Update: 2026-05-04 02:18:52

app/modules_app/invoices/file.php

@@ -0,0 +1,33 @@
+<?php
+/**
+ * Secure File Proxy for Invoices
+ */
+
+use App\Core\Database;
+use App\Middleware\AuthMiddleware;
+
+$decoded = AuthMiddleware::check();
+$db = Database::getInstance();
+
+$id = input('id');
+if (!$id) die('Forbidden');
+
+$stmt = $db->prepare("SELECT tenant_id, original_file_path FROM invoices WHERE id = ?");
+$stmt->execute([$id]);
+$invoice = $stmt->fetch();
+
+if (!$invoice) die('Not found');
+
+// Authorization
+if ($decoded['role'] !== 'super_admin' && $invoice['tenant_id'] !== $decoded['tenant_id']) {
+    die('Unauthorized');
+}
+
+$filePath = $invoice['original_file_path'];
+if (!file_exists($filePath)) die('File missing');
+
+$mime = mime_content_type($filePath);
+header("Content-Type: $mime");
+header("Content-Length: " . filesize($filePath));
+readfile($filePath);
+exit;