Protect invoicing against unauthorized use

This could be optimised for performance but this was the simplest way
and we can work on it if performance becomes a problem.

app/controllers/spree/admin/invoices_controller.rb

@@ -11,6 +11,9 @@ module Spree
       end
 
       def create
+        Spree::Order.where(id: params[:order_ids]).find_each do |order|
+          authorize! :invoice, order
+        end
         invoice_service = BulkInvoiceService.new
         invoice_service.start_pdf_job(params[:order_ids])
 
@@ -19,6 +22,8 @@ module Spree
 
       def generate
         @order = Order.find_by(number: params[:order_id])
+        authorize! :invoice, @order
+
         @comparator = OrderInvoiceComparator.new(@order)
         if @comparator.can_generate_new_invoice?
           @order.invoices.create!(