chore: prepare for PR

app/Livewire/Project/Shared/ResourceOperations.php

@@ -49,9 +49,10 @@ public function cloneTo($destination_id)
     {
         $this->authorize('update', $this->resource);
 
-        $new_destination = StandaloneDocker::find($destination_id);
+        $teamScope = fn ($q) => $q->where('team_id', currentTeam()->id);
+        $new_destination = StandaloneDocker::whereHas('server', $teamScope)->find($destination_id);
         if (! $new_destination) {
-            $new_destination = SwarmDocker::find($destination_id);
+            $new_destination = SwarmDocker::whereHas('server', $teamScope)->find($destination_id);
         }
         if (! $new_destination) {
             return $this->addError('destination_id', 'Destination not found.');
@@ -352,7 +353,7 @@ public function moveTo($environment_id)
     {
         try {
             $this->authorize('update', $this->resource);
-            $new_environment = Environment::findOrFail($environment_id);
+            $new_environment = Environment::ownedByCurrentTeam()->findOrFail($environment_id);
             $this->resource->update([
                 'environment_id' => $environment_id,
             ]);

app/Policies/StandaloneDockerPolicy.php

@@ -37,8 +37,7 @@ public function create(User $user): bool
      */
     public function update(User $user, StandaloneDocker $standaloneDocker): bool
     {
-        // return $user->isAdmin() && $user->teams->contains('id', $standaloneDocker->server->team_id);
-        return true;
+        return $user->teams->contains('id', $standaloneDocker->server->team_id);
     }
 
     /**
@@ -46,8 +45,7 @@ public function update(User $user, StandaloneDocker $standaloneDocker): bool
      */
     public function delete(User $user, StandaloneDocker $standaloneDocker): bool
     {
-        // return $user->isAdmin() && $user->teams->contains('id', $standaloneDocker->server->team_id);
-        return true;
+        return $user->teams->contains('id', $standaloneDocker->server->team_id);
     }
 
     /**
@@ -55,8 +53,7 @@ public function delete(User $user, StandaloneDocker $standaloneDocker): bool
      */
     public function restore(User $user, StandaloneDocker $standaloneDocker): bool
     {
-        // return false;
-        return true;
+        return false;
     }
 
     /**
@@ -64,7 +61,6 @@ public function restore(User $user, StandaloneDocker $standaloneDocker): bool
      */
     public function forceDelete(User $user, StandaloneDocker $standaloneDocker): bool
     {
-        // return false;
-        return true;
+        return false;
     }
 }

app/Policies/SwarmDockerPolicy.php

@@ -37,8 +37,7 @@ public function create(User $user): bool
      */
     public function update(User $user, SwarmDocker $swarmDocker): bool
     {
-        // return $user->isAdmin() && $user->teams->contains('id', $swarmDocker->server->team_id);
-        return true;
+        return $user->teams->contains('id', $swarmDocker->server->team_id);
     }
 
     /**
@@ -46,8 +45,7 @@ public function update(User $user, SwarmDocker $swarmDocker): bool
      */
     public function delete(User $user, SwarmDocker $swarmDocker): bool
     {
-        // return $user->isAdmin() && $user->teams->contains('id', $swarmDocker->server->team_id);
-        return true;
+        return $user->teams->contains('id', $swarmDocker->server->team_id);
     }
 
     /**
@@ -55,8 +53,7 @@ public function delete(User $user, SwarmDocker $swarmDocker): bool
      */
     public function restore(User $user, SwarmDocker $swarmDocker): bool
     {
-        // return false;
-        return true;
+        return false;
     }
 
     /**
@@ -64,7 +61,6 @@ public function restore(User $user, SwarmDocker $swarmDocker): bool
      */
     public function forceDelete(User $user, SwarmDocker $swarmDocker): bool
     {
-        // return false;
-        return true;
+        return false;
     }
 }

bootstrap/helpers/applications.php

@@ -191,6 +191,10 @@ function clone_application(Application $source, $destination, array $overrides =
     $uuid = $overrides['uuid'] ?? (string) new Cuid2;
     $server = $destination->server;
 
