Same class as the 11 prior secure-404 fixes, now on customer-cascade-scoped Invoice (invCustId → Customer.custCompId). Collapse 403 "exists but not yours" into 404. Tests pin via auth.getCompanyIdByCustomerId spy.
Proudly Made in Nebraska. Go Big Red! 🌽 https://xkcd.com/2347/
Same class as the 11 prior secure-404 fixes, now on customer-cascade-scoped Invoice (
invCustId → Customer.custCompId). Collapse 403 "exists but not yours" into 404. Tests pin viaauth.getCompanyIdByCustomerIdspy.Proudly Made in Nebraska. Go Big Red! 🌽 https://xkcd.com/2347/