fix: prevent IDOR in application status update endpoint

Replace class-level queryset attribute with get_queryset() method that
scopes Application objects to the requesting admin's organization,
preventing regular admins from modifying applications belonging to
other organizations via pk enumeration.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

offer_backend/apps/applications/views.py

@@ -31,7 +31,12 @@ class ApplicationManageViewSet(viewsets.ReadOnlyModelViewSet):
 class ApplicationStatusUpdateView(generics.UpdateAPIView):
     serializer_class = ApplicationStatusSerializer
     permission_classes = [IsAdminOrSuperAdmin]
-    queryset = Application.objects.all()
+
+    def get_queryset(self):
+        user = self.request.user
+        if user.is_superadmin:
+            return Application.objects.all()
+        return Application.objects.filter(job__organization=user.organization)
 
     def perform_update(self, serializer):
         instance = serializer.save()