Update: 2026-05-06 17:10:14

app/modules_app/companies/create.php

@@ -6,12 +6,11 @@
 use App\Core\Database;
 use App\Core\Encryption;
 use App\Core\Validator;
+use App\Core\AuditLogger;
 use App\Middleware\AuthMiddleware;
+use App\Middleware\RoleMiddleware;
 
-$decoded = AuthMiddleware::check();
-if ($decoded['role'] !== 'super_admin' && $decoded['role'] !== 'admin') {
-    json_error('Unauthorized', 403);
-}
+$decoded = RoleMiddleware::require(['super_admin', 'admin']);
 
 $data = input();
 
@@ -80,6 +79,12 @@ try {
     ]);
     
     $db->commit();
+
+    AuditLogger::log('company.created', 'company', null, null, [
+        'name' => $data['name'],
+        'tin'  => $data['tax_identification_number'],
+    ], $decoded);
+
     json_success(null, 'تم إنشاء الشركة بنجاح');
 
 } catch (\Exception $e) {

app/modules_app/companies/delete.php

@@ -4,9 +4,12 @@
  */
 
 use App\Core\Database;
+use App\Core\AuditLogger;
 use App\Middleware\AuthMiddleware;
+use App\Middleware\RoleMiddleware;
+use App\Middleware\CompanyAccessMiddleware;
 
-$decoded = AuthMiddleware::check();
+$decoded = RoleMiddleware::require(['super_admin', 'admin']);
 $db = Database::getInstance();
 
 $companyId = input('id');
@@ -28,12 +31,13 @@ if (!$company) {
     json_error('الشركة غير موجودة', 404);
 }
 
-if ($decoded['role'] === 'admin' && $company['tenant_id'] !== $decoded['tenant_id']) {
-    json_error('ليس لديك صلاحية لحذف هذه الشركة', 403);
-}
+// Verify tenant access (admin can only delete from their tenant)
+CompanyAccessMiddleware::check($companyId, $decoded);
 
 // Soft Delete
 $stmt = $db->prepare("UPDATE companies SET deleted_at = NOW() WHERE id = ?");
 $stmt->execute([$companyId]);
 
+AuditLogger::log('company.deleted', 'company', $companyId, null, null, $decoded);
+
 json_success(null, 'تم حذف الشركة بنجاح');