From 87d6b8b1c029febd60afc367efd067eae4c1e462 Mon Sep 17 00:00:00 2001
From: Hamza-Ayed
Date: Mon, 4 May 2026 01:55:05 +0300
Subject: [PATCH] Update: 2026-05-04 01:55:05

---
 app/modules_app/invoices/upload.php | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)

diff --git a/app/modules_app/invoices/upload.php b/app/modules_app/invoices/upload.php
index dce4a39..c358061 100644
--- a/app/modules_app/invoices/upload.php
+++ b/app/modules_app/invoices/upload.php
@@ -26,14 +26,12 @@ if (!$companyId || !isset($_FILES['invoice'])) {
 $tenantId = $decoded['tenant_id'];
 $userId = $decoded['user_id'];
 
-// Everyone (except Super Admin who shouldn't upload here) must belong to the tenant
-// And if they are NOT an admin, they must be assigned to this company
-if ($decoded['role'] !== 'admin' && $decoded['role'] !== 'super_admin') {
-    $stmt = $db->prepare("SELECT id FROM user_company_assignments WHERE user_id = ? AND company_id = ? AND is_active = 1");
-    $stmt->execute([$userId, $companyId]);
-    if (!$stmt->fetch()) {
-        json_error('Access denied to this company', 403);
-    }
+// Everyone (except Super Admin) must belong to the same tenant as the company
+$stmt = $db->prepare("SELECT id FROM companies WHERE id = ? AND tenant_id = ? AND deleted_at IS NULL");
+$stmt->execute([$companyId, $tenantId]);
+
+if (!$stmt->fetch()) {
+    json_error('Access denied to this company or invalid company ID', 403);
 }
 
 // 4. Handle File Upload
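Review bot: The per-user `user_company_assignments` check removed in this hunk is not replaced by anything equivalent, so after the change any non-admin user whose `tenant_id` matches can upload invoices for every company in that tenant rather than only the companies they are assigned to; if that widening is not intended, keep the new tenant-scope query (it usefully rejects unknown and soft-deleted companies for all roles) and re-add the assignment check after it for non-admin roles. The new comment also says "except Super Admin", but the tenant query now runs for every role, so a `super_admin` token whose `tenant_id` differs from the company's is rejected — either drop that clause from the comment or gate the query on `$decoded['role']`. The surrounding script continues outside the hunk; within it `$userId` is still assigned but no longer used.
```php
// … unchanged: tenant-scope check on companies (all roles) …

// Non-admin users must additionally be assigned to this company
if ($decoded['role'] !== 'admin' && $decoded['role'] !== 'super_admin') {
    $stmt = $db->prepare("SELECT id FROM user_company_assignments WHERE user_id = ? AND company_id = ? AND is_active = 1");
    $stmt->execute([$userId, $companyId]);
    if (!$stmt->fetch()) {
        json_error('Access denied to this company', 403);
    }
}
```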