diff --git a/app/core/AI.php b/app/core/AI.php new file mode 100644 index 0000000..e345dc6 --- /dev/null +++ b/app/core/AI.php @@ -0,0 +1,103 @@ + [ + [ + "parts" => [ + ["text" => $prompt], + [ + "inline_data" => [ + "mime_type" => $mimeType, + "data" => $base64Data + ] + ] + ] + ] + ], + "generationConfig" => [ + "response_mime_type" => "application/json" + ] + ]; + + $ch = curl_init(self::$baseUrl . "?key=" . $apiKey); + curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); + curl_setopt($ch, CURLOPT_POST, true); + curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($payload)); + curl_setopt($ch, CURLOPT_HTTPHEADER, ['Content-Type: application/json']); + + $response = curl_exec($ch); + $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE); + curl_close($ch); + + if ($httpCode !== 200) { + error_log("AI Error: Gemini API returned code $httpCode. Response: " . $response); + return null; + } + + $result = json_decode($response, true); + $textResponse = $result['candidates'][0]['content']['parts'][0]['text'] ?? null; + + if (!$textResponse) return null; + + return json_decode($textResponse, true); + } +} diff --git a/app/modules_app/invoices/upload.php b/app/modules_app/invoices/upload.php index 4cf6e23..1f80cbb 100644 --- a/app/modules_app/invoices/upload.php +++ b/app/modules_app/invoices/upload.php @@ -15,58 +15,107 @@ if (!in_array($decoded['role'], $allowedRoles)) { json_error('Unauthorized to upload invoices', 403); } -// 2. Validate Request -$companyId = $_POST['company_id'] ?? null; -if (!$companyId || !isset($_FILES['invoice'])) { - json_error('Company ID and invoice file are required', 422); -} - -// 3. Permission Check (Can this user upload to this company?) +// 3. Permission Check $tenantId = $decoded['tenant_id']; $userId = $decoded['user_id']; -if ($decoded['role'] === 'admin') { - $stmt = $db->prepare("SELECT id FROM companies WHERE id = ? AND tenant_id = ? AND deleted_at IS NULL"); - $stmt->execute([$companyId, $tenantId]); -} elseif ($decoded['role'] === 'accountant') { - $stmt = $db->prepare(" - SELECT c.id FROM companies c - JOIN user_company_assignments uca ON c.id = uca.company_id - WHERE c.id = ? AND uca.user_id = ? AND uca.is_active = 1 - "); - $stmt->execute([$companyId, $userId]); -} else { // employee - // In our schema, employee is linked via users.company_id - $stmt = $db->prepare("SELECT id FROM users WHERE id = ? AND company_id = ?"); +// Everyone (except Super Admin who shouldn't upload here) must belong to the tenant +// And if they are NOT an admin, they must be assigned to this company +if ($decoded['role'] !== 'admin' && $decoded['role'] !== 'super_admin') { + $stmt = $db->prepare("SELECT id FROM user_company_assignments WHERE user_id = ? AND company_id = ? AND is_active = 1"); $stmt->execute([$userId, $companyId]); + if (!$stmt->fetch()) { + json_error('Access denied to this company', 403); + } } -if (!$stmt->fetch()) { - json_error('Access denied to this company', 403); -} +// 4. Handle File Upload +$dateFolder = date('Y-m-d'); +$uploadDir = STORAGE_PATH . '/invoices/' . $tenantId . '/' . $companyId . '/' . $dateFolder . '/'; +if (!is_dir($uploadDir)) mkdir($uploadDir, 0775, true); -// 4. Handle File Upload (Mock logic for now, using storage/invoices) -$uploadDir = __DIR__ . '/../../../storage/invoices/' . $tenantId . '/' . $companyId . '/'; -if (!is_dir($uploadDir)) mkdir($uploadDir, 0755, true); - -$fileName = time() . '_' . basename($_FILES['invoice']['name']); +$extension = pathinfo($_FILES['invoice']['name'], PATHINFO_EXTENSION); +$fileName = bin2hex(random_bytes(8)) . '_' . time() . '.' . $extension; $targetFile = $uploadDir . $fileName; if (move_uploaded_file($_FILES['invoice']['tmp_name'], $targetFile)) { - // 5. Save to DB - $stmt = $db->prepare(" - INSERT INTO invoices ( - tenant_id, company_id, status, uploaded_by, original_file_path, created_at - ) VALUES (?, ?, 'uploaded', ?, ?, NOW()) - "); - $stmt->execute([ - $tenantId, - $companyId, - $userId, - $targetFile - ]); + + // 5. Run AI Extraction + $mimeType = $_FILES['invoice']['type']; + $base64Data = base64_encode(file_get_contents($targetFile)); + + $extracted = \App\Core\AI::extractInvoiceData($base64Data, $mimeType); + + if (!$extracted) { + // Still save basic record if AI fails + $stmt = $db->prepare("INSERT INTO invoices (tenant_id, company_id, uploaded_by, original_file_path, status, created_at) VALUES (?, ?, ?, ?, 'uploaded', NOW())"); + $stmt->execute([$tenantId, $companyId, $userId, $targetFile]); + json_success(['id' => $db->lastInsertId()], 'تم رفع الفاتورة ولكن فشل استخراج البيانات تلقائياً'); + } - json_success(['id' => $db->lastInsertId()], 'تم رفع الفاتورة بنجاح وبدأت عملية المعالجة'); + // 6. Save Extracted Data with Encryption + try { + $db->beginTransaction(); + + $stmt = $db->prepare(" + INSERT INTO invoices ( + tenant_id, company_id, uploaded_by, original_file_path, status, + invoice_number, invoice_date, invoice_type, invoice_category, + supplier_tin, supplier_name, supplier_address, + buyer_tin, buyer_name, buyer_national_id, + subtotal, tax_amount, discount_total, grand_total, currency_code, + created_at + ) VALUES (?, ?, ?, ?, 'extracted', ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, NOW()) + "); + + $stmt->execute([ + $tenantId, $companyId, $userId, $targetFile, + $extracted['invoice_number'] ?? null, + $extracted['invoice_date'] ?? null, + $extracted['invoice_type'] ?? 