Refactored a bunch of shit

src/pages/api/invoices/[id]/status.ts

@@ -60,6 +60,13 @@ export const POST: APIRoute = async ({
     return new Response("Unauthorized", { status: 401 });
   }
 
+  // Destructive status changes require owner/admin
+  const destructiveStatuses = ["void"];
+  const isAdminOrOwner = membership.role === "owner" || membership.role === "admin";
+  if (destructiveStatuses.includes(status) && !isAdminOrOwner) {
+    return new Response("Only owners and admins can void invoices", { status: 403 });
+  }
+
   try {
     await db
       .update(invoices)