Update: 2026-05-06 17:10:14

2026-05-06 17:10:14 +03:00
parent a9a2c65bee
commit 019bff7e37
16 changed files with 788 additions and 68 deletions
--- a/app/Core/AuditLogger.php
+++ b/app/Core/AuditLogger.php
@@ -0,0 +1,63 @@
+<?php
+/**
+ * Audit Logger — Records all important actions for compliance and debugging.
+ * 
+ * Usage:
+ *   AuditLogger::log('invoice.approved', 'invoice', $invoiceId, $oldData, $newData, $decoded);
+ *   AuditLogger::log('user.login', 'user', $userId, decoded: $decoded);
+ */
+
+declare(strict_types=1);
+
+namespace App\Core;
+
+final class AuditLogger
+{
+    /**
+     * Log an audit event.
+     *
+     * @param string      $action     e.g. 'invoice.approved', 'user.created', 'company.deleted'
+     * @param string|null $entityType e.g. 'invoice', 'user', 'company'
+     * @param string|null $entityId   UUID of the affected entity
+     * @param array|null  $oldData    Previous state (for updates/deletes)
+     * @param array|null  $newData    New state (for creates/updates)
+     * @param array|null  $decoded    JWT decoded payload (to extract user_id, tenant_id)
+     */
+    public static function log(
+        string  $action,
+        ?string $entityType = null,
+        ?string $entityId = null,
+        ?array  $oldData = null,
+        ?array  $newData = null,
+        ?array  $decoded = null
+    ): void {
+        try {
+            $db = Database::getInstance();
+
+            $tenantId  = $decoded['tenant_id'] ?? null;
+            $userId    = $decoded['user_id'] ?? null;
+            $ipAddress = $_SERVER['REMOTE_ADDR'] ?? null;
+            $userAgent = substr($_SERVER['HTTP_USER_AGENT'] ?? '', 0, 500);
+
+            $stmt = $db->prepare("
+                INSERT INTO audit_logs (id, tenant_id, user_id, action, entity_type, entity_id, old_data, new_data, ip_address, user_agent)
+                VALUES (UUID(), ?, ?, ?, ?, ?, ?, ?, ?, ?)
+            ");
+
+            $stmt->execute([
+                $tenantId,
+                $userId,
+                $action,
+                $entityType,
+                $entityId,
+                $oldData ? json_encode($oldData, JSON_UNESCAPED_UNICODE) : null,
+                $newData ? json_encode($newData, JSON_UNESCAPED_UNICODE) : null,
+                $ipAddress,
+                $userAgent,
+            ]);
+        } catch (\Exception $e) {
+            // Audit logging should NEVER crash the main request
+            error_log("[AuditLogger] Failed to log action '{$action}': " . $e->getMessage());
+        }
+    }
+}
--- a/app/Middleware/CompanyAccessMiddleware.php
+++ b/app/Middleware/CompanyAccessMiddleware.php
@@ -0,0 +1,104 @@
+<?php
+/**
+ * Company Access Middleware
+ * 
+ * Ensures that the current user has access to the requested company.
+ * - super_admin: access to ALL companies across ALL tenants
+ * - admin: access to ALL companies within their tenant
+ * - accountant: access ONLY to their assigned company (users.company_id)
+ * - viewer: access ONLY to their assigned company (read-only)
+ * 
+ * Usage:
+ *   $decoded = AuthMiddleware::check();
+ *   CompanyAccessMiddleware::check($companyId, $decoded);
+ */
+
+declare(strict_types=1);
+
+namespace App\Middleware;
+
+use App\Core\Database;
+
+final class CompanyAccessMiddleware
+{
+    /**
+     * Check if the user can access the given company.
+     * Halts with 403 if access is denied.
+     */
+    public static function check(string $companyId, array $decoded): void
+    {
+        $role = $decoded['role'] ?? '';
+        $tenantId = $decoded['tenant_id'] ?? '';
+        $userId = $decoded['user_id'] ?? '';
+
+        // super_admin can access everything
+        if ($role === 'super_admin') {
+            return;
+        }
+
+        $db = Database::getInstance();
+
+        // 1. Verify the company belongs to the user's tenant
+        $stmt = $db->prepare("SELECT id, tenant_id FROM companies WHERE id = ? LIMIT 1");
+        $stmt->execute([$companyId]);
+        $company = $stmt->fetch();
+
+        if (!$company) {
+            json_error('الشركة غير موجودة', 404);
+        }
+
+        if ($company['tenant_id'] !== $tenantId) {
+            // Company exists but belongs to a different tenant — treat as 404 (don't leak info)
+            json_error('الشركة غير موجودة', 404);
+        }
+
+        // 2. admin can access all companies in their tenant
+        if ($role === 'admin') {
+            return;
+        }
+
+        // 3. accountant / viewer — must be assigned to this specific company
+        $stmt = $db->prepare("SELECT company_id FROM users WHERE id = ? AND tenant_id = ? LIMIT 1");
+        $stmt->execute([$userId, $tenantId]);
