Harvest: Invoices can be added to any retainers - even closs-platform

Summary ------ Hey team, there is an IDOR bug, which allows me to add an invoice to any retainer I wish, even if the retainer belongs to another app/subdomain. Steps to reproduce --------- 1. Make sure you have two apps A and B 2. In A create a retainer, let's say it has id 1234. 3. In B open thi...