Update: 2026-05-04 01:46:58

2026-05-04 01:46:58 +03:00
parent 90f2f6f6e3
commit 08106ac4ea
3 changed files with 322 additions and 257 deletions
--- a/app/modules_app/invoices/index.php
+++ b/app/modules_app/invoices/index.php
@@ -0,0 +1,80 @@
+<?php
+/**
+ * Invoices List Endpoint (Role-Based & Tenant-Aware)
+ */
+
+use App\Core\Database;
+use App\Core\Encryption;
+use App\Middleware\AuthMiddleware;
+
+// 1. Auth Check
+$decoded = AuthMiddleware::check();
+$db = Database::getInstance();
+
+$tenantId = $decoded['tenant_id'];
+$userId = $decoded['user_id'];
+$role = $decoded['role'];
+
+try {
+    // 2. Build Query based on Role
+    if ($role === 'super_admin') {
+        // Super Admin sees ALL invoices
+        $stmt = $db->query("
+            SELECT i.*, t.name as tenant_name, c.name as company_name
+            FROM invoices i
+            LEFT JOIN tenants t ON i.tenant_id = t.id
+            LEFT JOIN companies c ON i.company_id = c.id
+            ORDER BY i.created_at DESC
+        ");
+    } elseif ($role === 'admin') {
+        // Admin sees all invoices in THEIR tenant
+        $stmt = $db->prepare("
+            SELECT i.*, c.name as company_name
+            FROM invoices i
+            LEFT JOIN companies c ON i.company_id = c.id
+            WHERE i.tenant_id = ?
+            ORDER BY i.created_at DESC
+        ");
+        $stmt->execute([$tenantId]);
+    } else {
+        // Accountant/Viewer: Filter by assigned companies
+        $stmtUser = $db->prepare("SELECT company_id FROM user_company_assignments WHERE user_id = ? AND is_active = 1");
+        $stmtUser->execute([$userId]);
+        $assignedCompanyIds = $stmtUser->fetchAll(PDO::FETCH_COLUMN);
+
+        if (empty($assignedCompanyIds)) {
+            json_success([]);
+        }
+
+        $placeholders = implode(',', array_fill(0, count($assignedCompanyIds), '?'));
+        $stmt = $db->prepare("
+            SELECT i.*, c.name as company_name
+            FROM invoices i
+            LEFT JOIN companies c ON i.company_id = c.id
+            WHERE i.company_id IN ($placeholders)
+            ORDER BY i.created_at DESC
+        ");
+        $stmt->execute($assignedCompanyIds);
+    }
+
+    $invoices = $stmt->fetchAll();
+
+    // 3. Decrypt sensitive fields for display
+    foreach ($invoices as &$inv) {
+        $inv['supplier_name'] = Encryption::decrypt($inv['supplier_name'] ?? '') ?: ($inv['supplier_name'] ?? '-');
+        $inv['supplier_tin'] = Encryption::decrypt($inv['supplier_tin'] ?? '') ?: ($inv['supplier_tin'] ?? '-');
+        $inv['buyer_name'] = Encryption::decrypt($inv['buyer_name'] ?? '') ?: ($inv['buyer_name'] ?? '-');
+        
+        if (!empty($inv['company_name'])) {
+            $inv['company_name'] = Encryption::decrypt($inv['company_name']) ?: $inv['company_name'];
+        }
+        if (!empty($inv['tenant_name'])) {
+            $inv['tenant_name'] = Encryption::decrypt($inv['tenant_name']) ?: $inv['tenant_name'];
+        }
+    }
+
+    json_success($invoices);
+
+} catch (\Exception $e) {
+    json_error('SQL Error in Invoices List: ' . $e->getMessage(), 500);
+}