'cash', + $extracted['invoice_category'] ?? 'simplified', + // Encrypt sensitive details + \App\Core\Encryption::encrypt($extracted['supplier_tin'] ?? ''), + \App\Core\Encryption::encrypt($extracted['supplier_name'] ?? ''), + \App\Core\Encryption::encrypt($extracted['supplier_address'] ?? ''), + \App\Core\Encryption::encrypt($extracted['buyer_tin'] ?? ''), + \App\Core\Encryption::encrypt($extracted['buyer_name'] ?? ''), + \App\Core\Encryption::encrypt($extracted['buyer_national_id'] ?? ''), + $extracted['subtotal'] ?? 0, + $extracted['tax_amount'] ?? 0, + $extracted['discount_total'] ?? 0, + $extracted['grand_total'] ?? 0, + $extracted['currency'] ?? 'JOD' + ]); + + $invoiceId = $db->lastInsertId(); + + // Save Line Items (No encryption for lines for now, usually not sensitive but can be) + if (!empty($extracted['items'])) { + $lineStmt = $db->prepare(" + INSERT INTO invoice_lines (invoice_id, description, quantity, unit_price, tax_amount, total) + VALUES (?, ?, ?, ?, ?, ?) + "); + foreach ($extracted['items'] as $item) { + $lineStmt->execute([ + $invoiceId, + $item['description'] ?? 'N/A', + $item['quantity'] ?? 1, + $item['unit_price'] ?? 0, + $item['tax_amount'] ?? 0, + $item['total'] ?? 0 + ]); + } + } + + $db->commit(); + json_success(['id' => $invoiceId], 'تم رفع الفاتورة واستخراج البيانات بنجاح'); + + } catch (\Exception $e) { + $db->rollBack(); + error_log("DB Error during invoice save: " . $e->getMessage()); + json_error('حدث خطأ أثناء حفظ بيانات الفاتورة', 500); + } } else { json_error('Failed to save uploaded file', 500); } diff --git a/app/modules_app/users/create.php b/app/modules_app/users/create.php index e973b1b..7bca1ee 100644 --- a/app/modules_app/users/create.php +++ b/app/modules_app/users/create.php @@ -19,7 +19,7 @@ $data = input(); // 1. Role Authorization check (Prevent Role Escalation) $allowedRoles = match($decoded['role']) { 'super_admin' => ['super_admin', 'admin', 'accountant', 'employee', 'viewer'], - 'admin' => ['accountant', 'employee', 'viewer'], + 'admin' => ['accountant', 'employee', 'viewer'], // Cannot create other admins default => [] }; diff --git a/app/modules_app/users/delete.php b/app/modules_app/users/delete.php new file mode 100644 index 0000000..871dc8d --- /dev/null +++ b/app/modules_app/users/delete.php @@ -0,0 +1,55 @@ +prepare("SELECT * FROM users WHERE id = ?"); +$stmt->execute([$targetUserId]); +$targetUser = $stmt->fetch(); + +if (!$targetUser) { + json_error('المستخدم غير موجود', 404); +} + +// 4. Role-based Authorization +if ($currentUserRole === 'super_admin') { + // Super Admin can delete anyone except themselves +} elseif ($currentUserRole === 'admin') { + // Admin can only delete users in THEIR tenant + if ($targetUser['tenant_id'] !== $decoded['tenant_id']) { + json_error('ليس لديك صلاحية لحذف هذا المستخدم', 403); + } + // Admin cannot delete other admins (only super_admin can) + if ($targetUser['role'] === 'admin' || $targetUser['role'] === 'super_admin') { + json_error('لا يمكنك حذف مدير آخر. فقط السوبر أدمن يمكنه ذلك.', 403); + } +} else { + json_error('غير مصرح لك بحذف المستخدمين', 403); +} + +// 5. Perform Soft Delete +$stmt = $db->prepare("UPDATE users SET deleted_at = NOW(), is_active = 0 WHERE id = ?"); +$stmt->execute([$targetUserId]); + +json_success(null, 'تم حذف المستخدم بنجاح'); diff --git a/public/index.php b/public/index.php index 59b55d6..6984dff 100644 --- a/public/index.php +++ b/public/index.php @@ -21,6 +21,7 @@ $routes = [ 'v1/auth/logout' => ['POST', 'auth/logout.php'], 'v1/users' => ['GET', 'users/index.php'], 'v1/users/create' => ['POST', 'users/create.php'], + 'v1/users/delete' => ['POST', 'users/delete.php'], 'v1/companies' => ['GET', 'companies/index.php'], 'v1/companies/create' => ['POST', 'companies/create.php'], 'v1/invoices/upload' => ['POST', 'invoices/upload.php'], diff --git a/scripts/schema.sql b/scripts/schema.sql index 3252c72..af0eb90 100644 --- a/scripts/schema.sql +++ b/scripts/schema.sql @@ -107,6 +107,7 @@ CREATE TABLE invoices ( grand_total DECIMAL(15,3) DEFAULT 0, currency_code CHAR(3) DEFAULT 'JOD', status ENUM('uploaded','extracting','extracted','validated','validation_failed','submitting','approved','rejected') DEFAULT 'uploaded', + uploaded_by CHAR(36) NULL, original_file_path TEXT NULL, invoice_category VARCHAR(20) DEFAULT 'simplified', validation_errors JSON NULL,