+        $user = $stmt->fetch();
+
+        if (!$user || $user['company_id'] !== $companyId) {
+            http_response_code(403);
+            header('Content-Type: application/json');
+            echo json_encode([
+                'success' => false,
+                'message' => 'ليس لديك صلاحية للوصول إلى هذه الشركة',
+                'code'    => 'COMPANY_ACCESS_DENIED',
+            ], JSON_UNESCAPED_UNICODE);
+            exit;
+        }
+    }
+
+    /**
+     * Get the list of company IDs that the user can access.
+     * Useful for listing/filtering queries.
+     */
+    public static function getAccessibleCompanyIds(array $decoded): ?array
+    {
+        $role = $decoded['role'] ?? '';
+        $tenantId = $decoded['tenant_id'] ?? '';
+        $userId = $decoded['user_id'] ?? '';
+
+        // super_admin & admin: null means "no filter" (access all)
+        if ($role === 'super_admin' || $role === 'admin') {
+            return null;
+        }
+
+        // accountant / viewer: only their assigned company
+        $db = Database::getInstance();
+        $stmt = $db->prepare("SELECT company_id FROM users WHERE id = ? AND tenant_id = ? LIMIT 1");
+        $stmt->execute([$userId, $tenantId]);
+        $user = $stmt->fetch();
+
+        if ($user && $user['company_id']) {
+            return [$user['company_id']];
+        }
+
+        return []; // No access to any company
+    }
+}
--- a/app/Middleware/RoleMiddleware.php
+++ b/app/Middleware/RoleMiddleware.php
@@ -0,0 +1,97 @@
+<?php
+/**
+ * Role-Based Access Control (RBAC) Middleware
+ * 
+ * Enforces role-based permissions on API endpoints.
+ * Must be called AFTER AuthMiddleware::check().
+ * 
+ * Usage:
+ *   RoleMiddleware::require(['admin', 'super_admin']);
+ *   RoleMiddleware::requireAny(['admin', 'accountant', 'super_admin']);
+ *   RoleMiddleware::denyRole('viewer');
+ */
+
+declare(strict_types=1);
+
+namespace App\Middleware;
+
+final class RoleMiddleware
+{
+    /**
+     * Require the user to have ONE of the specified roles.
+     * Halts execution with 403 if the user doesn't have any of them.
+     */
+    public static function require(array $allowedRoles, ?array $decoded = null): array
+    {
+        if (!$decoded) {
+            $decoded = AuthMiddleware::check();
+        }
+
+        $userRole = $decoded['role'] ?? '';
+
+        if (!in_array($userRole, $allowedRoles, true)) {
+            http_response_code(403);
+            header('Content-Type: application/json');
+            echo json_encode([
+                'success' => false,
+                'message' => 'ليس لديك صلاحية للوصول إلى هذا المورد',
+                'code'    => 'FORBIDDEN',
+                'required_roles' => $allowedRoles,
+                'your_role'      => $userRole,
+            ], JSON_UNESCAPED_UNICODE);
+            exit;
+        }
+
+        return $decoded;
+    }
+
+    /**
+     * Deny access to specific roles (blacklist approach).
+     */
+    public static function deny(array $deniedRoles, ?array $decoded = null): array
+    {
+        if (!$decoded) {
+            $decoded = AuthMiddleware::check();
+        }
+
+        $userRole = $decoded['role'] ?? '';
+
+        if (in_array($userRole, $deniedRoles, true)) {
+            http_response_code(403);
+            header('Content-Type: application/json');
+            echo json_encode([
+                'success' => false,
+                'message' => 'ليس لديك صلاحية للوصول إلى هذا المورد',
+                'code'    => 'FORBIDDEN',
+            ], JSON_UNESCAPED_UNICODE);
+            exit;
+        }
+
+        return $decoded;
+    }
+
+    /**
+     * Check if the current user is a super_admin.
+     */
+    public static function isSuperAdmin(array $decoded): bool
+    {
+        return ($decoded['role'] ?? '') === 'super_admin';
+    }
+
+    /**
+     * Check if the current user is an admin or super_admin.
+     */
+    public static function isAdmin(array $decoded): bool
+    {
+        return in_array($decoded['role'] ?? '', ['admin', 'super_admin'], true);
+    }
+
+    /**
+     * Check if the current user can write (create/update/delete).
+     * Viewers are read-only.
+     */
+    public static function canWrite(array $decoded): bool
+    {
+        return in_array($decoded['role'] ?? '', ['super_admin', 'admin', 'accountant'], true);
+    }
+}
--- a/app/modules_app/companies/create.php
+++ b/app/modules_app/companies/create.php
@@ -6,12 +6,11 @@
 use App\Core\Database;
 use App\Core\Encryption;
 use App\Core\Validator;
+use App\Core\AuditLogger;
 use App\Middleware\AuthMiddleware;
+use App\Middleware\RoleMiddleware;

