Update: 2026-05-03 22:35:31

app/modules_app/dashboard/stats.php

@@ -1,30 +1,46 @@
 <?php
 /**
- * Dashboard Stats Endpoint
+ * Dashboard Stats Endpoint (Role-Based & Tenant-Aware)
  */
 
 use App\Core\Database;
 use App\Middleware\AuthMiddleware;
 
 // 1. Auth Check
-AuthMiddleware::check();
-
+$decoded = AuthMiddleware::check();
 $db = Database::getInstance();
 
+$tenantId = $decoded['tenant_id'];
+$companyId = $decoded['company_id'] ?? null;
+$role = $decoded['role'];
+
 try {
+    // 2. Build Query based on Role
+    $where = "WHERE tenant_id = :tenant_id";
+    $params = [':tenant_id' => $tenantId];
+
+    // If accountant or employee restricted to a company
+    if (($role === 'accountant' || $role === 'viewer') && $companyId) {
+        $where .= " AND company_id = :company_id";
+        $params[':company_id'] = $companyId;
+    }
+
     // Total Invoices
-    $stmt = $db->query("SELECT COUNT(*) FROM invoices");
+    $stmt = $db->prepare("SELECT COUNT(*) FROM invoices $where");
+    $stmt->execute($params);
     $total = $stmt->fetchColumn();
 
     // Pending Invoices
-    $stmt = $db->query("SELECT COUNT(*) FROM invoices WHERE status = 'pending'");
+    $stmt = $db->prepare("SELECT COUNT(*) FROM invoices $where AND status = 'pending'");
+    $stmt->execute($params);
     $pending = $stmt->fetchColumn();
 
     // Approved Invoices
-    $stmt = $db->query("SELECT COUNT(*) FROM invoices WHERE status = 'approved'");
+    $stmt = $db->prepare("SELECT COUNT(*) FROM invoices $where AND status = 'approved'");
+    $stmt->execute($params);
     $approved = $stmt->fetchColumn();
+
 } catch (\Exception $e) {
-    // Fallback if table doesn't exist yet
     $total = 0;
     $pending = 0;
     $approved = 0;