fix financial issues

This commit is contained in:
root
2026-06-01 02:08:27 -04:00
parent 090cb88573
commit 6444b61416
56 changed files with 4196 additions and 1824 deletions
+75 -3
View File
@@ -4,7 +4,6 @@ namespace App\Controllers\View;
use CodeIgniter\Controller;
use CodeIgniter\Exceptions\PageNotFoundException;
use Config\Database;
class FilesController extends Controller
{
@@ -22,7 +21,11 @@ class FilesController extends Controller
throw PageNotFoundException::forPageNotFound();
}
// 3) Build path under writable
$expense = $this->expenseRecordForFile($name);
if ($expense === null || !$this->canViewExpenseFile($expense)) {
return $this->response->setStatusCode(403, 'You are not allowed to access this file.');
}
$path = WRITEPATH . 'uploads/receipts/' . $name;
if (!is_file($path)) {
throw PageNotFoundException::forPageNotFound();
@@ -79,7 +82,11 @@ class FilesController extends Controller
throw \CodeIgniter\Exceptions\PageNotFoundException::forPageNotFound();
}
// 3) Build path under writable (REIMBURSEMENTS)
$reimbursement = $this->reimbursementRecordForFile($name);
if ($reimbursement === null || !$this->canViewReimbursementFile($reimbursement)) {
return $this->response->setStatusCode(403, 'You are not allowed to access this file.');
}
$path = WRITEPATH . 'uploads/reimbursements/' . $name;
if (!is_file($path)) {
throw \CodeIgniter\Exceptions\PageNotFoundException::forPageNotFound();
@@ -425,4 +432,69 @@ class FilesController extends Controller
return $draftSemester === '' || $currentSemester === '' || $draftSemester === $currentSemester;
}
private function expenseRecordForFile(string $name): ?array
{
return \Config\Database::connect()
->table('expenses')
->where('receipt_path', $name)
->get()
->getRowArray();
}
private function reimbursementRecordForFile(string $name): ?array
{
return \Config\Database::connect()
->table('reimbursements')
->where('receipt_path', $name)
->get()
->getRowArray();
}
private function canViewExpenseFile(array $expense): bool
{
if ($this->hasFinancialStaffAccess()) {
return true;
}
$userId = (int) (session()->get('user_id') ?? 0);
return $userId > 0 && in_array($userId, [
(int) ($expense['purchased_by'] ?? 0),
(int) ($expense['added_by'] ?? 0),
(int) ($expense['approved_by'] ?? 0),
], true);
}
private function canViewReimbursementFile(array $reimbursement): bool
{
if ($this->hasFinancialStaffAccess()) {
return true;
}
$userId = (int) (session()->get('user_id') ?? 0);
return $userId > 0 && in_array($userId, [
(int) ($reimbursement['reimbursed_to'] ?? 0),
(int) ($reimbursement['approved_by'] ?? 0),
(int) ($reimbursement['added_by'] ?? 0),
], true);
}
private function hasFinancialStaffAccess(): bool
{
$roles = array_map('strtolower', (array) (session()->get('roles') ?? []));
$activeRole = strtolower((string) (session()->get('role') ?? ''));
if ($activeRole !== '' && !in_array($activeRole, $roles, true)) {
$roles[] = $activeRole;
}
foreach (['administrator', 'administrative staff', 'principal', 'teacher', 'teacher_assistant'] as $role) {
if (in_array($role, $roles, true)) {
return true;
}
}
return false;
}
}