Kimai's API invoice endpoint missing customer-level access control (IDOR)

Summary GET /api/invoices/id only checks the role-based viewinvoice permission but does not verify the requesting user has access to the invoice's customer. Any user with ROLETEAMLEAD which grants viewinvoice can read all invoices in the system, including those belonging to customers assigned to...