Hamza/musadaq-saas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update: 2026-05-04 01:55:05

Browse Source
This commit is contained in:
Hamza-Ayed
2026-05-04 01:55:05 +03:00
parent 282f33ca3a
commit 87d6b8b1c0
1 changed files with 6 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
app/modules_app/invoices/upload.php
View File

@@ -26,14 +26,12 @@ if (!$companyId || !isset($_FILES['invoice'])) {
$tenantId = $decoded['tenant_id']; $tenantId = $decoded['tenant_id'];
$userId = $decoded['user_id']; $userId = $decoded['user_id'];
// Everyone (except Super Admin who shouldn't upload here) must belong to the tenant // Everyone (except Super Admin) must belong to the same tenant as the company
// And if they are NOT an admin, they must be assigned to this company $stmt = $db->prepare("SELECT id FROM companies WHERE id = ? AND tenant_id = ? AND deleted_at IS NULL");
if ($decoded['role'] !== 'admin' && $decoded['role'] !== 'super_admin') { $stmt->execute([$companyId, $tenantId]);
$stmt = $db->prepare("SELECT id FROM user_company_assignments WHERE user_id = ? AND company_id = ? AND is_active = 1");
$stmt->execute([$userId, $companyId]); if (!$stmt->fetch()) {
if (!$stmt->fetch()) { json_error('Access denied to this company or invalid company ID', 403);
json_error('Access denied to this company', 403);
}
} }
// 4. Handle File Upload // 4. Handle File Upload