Member view/update bound the target user by global id and authorized only that the requester owns their active company, not that the target belonged to it. Bind the route model under the members param and require shared company membership in UserPolicy so an owner of one company can no longer read or modify users of another.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
v3 port of the v2 authorization fixes.
- Notes IDOR (GHSA-85wc): NotePolicy checks the note's company_id and
NotesController passes the bound model to authorize() on show/update/destroy.
- Estimate<->Invoice convert IDOR (GHSA-j2vg): EstimatesController::convertToInvoice
and InvoicesController::convertToEstimate authorize 'view' on the source
document before creating the target.
- Member bulk-delete (GHSA-wxrv): MembersController scopes ids via
User::whereCompany() before MemberService::delete.
Adds feature tests for cross-company 403s + same-company happy paths.