereCompany()
+            ->whereIn('id', $request->ids)
+            ->pluck('id');
+
+        Invoice::deleteInvoices($ids);
 
         return response()->json([
             'success' => true,

app/Http/Controllers/V1/Admin/Item/ItemsController.php

@@ -90,7 +90,11 @@ class ItemsController extends Controller
     {
         $this->authorize('delete multiple items');
 
-        Item::destroy($request->ids);
+        $ids = Item::whereCompany()
+            ->whereIn('id', $request->ids)
+            ->pluck('id');
+
+        Item::destroy($ids);
 
         return response()->json([
             'success' => true,

app/Http/Controllers/V1/Admin/Payment/PaymentsController.php

@@ -73,7 +73,11 @@ class PaymentsController extends Controller
     {
         $this->authorize('delete multiple payments');
 
-        Payment::deletePayments($request->ids);
+        $ids = Payment::whereCompany()
+            ->whereIn('id', $request->ids)
+            ->pluck('id');
+
+        Payment::deletePayments($ids);
 
         return response()->json([
             'success' => true,

app/Http/Controllers/V1/Admin/RecurringInvoice/RecurringInvoiceController.php

@@ -84,7 +84,11 @@ class RecurringInvoiceController extends Controller
     {
         $this->authorize('delete multiple recurring invoices');
 
-        RecurringInvoice::deleteRecurringInvoice($request->ids);
+        $ids = RecurringInvoice::whereCompany()
+            ->whereIn('id', $request->ids)
+            ->pluck('id');
+
+        RecurringInvoice::deleteRecurringInvoice($ids);
 
         return response()->json([
             'success' => true,