-$decoded = AuthMiddleware::check();
-if ($decoded['role'] !== 'super_admin' && $decoded['role'] !== 'admin') {
-    json_error('Unauthorized', 403);
-}
+$decoded = RoleMiddleware::require(['super_admin', 'admin']);

 $data = input();

@@ -80,6 +79,12 @@ try {
    ]);
    
    $db->commit();
+
+    AuditLogger::log('company.created', 'company', null, null, [
+        'name' => $data['name'],
+        'tin'  => $data['tax_identification_number'],
+    ], $decoded);
+
    json_success(null, 'تم إنشاء الشركة بنجاح');

 } catch (\Exception $e) {
--- a/app/modules_app/companies/delete.php
+++ b/app/modules_app/companies/delete.php
@@ -4,9 +4,12 @@
 */

 use App\Core\Database;
+use App\Core\AuditLogger;
 use App\Middleware\AuthMiddleware;
+use App\Middleware\RoleMiddleware;
+use App\Middleware\CompanyAccessMiddleware;

-$decoded = AuthMiddleware::check();
+$decoded = RoleMiddleware::require(['super_admin', 'admin']);
 $db = Database::getInstance();

 $companyId = input('id');
@@ -28,12 +31,13 @@ if (!$company) {
    json_error('الشركة غير موجودة', 404);
 }

-if ($decoded['role'] === 'admin' && $company['tenant_id'] !== $decoded['tenant_id']) {
-    json_error('ليس لديك صلاحية لحذف هذه الشركة', 403);
-}
+// Verify tenant access (admin can only delete from their tenant)
+CompanyAccessMiddleware::check($companyId, $decoded);

 // Soft Delete
 $stmt = $db->prepare("UPDATE companies SET deleted_at = NOW() WHERE id = ?");
 $stmt->execute([$companyId]);

