Summary
POST /v1/timeentry sets teCompId from auth scope but only validates that teCustId is an integer. A scoped caller could reference a customer from another company if they know the ID.
Proposed fix
Before insert, resolve Customer.custCompId for teCustId and reject (400/404) if it does not match the effective company. Same pattern as indirect-scoped entities in _bulk-helpers.js.
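A hardened create handler illustrating the proposed check, added here as an example rather than code from the project: the repository object, the `HttpError` class and the request shape are assumptions, and only the field names come from this ticket.

```javascript
// Added example: POST /v1/timeentry with the customer/company check.
// Repository interface and sample rows are constructed for this demo.

// Constructed stand-in for the Customer table (custId -> row).
const CUSTOMERS = new Map([
  [10, { custId: 10, custCompId: 1 }],
  [20, { custId: 20, custCompId: 2 }],
]);

const repo = {
  findCustomerById: (id) => CUSTOMERS.get(id) || null,
  insertTimeEntry: (row) => ({ teId: 1, ...row }),
};

class HttpError extends Error {
  constructor(status, message) {
    super(message);
    this.status = status;
  }
}

// Resolve Customer.custCompId for teCustId and reject unless it matches the
// effective company. 404 (not 403) so a scoped caller cannot distinguish
// "exists in another company" from "does not exist".
function assertCustomerInCompany(repo, teCustId, effectiveCompId) {
  if (!Number.isInteger(teCustId)) {
    throw new HttpError(400, 'teCustId must be an integer');
  }
  const customer = repo.findCustomerById(teCustId);
  if (!customer || customer.custCompId !== effectiveCompId) {
    throw new HttpError(404, 'customer not found');
  }
  return customer;
}

// teCompId always comes from the auth scope; any teCompId in the body is ignored.
function createTimeEntry(repo, authScope, body) {
  const teCompId = authScope.compId;
  assertCustomerInCompany(repo, body.teCustId, teCompId);
  return repo.insertTimeEntry({ teCompId, teCustId: body.teCustId, hours: body.hours });
}
```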
Acceptance criteria
teCustId belonging to another company is rejected on create
Source
Code review backlog (2026-06-23)