diff --git a/app/modules_app/batches/create.php b/app/modules_app/batches/create.php index 50879cd..fae4831 100644 --- a/app/modules_app/batches/create.php +++ b/app/modules_app/batches/create.php @@ -36,16 +36,25 @@ $expectedImages = (int)($data['expected_images'] ?? 0); // 2. Permission check $db = Database::getInstance(); -$stmt = $db->prepare("SELECT id FROM companies WHERE id = ? AND tenant_id = ? AND deleted_at IS NULL"); -$stmt->execute([$companyId, $tenantId]); +$stmt = $db->prepare("SELECT id, tenant_id FROM companies WHERE id = ? AND deleted_at IS NULL"); +$stmt->execute([$companyId]); +$company = $stmt->fetch(); -if (!$stmt->fetch()) { +if (!$company) { + json_error('الشركة غير موجودة', 404); +} + +// Check tenant match if not super_admin +if ($decoded['role'] !== 'super_admin' && $company['tenant_id'] !== $tenantId) { json_error('الوصول مرفوض لهذه الشركة', 403); } +// Use the actual tenant of the company +$targetTenantId = $company['tenant_id']; + // 3. Check quota (preview — don't increment yet) try { - QuotaMiddleware::checkInvoiceQuota($tenantId); + QuotaMiddleware::checkInvoiceQuota($targetTenantId); } catch (\Exception $e) { json_error('تم استنفاد رصيد الفواتير لهذا الشهر. قم بترقية باقتك.', 429); } @@ -58,10 +67,10 @@ $stmt = $db->prepare(" INSERT INTO invoice_batches (id, tenant_id, company_id, uploaded_by, total_images, source, status) VALUES (?, ?, ?, ?, ?, ?, 'uploading') "); -$stmt->execute([$batchId, $tenantId, $companyId, $userId, $expectedImages, $source]); +$stmt->execute([$batchId, $targetTenantId, $companyId, $userId, $expectedImages, $source]); // 6. Create upload directory -$uploadDir = STORAGE_PATH . '/invoices/' . $tenantId . '/' . $companyId . '/batches/' . $batchId; +$uploadDir = STORAGE_PATH . '/invoices/' . $targetTenantId . '/' . $companyId . '/batches/' . $batchId; if (!is_dir($uploadDir)) { mkdir($uploadDir, 0755, true); } 
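Review bot: Dropping `tenant_id` from the companies lookup turns this endpoint into a cross-tenant existence oracle: a caller from tenant B now gets 404 for a company id that does not exist but 403 for one that exists in tenant A, whereas the removed code answered both cases with the same 403. Unless super_admin specifically needs the distinction, collapse the two checks into one fail-closed branch, `if (!$company || ($decoded['role'] !== 'super_admin' && (int)$company['tenant_id'] !== (int)$tenantId)) { json_error('الوصول مرفوض لهذه الشركة', 403); }`. The casts matter because `!==` between the fetched `tenant_id` (returned as a string by some PDO drivers/emulated prepares) and a `$tenantId` that may be decoded from the token as an int would deny every non-super_admin caller; both values are produced outside this hunk, so confirm their types before relying on strict comparison. `$decoded` and `$tenantId` are defined earlier in the script, outside the hunk.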
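Review bot: The rebuilt `$uploadDir` line now takes its tenant segment from the database row, but the `$companyId` segment is still the request value, whose validation (if any) is outside this hunk; since the first hunk already selects `id`, take that segment from the row as well, `$uploadDir = STORAGE_PATH . '/invoices/' . $targetTenantId . '/' . $company['id'] . '/batches/' . $batchId;`, so a non-integer id that a loose string-to-number SQL comparison happened to match cannot carry `/..` into the filesystem path. Separately, the unchanged `mkdir($uploadDir, 0755, true)` result is ignored while the batch row has already been inserted in `uploading` state, so a failed mkdir leaves an orphan batch that every later upload will fail against; check the result and return a 500 through `json_error`, or create the directory before the INSERT. Whether `$companyId` is cast to int earlier in the file cannot be seen from here. The script continues outside the hunk.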
diff --git a/app/modules_app/batches/finalize.php b/app/modules_app/batches/finalize.php index 7e2028e..996e4c8 100644 --- a/app/modules_app/batches/finalize.php +++ b/app/modules_app/batches/finalize.php @@ -28,17 +28,19 @@ $db = Database::getInstance(); // 1. Verify batch $stmt = $db->prepare(" - SELECT id, status, total_images + SELECT id, tenant_id, status, total_images FROM invoice_batches - WHERE id = ? AND tenant_id = ? AND uploaded_by = ? + WHERE id = ? AND uploaded_by = ? "); -$stmt->execute([$batchId, $tenantId, $userId]); +$stmt->execute([$batchId, $userId]); $batch = $stmt->fetch(); -if (!$batch) { +if (!$batch || ($decoded['role'] !== 'super_admin' && $batch['tenant_id'] !== $tenantId)) { json_error('الدفعة غير موجودة', 404); } + + if ($batch['status'] !== 'uploading') { json_error('تم إنهاء هذه الدفعة مسبقاً', 400); } diff --git a/app/modules_app/batches/upload_image.php b/app/modules_app/batches/upload_image.php index 88895ce..b116815 100644 --- a/app/modules_app/batches/upload_image.php +++ b/app/modules_app/batches/upload_image.php 
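Review bot: Unlike upload_image.php in the same commit, this hunk fetches `tenant_id` but never reassigns `$tenantId` to `$batch['tenant_id']` — the two blank lines added after the guard look like where that line was meant to go. For a super_admin finalizing a batch that belongs to another tenant, any later use of `$tenantId` in finalize.php (storage path, quota increment, invoice rows — all outside this hunk) would be attributed to the admin's own tenant while the batch row carries the target tenant. Put `$tenantId = $batch['tenant_id'];` in place of the blank lines, mirroring upload_image.php, and compare with matching types, `(int)$batch['tenant_id'] !== (int)$tenantId`, since `!==` between a driver-returned string and an int token claim would fail closed for every regular user. The script continues outside the hunk.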
@@ -28,20 +28,23 @@ if (!$batchId || !isset($_FILES['image']) || $_FILES['image']['error'] !== UPLOA json_error("معرّف الدفعة وصورة الفاتورة مطلوبان (كود: {$uploadError})", 422); } -// 2. Verify batch belongs to this tenant and is still uploading +// 2. Verify batch belongs to this user and tenant $db = Database::getInstance(); $stmt = $db->prepare(" - SELECT id, company_id, status, total_images + SELECT id, tenant_id, company_id, status, total_images FROM invoice_batches - WHERE id = ? AND tenant_id = ? AND uploaded_by = ? + WHERE id = ? AND uploaded_by = ? "); -$stmt->execute([$batchId, $tenantId, $userId]); +$stmt->execute([$batchId, $userId]); $batch = $stmt->fetch(); -if (!$batch) { +if (!$batch || ($decoded['role'] !== 'super_admin' && $batch['tenant_id'] !== $tenantId)) { json_error('الدفعة غير موجودة أو ليس لديك صلاحية', 404); } +// Override tenantId with the actual batch's tenantId +$tenantId = $batch['tenant_id']; + if ($batch['status'] !== 'uploading') { json_error('لا يمكن إضافة صور لدفعة تمت معالجتها', 400); }
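Review bot: The super_admin/tenant gate on the `if (!$batch || ...)` line is now the third verbatim copy of the same expression in this commit (create.php, finalize.php, here), and each copy must independently get the typing of `$decoded['role']` and the fetched `tenant_id` right; lift it into one helper, e.g. `function tenantAccessAllowed(array $decoded, $callerTenantId, $rowTenantId): bool { return ($decoded['role'] ?? '') === 'super_admin' || (int)$rowTenantId === (int)$callerTenantId; }`, and call it from all three endpoints so a future fix lands in one place. Reassigning `$tenantId` in place also makes the same variable mean "caller's tenant" above the guard and "batch's tenant" below it; a comment at the reassignment such as `// From here on $tenantId is the batch's tenant (may differ from the caller's for super_admin)`, or a distinct name like create.php's `$targetTenantId`, would keep that readable. `$decoded`, `$userId` and the rest of the handler are outside the hunk.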