fix IDOR private projects

Author: Onatcer

app/Http/Controllers/Api/V1/ProjectController.php

@@ -78,7 +78,7 @@ public function index(Organization $organization, ProjectIndexRequest $request):
      */
     public function show(Organization $organization, Project $project): JsonResource
     {
-        $this->checkPermission($organization, 'projects:view', $project);
+        $this->checkPermission($organization, 'projects:view:all', $project);
 
         // Note: There is currently no need to check if a user is a member of the project,
         // since this is only relevant for users with the role "employee" and they can not access this endpoint.

tests/Unit/Endpoint/Api/V1/ProjectEndpointTest.php

@@ -281,6 +281,7 @@ public function test_show_endpoint_returns_project(): void
         // Arrange
         $data = $this->createUserWithPermission([
             'projects:view',
+            'projects:view:all',
         ]);
         $project = Project::factory()->forOrganization($data->organization)->create();
         Passport::actingAs($data->user);
@@ -293,6 +294,20 @@ public function test_show_endpoint_returns_project(): void
         $response->assertJsonPath('data.id', $project->getKey());
     }
 
+    public function test_show_endpoint_fails_if_employee_tries_to_access_private_project_that_they_are_not_a_member_of(): void
+    {
+        // Arrange
+        $data = $this->createUserWithRole(Role::Employee);
+        $privateProject = Project::factory()->forOrganization($data->organization)->isPrivate()->create();
+        Passport::actingAs($data->user);
+
+        // Act
+        $response = $this->getJson(route('api.v1.projects.show', [$data->organization->getKey(), $privateProject->getKey()]));
+
+        // Assert
+        $response->assertForbidden();
+    }
+
     public function test_store_endpoint_fails_if_user_has_no_permission_to_create_projects(): void
     {
         // Arrange