
User can create Invoices for different groups

Open hbbh opened this issue 7 years ago • 0 comments

Love the idea of this library, thanks for making it available.

I hope I'm missing something, but it looks like you can PUT and POST invoices within your own team using the storeMemberA user if you send the id and invoiceId properties?

// POST within the user's own team, but with a client-supplied id
it('should not create a teams invoice with id props', function() {
  return logInAs(user.username)
    .then(res => json('post', `/api/invoices?access_token=${res.body.id}`)
      .send({ storeId: 'A', name: 'A invoice', invoiceNumber: 123, id: 123 })
      .expect(401))
})

returns 200

Even worse it looks like you can do the same across teams if you include the same properties.

// POST into another team (storeId 'B') with a client-supplied id
it('should not create another teams invoice with id props', function() {
  return logInAs(user.username)
    .then(res => json('post', `/api/invoices?access_token=${res.body.id}`)
      .send({ storeId: 'B', name: 'A invoice', invoiceNumber: 223, id: 223 })
      .expect(401))
})

// PUT (upsert) into another team with a client-supplied id
it('should not create another teams invoice with id prop', function() {
  return logInAs(user.username)
    .then(res => json('put', `/api/invoices?access_token=${res.body.id}`)
      .send({
        id: 21234,
        storeId: 'B',
        invoiceNumber: 21234,
      })
      .expect(401))
})

both return 200

I've updated the rest-test.js file in this branch, which highlights the issue here: https://github.com/hbbh/loopback-component-access-groups/tree/test-create-upsert-permissions

It's probably my phat-hands, but it would be good to get another pair of eyes on it.

hbbh avatar Jan 31 '18 13:01 hbbh
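A hardened write check that would make all three requests in the issue above return 401, added here as an example; it is not code from loopback-component-access-groups or from the reporter's branch. The in-memory invoice store, the memberships map and the function names are assumptions, and the policy it enforces (no client-supplied id on create; the team of an update resolved from the stored record, not the request body) is the one the expected 401s imply.

```javascript
// Added example: a hardened check for the create/update cases in the issue above.
// Not code from loopback-component-access-groups; the store, memberships and
// function names are assumptions, and the data is constructed for the demo.
const invoices = new Map([
  [123, { id: 123, storeId: 'A', invoiceNumber: 123 }], // constructed, team A
  [223, { id: 223, storeId: 'B', invoiceNumber: 223 }], // constructed, team B
]);
// constructed: which store groups each user belongs to
const memberships = { storeMemberA: new Set(['A']), storeMemberB: new Set(['B']) };

// Policy implied by the tests on this page:
//  - a create (POST) must not carry a client-chosen id, because with
//    create/upsert semantics that id can point at an existing row;
//  - an update (PUT) is authorized against the stored record's storeId,
//    never against the storeId the client put in the body.
function authorizeInvoiceWrite(user, method, body) {
  const groups = memberships[user] || new Set();
  if (method === 'post') {
    if (Object.prototype.hasOwnProperty.call(body, 'id')) return 401;
    return groups.has(body.storeId) ? 200 : 401;
  }
  if (method === 'put') {
    const existing = invoices.get(body.id);
    // unknown id: refuse rather than let the upsert create a row in any team
    if (!existing || !groups.has(existing.storeId)) return 401;
    // the body must not move the record into a team the user is not in
    if (body.storeId !== undefined && !groups.has(body.storeId)) return 401;
    return 200;
  }
  return 405;
}

// The three requests from the issue, all expected to be refused.
const issueCases = [
  ['post', { storeId: 'A', name: 'A invoice', invoiceNumber: 123, id: 123 }],
  ['post', { storeId: 'B', name: 'A invoice', invoiceNumber: 223, id: 223 }],
  ['put', { id: 21234, storeId: 'B', invoiceNumber: 21234 }],
];
function runIssueCases(user) {
  return issueCases.map(([m, b]) => authorizeInvoiceWrite(user, m, b));
}
console.log(runIssueCases('storeMemberA')); // [401, 401, 401]
```

Legitimate writes still pass: a POST without an id into a team the user belongs to, or a PUT whose id resolves to a record in that team, return 200.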