Update: 2026-05-07 01:18:53

app/modules_app/batches/create.php

@@ -36,16 +36,25 @@ $expectedImages = (int)($data['expected_images'] ?? 0);
 
 // 2. Permission check
 $db = Database::getInstance();
-$stmt = $db->prepare("SELECT id FROM companies WHERE id = ? AND tenant_id = ? AND deleted_at IS NULL");
-$stmt->execute([$companyId, $tenantId]);
+$stmt = $db->prepare("SELECT id, tenant_id FROM companies WHERE id = ? AND deleted_at IS NULL");
+$stmt->execute([$companyId]);
+$company = $stmt->fetch();
 
-if (!$stmt->fetch()) {
+if (!$company) {
+    json_error('الشركة غير موجودة', 404);
+}
+
+// Check tenant match if not super_admin
+if ($decoded['role'] !== 'super_admin' && $company['tenant_id'] !== $tenantId) {
     json_error('الوصول مرفوض لهذه الشركة', 403);
 }
 
+// Use the actual tenant of the company
+$targetTenantId = $company['tenant_id'];
+
 // 3. Check quota (preview — don't increment yet)
 try {
-    QuotaMiddleware::checkInvoiceQuota($tenantId);
+    QuotaMiddleware::checkInvoiceQuota($targetTenantId);
 } catch (\Exception $e) {
     json_error('تم استنفاد رصيد الفواتير لهذا الشهر. قم بترقية باقتك.', 429);
 }
@@ -58,10 +67,10 @@ $stmt = $db->prepare("
     INSERT INTO invoice_batches (id, tenant_id, company_id, uploaded_by, total_images, source, status)
     VALUES (?, ?, ?, ?, ?, ?, 'uploading')
 ");
-$stmt->execute([$batchId, $tenantId, $companyId, $userId, $expectedImages, $source]);
+$stmt->execute([$batchId, $targetTenantId, $companyId, $userId, $expectedImages, $source]);
 
 // 6. Create upload directory
-$uploadDir = STORAGE_PATH . '/invoices/' . $tenantId . '/' . $companyId . '/batches/' . $batchId;
+$uploadDir = STORAGE_PATH . '/invoices/' . $targetTenantId . '/' . $companyId . '/batches/' . $batchId;
 if (!is_dir($uploadDir)) {
     mkdir($uploadDir, 0755, true);
 }

app/modules_app/batches/finalize.php

@@ -28,17 +28,19 @@ $db = Database::getInstance();
 
 // 1. Verify batch
 $stmt = $db->prepare("
-    SELECT id, status, total_images 
+    SELECT id, tenant_id, status, total_images 
     FROM invoice_batches 
-    WHERE id = ? AND tenant_id = ? AND uploaded_by = ?
+    WHERE id = ? AND uploaded_by = ?
 ");
-$stmt->execute([$batchId, $tenantId, $userId]);
+$stmt->execute([$batchId, $userId]);
 $batch = $stmt->fetch();
 
-if (!$batch) {
+if (!$batch || ($decoded['role'] !== 'super_admin' && $batch['tenant_id'] !== $tenantId)) {
     json_error('الدفعة غير موجودة', 404);
 }
 
+
+
 if ($batch['status'] !== 'uploading') {
     json_error('تم إنهاء هذه الدفعة مسبقاً', 400);
 }

app/modules_app/batches/upload_image.php

@@ -28,20 +28,23 @@ if (!$batchId || !isset($_FILES['image']) || $_FILES['image']['error'] !== UPLOA
     json_error("معرّف الدفعة وصورة الفاتورة مطلوبان (كود: {$uploadError})", 422);
 }
 
-// 2. Verify batch belongs to this tenant and is still uploading
+// 2. Verify batch belongs to this user and tenant
 $db = Database::getInstance();
 $stmt = $db->prepare("
-    SELECT id, company_id, status, total_images 
+    SELECT id, tenant_id, company_id, status, total_images 
     FROM invoice_batches 
-    WHERE id = ? AND tenant_id = ? AND uploaded_by = ?
+    WHERE id = ? AND uploaded_by = ?
 ");
-$stmt->execute([$batchId, $tenantId, $userId]);
+$stmt->execute([$batchId, $userId]);
 $batch = $stmt->fetch();
 
-if (!$batch) {
+if (!$batch || ($decoded['role'] !== 'super_admin' && $batch['tenant_id'] !== $tenantId)) {
     json_error('الدفعة غير موجودة أو ليس لديك صلاحية', 404);
 }
 
+// Override tenantId with the actual batch's tenantId
+$tenantId = $batch['tenant_id'];
+
 if ($batch['status'] !== 'uploading') {
     json_error('لا يمكن إضافة صور لدفعة تمت معالجتها', 400);
 }