Update: 2026-05-06 17:10:14

app/modules_app/companies/delete.php

@@ -4,9 +4,12 @@
  */
 
 use App\Core\Database;
+use App\Core\AuditLogger;
 use App\Middleware\AuthMiddleware;
+use App\Middleware\RoleMiddleware;
+use App\Middleware\CompanyAccessMiddleware;
 
-$decoded = AuthMiddleware::check();
+$decoded = RoleMiddleware::require(['super_admin', 'admin']);
 $db = Database::getInstance();
 
 $companyId = input('id');
@@ -28,12 +31,13 @@ if (!$company) {
     json_error('الشركة غير موجودة', 404);
 }
 
-if ($decoded['role'] === 'admin' && $company['tenant_id'] !== $decoded['tenant_id']) {
-    json_error('ليس لديك صلاحية لحذف هذه الشركة', 403);
-}
+// Verify tenant access (admin can only delete from their tenant)
+CompanyAccessMiddleware::check($companyId, $decoded);
 
 // Soft Delete
 $stmt = $db->prepare("UPDATE companies SET deleted_at = NOW() WHERE id = ?");
 $stmt->execute([$companyId]);
 
+AuditLogger::log('company.deleted', 'company', $companyId, null, null, $decoded);
+
 json_success(null, 'تم حذف الشركة بنجاح');