Update: 2026-05-06 17:10:14

app/modules_app/invoices/approve.php

@@ -5,9 +5,13 @@
 
 use App\Core\Database;
 use App\Core\JoFotara;
+use App\Core\AuditLogger;
 use App\Middleware\AuthMiddleware;
+use App\Middleware\RoleMiddleware;
+use App\Middleware\CompanyAccessMiddleware;
 
-$decoded = AuthMiddleware::check();
+// Only admin, accountant, and super_admin can approve. Viewers cannot.
+$decoded = RoleMiddleware::require(['super_admin', 'admin', 'accountant']);
 $db = Database::getInstance();
 
 $data = json_decode(file_get_contents('php://input'), true);
@@ -111,6 +115,14 @@ try {
         'is_api_success' => $apiResponse['success']
     ]);
 
+    AuditLogger::log('invoice.approved', 'invoice', $id, [
+        'old_status' => $invoice['status'],
+    ], [
+        'new_status' => 'approved',
+        'jofotara_uuid' => $apiResponse['uuid'] ?? null,
+        'api_success' => $apiResponse['success'],
+    ], $decoded);
+
 } catch (\Exception $e) {
     if ($db->inTransaction()) $db->rollBack();
     error_log("JoFotara Approve Error: " . $e->getMessage());