From 7d9fdb79cccc5fefb084c832bdac046a8e32d31a Mon Sep 17 00:00:00 2001
From: Darko Gjorgjijoski <5760249+gdarko@users.noreply.github.com>
Date: Fri, 3 Apr 2026 14:34:33 +0200
Subject: [PATCH] Scope users listing and search to current company (#607)

Add scopeWhereCompany() to User model using whereHas through the user_company pivot table. Apply it in UsersController::index() and SearchController so users only see members of their current company. Previously, the users page showed ALL users across all companies. Ref #574
---
 app/Http/Controllers/V1/Admin/General/SearchController.php | 3 ++-
 app/Http/Controllers/V1/Admin/Users/UsersController.php | 5 +++--
 app/Models/User.php | 7 +++++++
 3 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/app/Http/Controllers/V1/Admin/General/SearchController.php b/app/Http/Controllers/V1/Admin/General/SearchController.php
index f5179e44..a81b5c89 100644
--- a/app/Http/Controllers/V1/Admin/General/SearchController.php
+++ b/app/Http/Controllers/V1/Admin/General/SearchController.php
@@ -25,7 +25,8 @@ class SearchController extends Controller
 ->paginate(10);
 if ($user->isOwner()) {
- $users = User::applyFilters($request->only(['search']))
+ $users = User::whereCompany()
+ ->applyFilters($request->only(['search']))
 ->latest()
 ->paginate(10);
 }
diff --git a/app/Http/Controllers/V1/Admin/Users/UsersController.php b/app/Http/Controllers/V1/Admin/Users/UsersController.php
index bf0df019..03eb3628 100644
--- a/app/Http/Controllers/V1/Admin/Users/UsersController.php
+++ b/app/Http/Controllers/V1/Admin/Users/UsersController.php
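Review bot: In SearchController the user search is gated on `$user->isOwner()`, and whether that check is evaluated for the company named in the `company` header or for any company the user owns is not visible in this hunk. If it is the latter, the new `whereCompany()` constraint narrows the result set but does not by itself establish that the caller holds the owner role in the company being searched. Confirm that the role check is per-company, or that middleware rejects a `company` header the user is not entitled to act on as owner. The enclosing method starts and ends outside the hunk.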
@@ -25,14 +25,15 @@ class UsersController extends Controller
 $user = $request->user();
- $users = User::applyFilters($request->all())
+ $users = User::whereCompany()
+ ->applyFilters($request->all())
 ->where('id', '<>', $user->id)
 ->latest()
 ->paginate($limit);
 return UserResource::collection($users)
 ->additional(['meta' => [
- 'user_total_count' => User::count(),
+ 'user_total_count' => User::whereCompany()->count(),
 ]]);
 }
diff --git a/app/Models/User.php b/app/Models/User.php
index b5c575cc..c778ab93 100644
--- a/app/Models/User.php
+++ b/app/Models/User.php
@@ -213,6 +213,13 @@ class User extends Authenticatable implements HasMedia
 return $query->where('email', 'LIKE', '%'.$email.'%');
 }
+ public function scopeWhereCompany($query)
+ {
+ return $query->whereHas('companies', function ($q) {
+ $q->where('company_id', request()->header('company'));
+ });
+ }
+
 public function scopePaginateData($query, $limit)
 {
 if ($limit == 'all') {
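Review bot: Only the listing in `UsersController::index()` gains the company constraint; any routes in this controller that resolve a single user by id (show, update, delete, if present) lie outside the hunk and are not touched by this commit. Confirm they apply `whereCompany()` or an equivalent policy check, otherwise the isolation added here covers the list view only. The commit changes three files and adds no test, so a feature test asserting that a member of another company never appears in the list or in `user_total_count` would pin the fix. `$request->all()` is still handed to `applyFilters()`; narrowing it with `$request->only([...])` for the supported filter keys, as the search controller does with `only(['search'])`, keeps unexpected input out of the query builder. The method starts above the hunk.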
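Review bot: `scopeWhereCompany()` in app/Models/User.php takes the tenant id straight from the client-supplied `company` header, so the isolation this commit adds holds only if that header has already been checked against the authenticated user's company memberships before the query runs. That check is not visible in this patch and should be confirmed for every route that uses the scope. Reading `request()` inside the model also ties the scope to an HTTP context; with no header present (queue job, console command) the filter would compare against null and most likely match nothing, silently. I would let the scope accept an optional company id that falls back to the header, qualify the column with the `user_company` pivot table named in the commit message so it cannot become ambiguous, and add a comment stating that the caller must have authorised the id.

```php
    public function scopeWhereCompany($query, $companyId = null)
    {
        // The caller must already have authorised this company id for the current user.
        $companyId = $companyId ?? request()->header('company');

        return $query->whereHas('companies', function ($q) use ($companyId) {
            $q->where('user_company.company_id', $companyId);
        });
    }
```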