Update: 2026-05-04 17:59:11

app/modules_app/invoices/view.php

@@ -7,51 +7,63 @@ use App\Core\Database;
 use App\Core\Encryption;
 use App\Middleware\AuthMiddleware;
 
-// 1. Auth Check
 $decoded = AuthMiddleware::check();
 $db = Database::getInstance();
 
-// 2. Validate Request
 $id = $_GET['id'] ?? null;
 if (!$id) json_error('Invoice ID is required', 422);
 
-// 3. Permission Check (Multi-Tenant Isolation)
 $tenantId = $decoded['tenant_id'];
+$role     = $decoded['role'];
 
 try {
-    $stmt = $db->prepare("
-        SELECT i.*, c.name as company_name 
-        FROM invoices i
-        JOIN companies c ON i.company_id = c.id
-        WHERE i.id = ? AND i.tenant_id = ?
-    ");
-    $stmt->execute([$id, $tenantId]);
-    $invoice = $stmt->fetch();
+    // 1. Fetch Invoice (Super Admin sees all, others are tenant-scoped)
+    if ($role === 'super_admin') {
+        $stmt = $db->prepare("
+            SELECT i.*, c.name as company_name
+            FROM invoices i
+            JOIN companies c ON i.company_id = c.id
+            WHERE i.id = ?
+        ");
+        $stmt->execute([$id]);
+    } else {
+        $stmt = $db->prepare("
+            SELECT i.*, c.name as company_name
+            FROM invoices i
+            JOIN companies c ON i.company_id = c.id
+            WHERE i.id = ? AND i.tenant_id = ?
+        ");
+        $stmt->execute([$id, $tenantId]);
+    }
 
+    $invoice = $stmt->fetch();
     if (!$invoice) json_error('Invoice not found or access denied', 404);
 
-    // 4. Fetch Line Items
+    // 2. Fetch Line Items
     $stmtLines = $db->prepare("SELECT * FROM invoice_lines WHERE invoice_id = ? ORDER BY line_number ASC");
     $stmtLines->execute([$id]);
     $invoice['items'] = $stmtLines->fetchAll();
 
-    // 5. Decrypt Fields (Robustly)
-    $decrypt = fn($val) => Encryption::decrypt($val ?? '') ?: $val;
+    // 3. Decrypt all encrypted fields — robust: if decryption fails, keep original value
+    $dec = function($val) {
+        if (empty($val)) return '';
+        $result = \App\Core\Encryption::decrypt((string)$val);
+        return ($result !== false && $result !== null && $result !== '') ? $result : (string)$val;
+    };
 
-    $invoice['supplier_tin'] = $decrypt($invoice['supplier_tin']);
-    $invoice['supplier_name'] = $decrypt($invoice['supplier_name']);
-    $invoice['supplier_address'] = $decrypt($invoice['supplier_address']);
-    $invoice['buyer_tin'] = $decrypt($invoice['buyer_tin']);
-    $invoice['buyer_name'] = $decrypt($invoice['buyer_name']);
-    $invoice['buyer_national_id'] = $decrypt($invoice['buyer_national_id']);
-    
-    if (!empty($invoice['company_name'])) {
-        $invoice['company_name'] = $decrypt($invoice['company_name']);
-    }
+    $invoice['supplier_tin']       = $dec($invoice['supplier_tin']);
+    $invoice['supplier_name']      = $dec($invoice['supplier_name']);
+    $invoice['supplier_address']   = $dec($invoice['supplier_address']);
+    $invoice['buyer_tin']          = $dec($invoice['buyer_tin']);
+    $invoice['buyer_name']         = $dec($invoice['buyer_name']);
+    $invoice['buyer_national_id']  = $dec($invoice['buyer_national_id']);
 
-    // 6. Fetch JoFotara Submission Data
+    // company_name is stored plaintext in the companies table — no decryption needed
+    // $invoice['company_name'] is already plaintext from the JOIN
+
+    // 4. Fetch JoFotara Submission Data (latest accepted submission)
     $stmtSub = $db->prepare("
-        SELECT jofotara_uuid, submitted_at, qr_code_raw, status as submission_status, response_body
+        SELECT jofotara_uuid, submitted_at, qr_code_raw, response_body
         FROM jofotara_submissions
         WHERE invoice_id = ? AND status = 'accepted'
         ORDER BY created_at DESC LIMIT 1
@@ -59,16 +71,21 @@ try {
     $stmtSub->execute([$id]);
     $submission = $stmtSub->fetch();
 
-    $invoice['jofotara'] = $submission ? [
-        'uuid'         => $submission['jofotara_uuid'],
-        'submitted_at' => $submission['submitted_at'],
-        'qr_image_uri' => $submission['qr_code_raw'] ? 'data:image/png;base64,' . $submission['qr_code_raw'] : null,
-        'has_xml'      => true
-    ] : null;
+    if ($submission) {
+        $invoice['jofotara'] = [
+            'uuid'         => $submission['jofotara_uuid'],
+            'submitted_at' => $submission['submitted_at'],
+            'qr_image_uri' => $submission['qr_code_raw']
+                ? 'data:image/png;base64,' . $submission['qr_code_raw']
+                : null,
+            'has_xml' => true,
+        ];
+    } else {
+        $invoice['jofotara'] = null;
+    }
 
-    // 7. Generate Public URL for File
-    $token = Encryption::encrypt($invoice['original_file_path']);
-    $invoice['file_url'] = '/index.php?route=v1/invoices/file&file_token=' . urlencode($token);
+    // 5. Build the secure file URL using the invoice ID (file.php fetches path from DB)
+    $invoice['file_url'] = '/index.php?route=v1/invoices/file&id=' . urlencode($id);
 
     json_success($invoice);