From c1ac1647f67244c3c03a90ed0722cee34cec1269 Mon Sep 17 00:00:00 2001
From: David Bomba
Date: Wed, 19 Oct 2022 09:33:00 +1100
Subject: [PATCH] Fixes for policies
---
 app/Policies/EntityPolicy.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/app/Policies/EntityPolicy.php b/app/Policies/EntityPolicy.php
index c7c45f28e9e6..99ca027916e3 100644
--- a/app/Policies/EntityPolicy.php
+++ b/app/Policies/EntityPolicy.php
@@ -49,8 +49,8 @@ class EntityPolicy
 return ($user->isAdmin() && $entity->company_id == $user->companyId())
 || ($user->hasPermission('edit_'.strtolower(\Illuminate\Support\Str::snake(class_basename($entity)))) && $entity->company_id == $user->companyId())
 || ($user->hasPermission('edit_all') && $entity->company_id == $user->companyId())
- || $user->owns($entity)
- || $user->assigned($entity);
+ || ($user->owns($entity) && $entity->company_id == $user->companyId())
+ || ($user->assigned($entity) && $entity->company_id == $user->companyId());
 }
 
 /**
@@ -66,7 +66,7 @@ class EntityPolicy
 return ($user->isAdmin() && $entity->company_id == $user->companyId())
 || ($user->hasPermission('view_'.strtolower(\Illuminate\Support\Str::snake(class_basename($entity)))) && $entity->company_id == $user->companyId())
 || ($user->hasPermission('view_all') && $entity->company_id == $user->companyId())
- || $user->owns($entity)
- || $user->assigned($entity);
+ || ($user->owns($entity) && $entity->company_id == $user->companyId())
+ || ($user->assigned($entity) && $entity->company_id == $user->companyId());
 }
 }
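Review bot: The company comparison is repeated inside each `||` branch of this return, and that per-branch shape is what allowed the `owns`/`assigned` branches to go without it until now. A single guard ahead of the `return` would make the tenant boundary structural, so a branch added later cannot omit it. The rewrite below is logically equivalent provided the predicate methods have no side effects, which is not visible here. The view hunk further down has the same shape and would take the same guard. The method signature lies above the hunk.

```php
        // Tenant boundary first: no branch below can grant access across companies.
        if ($entity->company_id != $user->companyId()) {
            return false;
        }

        return $user->isAdmin()
            || $user->hasPermission('edit_'.strtolower(\Illuminate\Support\Str::snake(class_basename($entity))))
            || $user->hasPermission('edit_all')
            || $user->owns($entity)
            || $user->assigned($entity);
```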
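Review bot: The added tenant checks compare with loose `==`, under which `null == null` and `null == 0` are both true, so an entity with no `company_id` would match a user whose `companyId()` returns null or 0. Whether either can occur is not visible from this hunk. If it can, an explicit guard such as `$entity->company_id !== null && $entity->company_id == $user->companyId()` closes the missing-`company_id` case without changing how int and string ids match. The same comparison appears in the edit hunk above. The method signature lies above the hunk.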