46 lines
1.1 KiB
PHP
46 lines
1.1 KiB
PHP
<?php
|
|
/**
|
|
* Secure File Proxy for Invoices
|
|
*/
|
|
|
|
use App\Core\Database;
|
|
use App\Middleware\AuthMiddleware;
|
|
|
|
$decoded = AuthMiddleware::check();
|
|
$db = Database::getInstance();
|
|
|
|
$id = input('id');
|
|
if (!$id) die('Forbidden');
|
|
|
|
$stmt = $db->prepare("SELECT tenant_id, original_file_path FROM invoices WHERE id = ?");
|
|
$stmt->execute([$id]);
|
|
$invoice = $stmt->fetch();
|
|
|
|
if (!$invoice) die('Not found');
|
|
|
|
// Authorization
|
|
if ($decoded['role'] !== 'super_admin' && $invoice['tenant_id'] !== $decoded['tenant_id']) {
|
|
die('Unauthorized');
|
|
}
|
|
|
|
$filePath = $invoice['original_file_path'];
|
|
|
|
if (!file_exists($filePath)) {
|
|
error_log("FILE PROXY ERROR: File not found at " . $filePath);
|
|
header("HTTP/1.0 404 Not Found");
|
|
exit('File missing');
|
|
}
|
|
|
|
if (!is_readable($filePath)) {
|
|
error_log("FILE PROXY ERROR: File not readable at " . $filePath);
|
|
header("HTTP/1.0 403 Forbidden");
|
|
exit('Permission denied');
|
|
}
|
|
|
|
$mime = mime_content_type($filePath);
|
|
header("Content-Type: $mime");
|
|
header("Content-Length: " . filesize($filePath));
|
|
header("Cache-Control: public, max-age=3600"); // Add caching for speed
|
|
readfile($filePath);
|
|
exit;
|