Insecure Direct Object Reference allows Crew Invite deletion
Severity: Medium
Rockstar Games
Team Summary
Official summary from Rockstar Games
In this report, the hacker discovered an Insecure Direct Object Reference vulnerability in a service endpoint relating to Crews management that allowed unauthorized users to delete outstanding Crew invitations from arbitrary Crews to arbitrary Social Club users. To resolve this vulnerability, we implemented additional checks on the service side to ensure that Crew Invites can only be deleted by either the user who initially sent the request or an authorized member of the Crew in question.
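The authorization rule the summary describes, modelled as an added example that is not Rockstar Games' code: a delete handler that only checks that the caller is logged in (the IDOR) beside one that also checks that the caller sent the invite or manages invites for that Crew. All names (`Crew`, `Invite`, `invite_managers`, the `delete_invite_*` functions) and the sample ids are hypothetical.

```python
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller is not allowed to act on the requested invite."""


@dataclass
class Crew:
    crew_id: int
    # Members allowed to manage invites for this Crew (hypothetical role model).
    invite_managers: set = field(default_factory=set)


@dataclass
class Invite:
    invite_id: int
    crew_id: int
    sender_id: int
    recipient_id: int


def sample_data():
    """Constructed sample data: one Crew, two outstanding invites."""
    crews = {10: Crew(10, invite_managers={1, 2})}
    invites = {
        100: Invite(100, crew_id=10, sender_id=1, recipient_id=50),
        101: Invite(101, crew_id=10, sender_id=2, recipient_id=51),
    }
    return crews, invites


def delete_invite_vulnerable(invites, caller_id, invite_id):
    """IDOR pattern: any authenticated caller can delete any invite by id."""
    invites.pop(invite_id)  # caller_id is never compared against the invite
    return True


def can_delete_invite(crews, invite, caller_id):
    """Server-side rule: the original sender, or an invite manager of the Crew."""
    if caller_id == invite.sender_id:
        return True
    crew = crews.get(invite.crew_id)
    return crew is not None and caller_id in crew.invite_managers


def delete_invite_fixed(crews, invites, caller_id, invite_id):
    """Hardened handler: look the object up, then authorize before deleting."""
    invite = invites.get(invite_id)
    # One response for "missing" and "not yours" so invite ids cannot be probed.
    if invite is None or not can_delete_invite(crews, invite, caller_id):
        raise Forbidden(f"user {caller_id} may not delete invite {invite_id}")
    del invites[invite_id]
    return True
```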
Reported by floorball
Report Details
Additional information and metadata
State: Closed
Substate: Resolved
Weakness: Insecure Direct Object Reference (IDOR)