Add company ownership check to clone endpoints (#606)

Verify the source record belongs to the current company before cloning.
Previously, users could clone invoices/estimates from other companies,
leaking sensitive data (amounts, customer details, items, taxes, notes).

The view policy already includes a hasCompany() check, so authorizing
view on the source record gates both ability and company ownership.

Ref #574
Darko Gjorgjijoski
2026-04-03 14:32:12 +02:00
committed by GitHub
parent 1adebe85b9
commit 3d871604ae
2 changed files with 2 additions and 0 deletions


@@ -21,6 +21,7 @@ class CloneEstimateController extends Controller
*/
public function __invoke(Request $request, Estimate $estimate)
{
$this->authorize('view', $estimate);
$this->authorize('create', Estimate::class);
$date = Carbon::now();
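Review bot: the fix relies on the EstimatePolicy `view` method enforcing company ownership, but nothing in this hunk shows that policy, so the guarantee stated in the commit message ("the view policy already includes a hasCompany() check") should be pinned down with a feature test that clones an estimate owned by a different company and asserts a 403 response; without that test a later change to the policy silently reopens the cross-company clone. The ordering is right: `$this->authorize('view', $estimate)` runs before `$this->authorize('create', Estimate::class)`, so a request for a foreign record is rejected before any create-side logic, and because `authorize()` throws an AuthorizationException, the original estimate data is never reached by the cloning code below.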


@@ -21,6 +21,7 @@ class CloneInvoiceController extends Controller
*/
public function __invoke(Request $request, Invoice $invoice)
{
$this->authorize('view', $invoice);
$this->authorize('create', Invoice::class);
$date = Carbon::now();
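Review bot: this is the same one-line fix applied by hand in a second controller, which is exactly the pattern that let both clone endpoints miss the check in the first place; consider enforcing `view` on the route definition (for example a `can:view,invoice` middleware on the clone route) so that every clone-style endpoint inherits the ownership gate instead of relying on each controller remembering `$this->authorize('view', $invoice);`. As with the estimate controller, a regression test that attempts to clone an invoice belonging to another company and expects a 403 should accompany this change, since the hunk itself does not show the InvoicePolicy that the commit message depends on.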