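prepare("SELECT tenant_id, original_file_path FROM invoices WHERE id = ?");
// NOTE(review): the start of the statement above, and whatever populates $id and
// $decoded, lie outside this excerpt. This block assumes $decoded holds claims
// from a token whose signature and expiry were already verified - confirm.

// Look up the invoice by id; the id is bound as a parameter, never interpolated.
$stmt->execute([$id]);
$invoice = $stmt->fetch();
if (!$invoice) {
    // Signal the failure in the status line too, so clients and caches do not
    // treat the error text as a successful download.
    http_response_code(404);
    die('Not found');
}

// Authorization: a super_admin may read any tenant's invoice; everyone else
// only invoices of their own tenant. Missing claims are read as null and the
// request is denied, so a token without a tenant_id can never match an
// invoice row whose tenant_id is NULL.
// NOTE(review): the comparison is strict. If the database driver returns
// tenant_id as a string while the token carries an integer, every tenant
// request is refused (fails closed) - confirm both sides use the same type.
// NOTE(review): 'Not found' and 'Unauthorized' are distinguishable, which tells
// a caller whether an invoice id exists in another tenant; consider returning
// the same response for both cases.
$isSuperAdmin = ($decoded['role'] ?? null) === 'super_admin';
$callerTenant = $decoded['tenant_id'] ?? null;
if (!$isSuperAdmin && ($callerTenant === null || $invoice['tenant_id'] !== $callerTenant)) {
    http_response_code(403);
    die('Unauthorized');
}

// The path comes straight from the invoices row.
// NOTE(review): if original_file_path can be influenced by the uploader (for
// example derived from a client-supplied filename), verify at write time that
// it resolves inside the intended storage directory.
$filePath = $invoice['original_file_path'];

// is_file() rather than file_exists(): a directory or other non-regular path
// must not reach readfile().
if (!is_string($filePath) || !is_file($filePath) || !is_readable($filePath)) {
    http_response_code(404);
    die('File missing');
}

// mime_content_type() returns false when detection fails; fall back to a
// generic binary type instead of emitting an empty Content-Type header.
$mime = mime_content_type($filePath);
if ($mime === false) {
    $mime = 'application/octet-stream';
}

// The detected type reflects the stored file's content. Only types a browser
// displays without executing script in this origin are rendered inline;
// anything else (HTML, SVG, XML, ...) is delivered as a download.
// Adjust this list to the formats the application actually accepts.
$inlineSafeTypes = ['application/pdf', 'image/png', 'image/jpeg', 'image/gif', 'image/webp'];

header("Content-Type: $mime");
// Stop the browser from second-guessing the declared type.
header('X-Content-Type-Options: nosniff');
if (!in_array($mime, $inlineSafeTypes, true)) {
    header('Content-Disposition: attachment');
}

// filesize() can return false; omit Content-Length rather than send an empty value.
$size = filesize($filePath);
if ($size !== false) {
    header("Content-Length: " . $size);
}

readfile($filePath);
exit;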