Scope bulk delete to current company to prevent cross-company deletion

Filter customer IDs through whereCompany() before passing to
deleteCustomers(), ensuring users cannot delete customers belonging
to other companies via the bulk delete endpoint.

app/Http/Controllers/V1/Admin/Customer/CustomersController.php

@@ -92,7 +92,11 @@ class CustomersController extends Controller
     {
         $this->authorize('delete multiple customers');
 
-        Customer::deleteCustomers($request->ids);
+        $ids = Customer::whereCompany()
+            ->whereIn('id', $request->ids)
+            ->pluck('id');
+
+        Customer::deleteCustomers($ids);
 
         return response()->json([
             'success' => true,

tests/Feature/Admin/CustomerTest.php

@@ -181,3 +181,17 @@ test('cannot update customer from another company', function () {
     ])->assertForbidden();
 });
 
+test('cannot bulk delete customer from another company', function () {
+    $otherCompany = Company::factory()->create();
+    $otherCustomer = Customer::factory()->create([
+        'company_id' => $otherCompany->id,
+    ]);
+
+    postJson('api/v1/customers/delete', [
+        'ids' => [$otherCustomer->id],
+    ])->assertOk();
+
+    $this->assertDatabaseHas('customers', [
+        'id' => $otherCustomer->id,
+    ]);
+});