Update: 2026-05-07 01:18:53

2026-05-07 01:18:53 +03:00
parent 8a935dc362
commit f206591c01
3 changed files with 29 additions and 15 deletions
--- a/app/modules_app/batches/create.php
+++ b/app/modules_app/batches/create.php
@@ -36,16 +36,25 @@ $expectedImages = (int)($data['expected_images'] ?? 0);
 // 2. Permission check
 $db = Database::getInstance();
-$stmt = $db->prepare("SELECT id FROM companies WHERE id = ? AND tenant_id = ? AND deleted_at IS NULL");
+$stmt = $db->prepare("SELECT id, tenant_id FROM companies WHERE id = ? AND deleted_at IS NULL");
-$stmt->execute([$companyId, $tenantId]);
+$stmt->execute([$companyId]);
 $company = $stmt->fetch();
-if (!$stmt->fetch()) {
+if (!$company) {
    json_error('الشركة غير موجودة', 404);
 }
 // Check tenant match if not super_admin
 if ($decoded['role'] !== 'super_admin' && $company['tenant_id'] !== $tenantId) {
    json_error('الوصول مرفوض لهذه الشركة', 403);
 }
 // Use the actual tenant of the company
 $targetTenantId = $company['tenant_id'];
 // 3. Check quota (preview — don't increment yet)
 try {
-    QuotaMiddleware::checkInvoiceQuota($tenantId);
+    QuotaMiddleware::checkInvoiceQuota($targetTenantId);
 } catch (\Exception $e) {
    json_error('تم استنفاد رصيد الفواتير لهذا الشهر. قم بترقية باقتك.', 429);
 }
@@ -58,10 +67,10 @@ $stmt = $db->prepare("
    INSERT INTO invoice_batches (id, tenant_id, company_id, uploaded_by, total_images, source, status)
    VALUES (?, ?, ?, ?, ?, ?, 'uploading')
 ");
-$stmt->execute([$batchId, $tenantId, $companyId, $userId, $expectedImages, $source]);
+$stmt->execute([$batchId, $targetTenantId, $companyId, $userId, $expectedImages, $source]);
 // 6. Create upload directory
-$uploadDir = STORAGE_PATH . '/invoices/' . $tenantId . '/' . $companyId . '/batches/' . $batchId;
+$uploadDir = STORAGE_PATH . '/invoices/' . $targetTenantId . '/' . $companyId . '/batches/' . $batchId;
 if (!is_dir($uploadDir)) {
    mkdir($uploadDir, 0755, true);
 }
--- a/app/modules_app/batches/finalize.php
+++ b/app/modules_app/batches/finalize.php
@@ -28,17 +28,19 @@ $db = Database::getInstance();
 // 1. Verify batch
 $stmt = $db->prepare("
-    SELECT id, status, total_images 
+    SELECT id, tenant_id, status, total_images 
    FROM invoice_batches 
-    WHERE id = ? AND tenant_id = ? AND uploaded_by = ?
+    WHERE id = ? AND uploaded_by = ?
 ");
-$stmt->execute([$batchId, $tenantId, $userId]);
+$stmt->execute([$batchId, $userId]);
 $batch = $stmt->fetch();
-if (!$batch) {
+if (!$batch || ($decoded['role'] !== 'super_admin' && $batch['tenant_id'] !== $tenantId)) {
    json_error('الدفعة غير موجودة', 404);
 }
 if ($batch['status'] !== 'uploading') {
    json_error('تم إنهاء هذه الدفعة مسبقاً', 400);
 }
--- a/app/modules_app/batches/upload_image.php
+++ b/app/modules_app/batches/upload_image.php
@@ -28,20 +28,23 @@ if (!$batchId || !isset($_FILES['image']) || $_FILES['image']['error'] !== UPLOA
    json_error("معرّف الدفعة وصورة الفاتورة مطلوبان (كود: {$uploadError})", 422);
 }
-// 2. Verify batch belongs to this tenant and is still uploading
+// 2. Verify batch belongs to this user and tenant
 $db = Database::getInstance();
 $stmt = $db->prepare("
-    SELECT id, company_id, status, total_images 
+    SELECT id, tenant_id, company_id, status, total_images 
    FROM invoice_batches 
-    WHERE id = ? AND tenant_id = ? AND uploaded_by = ?
+    WHERE id = ? AND uploaded_by = ?
 ");
-$stmt->execute([$batchId, $tenantId, $userId]);
+$stmt->execute([$batchId, $userId]);
 $batch = $stmt->fetch();
-if (!$batch) {
+if (!$batch || ($decoded['role'] !== 'super_admin' && $batch['tenant_id'] !== $tenantId)) {
    json_error('الدفعة غير موجودة أو ليس لديك صلاحية', 404);
 }
 // Override tenantId with the actual batch's tenantId
 $tenantId = $batch['tenant_id'];
 if ($batch['status'] !== 'uploading') {
    json_error('لا يمكن إضافة صور لدفعة تمت معالجتها', 400);
 }