From 3d871604aef5b02ac8af6dada0aaee81d7248cd2 Mon Sep 17 00:00:00 2001
From: Darko Gjorgjijoski <5760249+gdarko@users.noreply.github.com>
Date: Fri, 3 Apr 2026 14:32:12 +0200
Subject: [PATCH] Add company ownership check to clone endpoints (#606)

Verify the source record belongs to the current company before cloning. Previously, users could clone invoices/estimates from other companies, leaking sensitive data (amounts, customer details, items, taxes, notes).

The view policy already includes hasCompany() check, so authorizing view on the source record gates both ability and company ownership.

Ref #574
---
 .../Controllers/V1/Admin/Estimate/CloneEstimateController.php | 1 +
 app/Http/Controllers/V1/Admin/Invoice/CloneInvoiceController.php | 1 +
 2 files changed, 2 insertions(+)

diff --git a/app/Http/Controllers/V1/Admin/Estimate/CloneEstimateController.php b/app/Http/Controllers/V1/Admin/Estimate/CloneEstimateController.php
index 546b4fcf..64a57f64 100644
--- a/app/Http/Controllers/V1/Admin/Estimate/CloneEstimateController.php
+++ b/app/Http/Controllers/V1/Admin/Estimate/CloneEstimateController.php
@@ -21,6 +21,7 @@ class CloneEstimateController extends Controller
      */
     public function __invoke(Request $request, Estimate $estimate)
     {
+        $this->authorize('view', $estimate);
         $this->authorize('create', Estimate::class);
 
         $date = Carbon::now();
diff --git a/app/Http/Controllers/V1/Admin/Invoice/CloneInvoiceController.php b/app/Http/Controllers/V1/Admin/Invoice/CloneInvoiceController.php
index 77596d64..e3775781 100644
--- a/app/Http/Controllers/V1/Admin/Invoice/CloneInvoiceController.php
+++ b/app/Http/Controllers/V1/Admin/Invoice/CloneInvoiceController.php
@@ -21,6 +21,7 @@ class CloneInvoiceController extends Controller
      */
     public function __invoke(Request $request, Invoice $invoice)
     {
+        $this->authorize('view', $invoice);
         $this->authorize('create', Invoice::class);
 
         $date = Carbon::now();
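Review bot: The company-ownership guarantee that the added `$this->authorize('view', $estimate);` depends on lives in the Estimate view policy, which is not part of this hunk, and the diffstat shows only the two controllers changed, so nothing pins the cross-company rejection against a later policy refactor that drops or loosens hasCompany(). A feature test that authenticates as a user of company A, calls the clone route for an estimate owned by company B, and asserts the request is rejected and no new estimate row is created would make this security fix regression-safe. I would also record the dependency at the call site so the line is not later removed as redundant with the create check: `// 'view' on the source also enforces company ownership via the policy's hasCompany() check; keep it ahead of 'create'.` The body of `__invoke` continues past the end of the hunk.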
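Review bot: The added `$this->authorize('view', $invoice);` turns a cross-company clone into an AuthorizationException, which Laravel renders as a 403 by default, whereas an ID that does not exist at all still fails route-model binding with a 404; unless the binding is itself company-scoped (not visible here), invoice IDs belonging to other companies therefore remain enumerable through that status difference even though their contents are now protected. If the project does not want to confirm the existence of foreign records, collapse the two cases, e.g. `abort_unless($request->user()->can('view', $invoice), 404);` in place of the authorize call, keeping `$this->authorize('create', Invoice::class);` as is. Whether the 403/404 distinction matters depends on the threat model for this admin API, so treat this as a hardening suggestion rather than a blocker. The body of `__invoke` continues past the end of the hunk.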