+AuditLogger::log('company.deleted', 'company', $companyId, null, null, $decoded);
+
 json_success(null, 'تم حذف الشركة بنجاح');
--- a/app/modules_app/dashboard/recent_activity.php
+++ b/app/modules_app/dashboard/recent_activity.php
@@ -0,0 +1,42 @@
+<?php
+/**
+ * Dashboard Recent Activity Endpoint
+ */
+
+declare(strict_types=1);
+
+use App\Core\Database;
+use App\Middleware\AuthMiddleware;
+
+$decoded = AuthMiddleware::check();
+$db = Database::getInstance();
+
+$tenantId = $decoded['tenant_id'] ?? null;
+$role = $decoded['role'];
+
+try {
+    if ($role === 'super_admin') {
+        $where = "WHERE 1=1";
+        $params = [];
+    } else {
+        $where = "WHERE tenant_id = ?";
+        $params = [$tenantId];
+    }
+
+    // Join with users table to get the name of the person who did the action
+    $stmt = $db->prepare("
+        SELECT a.id, a.action, a.entity_type, a.created_at, u.name as user_name
+        FROM audit_logs a
+        LEFT JOIN users u ON a.user_id = u.id
+        $where
+        ORDER BY a.created_at DESC
+        LIMIT 20
+    ");
+    $stmt->execute($params);
+    $activities = $stmt->fetchAll();
+
+    json_success($activities);
+
+} catch (\Exception $e) {
+    json_error('Failed to fetch recent activity', 500);
+}
--- a/app/modules_app/dashboard/stats.php
+++ b/app/modules_app/dashboard/stats.php
@@ -15,38 +15,67 @@ $companyId = $decoded['company_id'] ?? null;
 $role = $decoded['role'];

 try {
-    // 2. Apply Filters based on Role
+    $stats = [
+        'role' => $role,
+        'invoices' => [
+            'total' => 0,
+            'pending' => 0,
+            'approved' => 0
+        ]
+    ];
+
+    // 2. Fetch Invoice Stats
    if ($role === 'super_admin') {
-        // No filters - see everything
        $where = "WHERE 1=1";
        $params = [];
+    } elseif ($role === 'accountant' || $role === 'viewer') {
+        $where = "WHERE tenant_id = ? AND company_id = ?";
+        $params = [$tenantId, $companyId];
    } else {
-        // Tenant Users (Admin, Accountant, Employee): Filter by Tenant
+        // admin
        $where = "WHERE tenant_id = ?";
        $params = [$tenantId];
    }

-    // 3. Fetch Stats
    $stmt = $db->prepare("SELECT COUNT(*) FROM invoices $where");
    $stmt->execute($params);
-    $total = $stmt->fetchColumn();
+    $stats['invoices']['total'] = (int)$stmt->fetchColumn();

    $stmt = $db->prepare("SELECT COUNT(*) FROM invoices $where AND status = 'extracted'");
    $stmt->execute($params);
-    $pending = $stmt->fetchColumn();
+    $stats['invoices']['pending'] = (int)$stmt->fetchColumn();

    $stmt = $db->prepare("SELECT COUNT(*) FROM invoices $where AND status = 'approved'");
    $stmt->execute($params);
-    $approved = $stmt->fetchColumn();
+    $stats['invoices']['approved'] = (int)$stmt->fetchColumn();
+
+    // 3. Role-Specific Extra Stats
+    if ($role === 'super_admin') {
+        $stats['tenants'] = (int)$db->query("SELECT COUNT(*) FROM tenants")->fetchColumn();
+        $stats['total_users'] = (int)$db->query("SELECT COUNT(*) FROM users")->fetchColumn();
+    } elseif ($role === 'admin') {
+        $stmt = $db->prepare("SELECT COUNT(*) FROM companies WHERE tenant_id = ?");
+        $stmt->execute([$tenantId]);
+        $stats['companies'] = (int)$stmt->fetchColumn();
+
+        $stmt = $db->prepare("SELECT COUNT(*) FROM users WHERE tenant_id = ?");
+        $stmt->execute([$tenantId]);
+        $stats['users'] = (int)$stmt->fetchColumn();
+
+        // Get Subscription Quota
+        $stmt = $db->prepare("SELECT max_invoices_per_month, invoices_used_this_month FROM subscriptions WHERE tenant_id = ?");
+        $stmt->execute([$tenantId]);
+        $sub = $stmt->fetch();
+        if ($sub) {
+            $stats['subscription'] = [
+                'limit' => (int)$sub['max_invoices_per_month'],
+                'used'  => (int)$sub['invoices_used_this_month']
+            ];
+        }
+    }

