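query(" SELECT i.*, t.name as tenant_name, c.name as company_name FROM invoices i LEFT JOIN tenants t ON i.tenant_id = t.id LEFT JOIN companies c ON i.company_id = c.id ORDER BY i.created_at DESC ");
        // This branch has no WHERE clause, so it returns invoices for every tenant.
        // The role check that guards it sits above this excerpt.
    } elseif ($role === 'admin') {
        // Admin sees all invoices in THEIR tenant
        $stmt = $db->prepare(" SELECT i.*, c.name as company_name FROM invoices i LEFT JOIN companies c ON i.company_id = c.id WHERE i.tenant_id = ? ORDER BY i.created_at DESC ");
        $stmt->execute([$tenantId]);
    } else {
        // Accountant/Viewer: Filter by assigned companies
        $stmtUser = $db->prepare("SELECT company_id FROM user_company_assignments WHERE user_id = ? AND is_active = 1");
        $stmtUser->execute([$userId]);
        $assignedCompanyIds = $stmtUser->fetchAll(PDO::FETCH_COLUMN);

        // No assignments means no visible invoices.
        // NOTE(review): this relies on json_success() ending the request; if it
        // returns, the IN () list below is empty and the query fails. Confirm.
        if (empty($assignedCompanyIds)) {
            json_success([]);
        }

        // $placeholders holds only '?' marks, one per assigned id, so no
        // user-controlled text is interpolated into the SQL string.
        $placeholders = implode(',', array_fill(0, count($assignedCompanyIds), '?'));

        // NOTE(review): this branch scopes by company_id only, unlike the admin
        // branch which scopes by tenant_id. If an assignment row can reference a
        // company in another tenant, those invoices are returned too. Confirm
        // that assignments are tenant-bound, or add "AND i.tenant_id = ?" here.
        $stmt = $db->prepare(" SELECT i.*, c.name as company_name FROM invoices i LEFT JOIN companies c ON i.company_id = c.id WHERE i.company_id IN ($placeholders) ORDER BY i.created_at DESC ");
        $stmt->execute($assignedCompanyIds);
    }

    // NOTE(review): i.* sends every invoices column to every role. An explicit
    // column list would keep future sensitive columns out of this response.
    $invoices = $stmt->fetchAll();

    // 3. Decrypt sensitive fields for display (Robustly)
    // Falls back to the stored value (or '-' when it is null) whenever decrypt()
    // returns a falsy result.
    // NOTE(review): a failed decryption is indistinguishable from legacy
    // plaintext here, so raw ciphertext can reach the client. Confirm intent.
    $decrypt = fn($val) => Encryption::decrypt($val ?? '') ?: ($val ?? '-');

    foreach ($invoices as &$inv) {
        $inv['supplier_name'] = $decrypt($inv['supplier_name']);
        $inv['supplier_tin'] = $decrypt($inv['supplier_tin']);
        $inv['buyer_name'] = $decrypt($inv['buyer_name']);

        // Joined names are absent or NULL on some branches (LEFT JOIN).
        if (!empty($inv['company_name'])) {
            $inv['company_name'] = $decrypt($inv['company_name']);
        }
        if (!empty($inv['tenant_name'])) {
            $inv['tenant_name'] = $decrypt($inv['tenant_name']);
        }
    }
    // Break the by-reference binding so a later write to $inv cannot alter
    // the last row.
    unset($inv);

    json_success($invoices);
} catch (\Exception $e) {
    // Keep driver/SQL detail in the server log only. Exception text can expose
    // table and column names, so the client gets a generic message.
    error_log('Invoices list error: ' . $e->getMessage());
    json_error('Failed to load invoices', 500);
}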