InvoiceShelf/app/Http/Controllers/V1/Admin/Expense/ExpensesController.php
Darko Gjorgjijoski 242b689311 Scope all bulk deletes to current company and fix inverted ownership transfer
Bulk delete: filter IDs through whereCompany() before deleting in all
controllers (Invoices, Payments, Items, Expenses, Estimates, Recurring
Invoices). Previously, any user could delete records from other companies
by providing cross-company IDs.

Transfer ownership: fix inverted hasCompany() check that allowed
transferring company ownership to users who do NOT belong to the company,
while blocking users who DO belong.

Ref #567
2026-04-03 14:01:30 +02:00

2.4 KiB
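
The two checks the commit message describes, as an added example that is not InvoiceShelf code: plain PHP over constructed in-memory rows. The function names (bulkDeleteUnscoped, bulkDeleteScoped, canReceiveOwnership) and the sample data are hypothetical and stand in for the project's whereCompany() filter and hasCompany() check.

```php
<?php
// Added example with constructed data; not code from the InvoiceShelf repository.
// Each expense row records the company (tenant) that owns it.
$expenses = [
    1 => ['company_id' => 10, 'amount' => 120],
    2 => ['company_id' => 10, 'amount' => 75],
    3 => ['company_id' => 20, 'amount' => 990], // owned by a different company
];

// "Before" behaviour: every client-supplied ID is deleted, with no tenant check.
function bulkDeleteUnscoped(array $rows, array $ids): array
{
    return array_diff_key($rows, array_flip($ids));
}

// "After" behaviour: IDs are first narrowed to rows owned by the caller's company.
// IDs that fail the filter are returned so they can be logged for review.
function bulkDeleteScoped(array $rows, array $ids, int $companyId): array
{
    $owned = array_filter(
        $ids,
        fn ($id) => isset($rows[$id]) && $rows[$id]['company_id'] === $companyId
    );
    return [
        'rows'     => array_diff_key($rows, array_flip($owned)),
        'rejected' => array_values(array_diff($ids, $owned)),
    ];
}

// Ownership transfer: allowed only when the target user belongs to the company.
// The inverted form of this check (a stray negation) admits exactly the wrong users.
function canReceiveOwnership(array $memberships, int $userId, int $companyId): bool
{
    return in_array($companyId, $memberships[$userId] ?? [], true);
}

$requested = [1, 3]; // caller acts for company 10; ID 3 belongs to company 20
$before = bulkDeleteUnscoped($expenses, $requested);
$after  = bulkDeleteScoped($expenses, $requested, 10);

printf("unscoped: row 3 still present? %s\n", var_export(isset($before[3]), true));
printf("scoped:   row 3 still present? %s\n", var_export(isset($after['rows'][3]), true));
printf("scoped:   rejected IDs: %s\n", json_encode($after['rejected']));

$memberships = [7 => [10], 8 => [20]]; // constructed: user ID => company IDs
foreach ([7, 8] as $userId) {
    $ok = canReceiveOwnership($memberships, $userId, 10);
    printf("user %d may receive company 10: %s\n", $userId, var_export($ok, true));
}
```

Logging the rejected IDs gives a detection signal for requests that mix in identifiers from another tenant.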