fix(members): scope member view & update to the acting company

Member view/update bound the target user by global id and authorized only that the requester owns their active company, not that the target belonged to it. Bind the route model under the members param and require shared company membership in UserPolicy so an owner of one company can no longer read or modify users of another.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Darko Gjorgjijoski
2026-06-14 23:42:11 +02:00
parent 8d929ec09d
commit d3202b8b2a
4 changed files with 50 additions and 24 deletions

View File

@@ -52,7 +52,7 @@ class MemberRequest extends FormRequest
$rules['email'] = [
'required',
new IdnEmail,
Rule::unique('users')->ignore($this->user),
Rule::unique('users')->ignore($this->member),
];
$rules['password'] = [
'nullable',