+    if ($server->team_id !== currentTeam()->id) {
+        throw new \RuntimeException('Destination does not belong to the current team.');
+    }
+
     // Prepare name and URL
     $name = $overrides['name'] ?? 'clone-of-'.str($source->name)->limit(20).'-'.$uuid;
     $applicationSettings = $source->settings;

tests/Feature/ResourceOperationsCrossTenantTest.php

@@ -0,0 +1,85 @@
+<?php
+
+use App\Livewire\Project\Shared\ResourceOperations;
+use App\Models\Application;
+use App\Models\Environment;
+use App\Models\Project;
+use App\Models\Server;
+use App\Models\StandaloneDocker;
+use App\Models\Team;
+use App\Models\User;
+use Livewire\Livewire;
+
+beforeEach(function () {
+    // Team A (attacker's team)
+    $this->userA = User::factory()->create();
+    $this->teamA = Team::factory()->create();
+    $this->userA->teams()->attach($this->teamA, ['role' => 'owner']);
+
+    $this->serverA = Server::factory()->create(['team_id' => $this->teamA->id]);
+    $this->destinationA = StandaloneDocker::factory()->create(['server_id' => $this->serverA->id]);
+    $this->projectA = Project::factory()->create(['team_id' => $this->teamA->id]);
+    $this->environmentA = Environment::factory()->create(['project_id' => $this->projectA->id]);
+
+    $this->applicationA = Application::factory()->create([
+        'environment_id' => $this->environmentA->id,
+        'destination_id' => $this->destinationA->id,
+        'destination_type' => $this->destinationA->getMorphClass(),
+    ]);
+
+    // Team B (victim's team)
+    $this->teamB = Team::factory()->create();
+    $this->serverB = Server::factory()->create(['team_id' => $this->teamB->id]);
+    $this->destinationB = StandaloneDocker::factory()->create(['server_id' => $this->serverB->id]);
+    $this->projectB = Project::factory()->create(['team_id' => $this->teamB->id]);
+    $this->environmentB = Environment::factory()->create(['project_id' => $this->projectB->id]);
+
+    $this->actingAs($this->userA);
+    session(['currentTeam' => $this->teamA]);
+});
+
+test('cloneTo rejects destination belonging to another team', function () {
+    Livewire::test(ResourceOperations::class, ['resource' => $this->applicationA])
+        ->call('cloneTo', $this->destinationB->id)
+        ->assertHasErrors('destination_id');
+
+    // Ensure no cross-tenant application was created
+    expect(Application::where('destination_id', $this->destinationB->id)->exists())->toBeFalse();
+});
+
+test('cloneTo allows destination belonging to own team', function () {
+    $secondDestination = StandaloneDocker::factory()->create(['server_id' => $this->serverA->id]);
+
+    Livewire::test(ResourceOperations::class, ['resource' => $this->applicationA])
+        ->call('cloneTo', $secondDestination->id)
+        ->assertHasNoErrors('destination_id')
+        ->assertRedirect();
+});
+
+test('moveTo rejects environment belonging to another team', function () {
+    Livewire::test(ResourceOperations::class, ['resource' => $this->applicationA])
+        ->call('moveTo', $this->environmentB->id);
+
+    // Resource should still be in original environment
+    $this->applicationA->refresh();
+    expect($this->applicationA->environment_id)->toBe($this->environmentA->id);
+});
+
+test('moveTo allows environment belonging to own team', function () {
+    $secondEnvironment = Environment::factory()->create(['project_id' => $this->projectA->id]);
+
+    Livewire::test(ResourceOperations::class, ['resource' => $this->applicationA])
+        ->call('moveTo', $secondEnvironment->id)
+        ->assertRedirect();
+
+    $this->applicationA->refresh();
+    expect($this->applicationA->environment_id)->toBe($secondEnvironment->id);
+});
+
+test('StandaloneDockerPolicy denies update for cross-team user', function () {
+    expect($this->userA->can('update', $this->destinationB))->toBeFalse();
+});
+
+test('StandaloneDockerPolicy allows update for same-team user', function () {
+    expect($this->userA->can('update', $this->destinationA))->toBeTrue();
+});