 } catch (\Exception $e) {
-    $total = 0;
-    $pending = 0;
-    $approved = 0;
+    // Return default zeroed stats on error
 }

-json_success([
-    'total' => $total,
-    'pending' => $pending,
-    'approved' => $approved
-]);
+json_success($stats);
--- a/app/modules_app/invoices/approve.php
+++ b/app/modules_app/invoices/approve.php
@@ -5,9 +5,13 @@

 use App\Core\Database;
 use App\Core\JoFotara;
+use App\Core\AuditLogger;
 use App\Middleware\AuthMiddleware;
+use App\Middleware\RoleMiddleware;
+use App\Middleware\CompanyAccessMiddleware;

-$decoded = AuthMiddleware::check();
+// Only admin, accountant, and super_admin can approve. Viewers cannot.
+$decoded = RoleMiddleware::require(['super_admin', 'admin', 'accountant']);
 $db = Database::getInstance();

 $data = json_decode(file_get_contents('php://input'), true);
@@ -111,6 +115,14 @@ try {
        'is_api_success' => $apiResponse['success']
    ]);

+    AuditLogger::log('invoice.approved', 'invoice', $id, [
+        'old_status' => $invoice['status'],
+    ], [
+        'new_status' => 'approved',
+        'jofotara_uuid' => $apiResponse['uuid'] ?? null,
+        'api_success' => $apiResponse['success'],
+    ], $decoded);
+
 } catch (\Exception $e) {
    if ($db->inTransaction()) $db->rollBack();
    error_log("JoFotara Approve Error: " . $e->getMessage());
--- a/app/modules_app/users/create.php
+++ b/app/modules_app/users/create.php
@@ -6,13 +6,12 @@
 use App\Core\Database;
 use App\Core\Encryption;
 use App\Core\Validator;
+use App\Core\AuditLogger;
 use App\Middleware\AuthMiddleware;
+use App\Middleware\RoleMiddleware;

-// 1. Auth Check (Only super_admin or admin can create users)
-$decoded = AuthMiddleware::check();
-if ($decoded['role'] !== 'super_admin' && $decoded['role'] !== 'admin') {
-    json_error('Unauthorized', 403);
-}
+// 1. Auth + Role Check (Only super_admin or admin can create users)
+$decoded = RoleMiddleware::require(['super_admin', 'admin']);

 $data = input();

@@ -76,6 +75,12 @@ try {
    ]);

    json_success(null, 'تم إضافة المستخدم بنجاح');
+
+    AuditLogger::log('user.created', 'user', null, null, [
+        'name'  => $data['name'],
+        'email' => $data['email'],
+        'role'  => $data['role'],
+    ], $decoded);
 } catch (\Exception $e) {
    if (str_contains($e->getMessage(), 'Duplicate entry')) {
        json_error('البريد الإلكتروني مسجل مسبقاً', 409);
--- a/app/modules_app/users/delete.php
+++ b/app/modules_app/users/delete.php
@@ -4,10 +4,12 @@
 */

 use App\Core\Database;
+use App\Core\AuditLogger;
 use App\Middleware\AuthMiddleware;
+use App\Middleware\RoleMiddleware;

-// 1. Auth Check
-$decoded = AuthMiddleware::check();
+// 1. Auth + Role Check
+$decoded = RoleMiddleware::require(['super_admin', 'admin']);
 $db = Database::getInstance();

 $currentUserId = $decoded['user_id'];
@@ -52,4 +54,8 @@ if ($currentUserRole === 'super_admin') {
 $stmt = $db->prepare("UPDATE users SET deleted_at = NOW(), is_active = 0 WHERE id = ?");
 $stmt->execute([$targetUserId]);

+AuditLogger::log('user.deleted', 'user', $targetUserId, [
+    'role' => $targetUser['role'],
+], null, $decoded);
+
 json_success(null, 'تم حذف المستخدم بنجاح');