fix financial issues
This commit is contained in:
@@ -4,7 +4,6 @@ namespace App\Controllers\View;
|
||||
|
||||
use CodeIgniter\Controller;
|
||||
use CodeIgniter\Exceptions\PageNotFoundException;
|
||||
use Config\Database;
|
||||
|
||||
class FilesController extends Controller
|
||||
{
|
||||
@@ -22,7 +21,11 @@ class FilesController extends Controller
|
||||
throw PageNotFoundException::forPageNotFound();
|
||||
}
|
||||
|
||||
// 3) Build path under writable
|
||||
$expense = $this->expenseRecordForFile($name);
|
||||
if ($expense === null || !$this->canViewExpenseFile($expense)) {
|
||||
return $this->response->setStatusCode(403, 'You are not allowed to access this file.');
|
||||
}
|
||||
|
||||
$path = WRITEPATH . 'uploads/receipts/' . $name;
|
||||
if (!is_file($path)) {
|
||||
throw PageNotFoundException::forPageNotFound();
|
||||
@@ -79,7 +82,11 @@ class FilesController extends Controller
|
||||
throw \CodeIgniter\Exceptions\PageNotFoundException::forPageNotFound();
|
||||
}
|
||||
|
||||
// 3) Build path under writable (REIMBURSEMENTS)
|
||||
$reimbursement = $this->reimbursementRecordForFile($name);
|
||||
if ($reimbursement === null || !$this->canViewReimbursementFile($reimbursement)) {
|
||||
return $this->response->setStatusCode(403, 'You are not allowed to access this file.');
|
||||
}
|
||||
|
||||
$path = WRITEPATH . 'uploads/reimbursements/' . $name;
|
||||
if (!is_file($path)) {
|
||||
throw \CodeIgniter\Exceptions\PageNotFoundException::forPageNotFound();
|
||||
@@ -425,4 +432,69 @@ class FilesController extends Controller
|
||||
|
||||
return $draftSemester === '' || $currentSemester === '' || $draftSemester === $currentSemester;
|
||||
}
|
||||
|
||||
private function expenseRecordForFile(string $name): ?array
|
||||
{
|
||||
return \Config\Database::connect()
|
||||
->table('expenses')
|
||||
->where('receipt_path', $name)
|
||||
->get()
|
||||
->getRowArray();
|
||||
}
|
||||
|
||||
private function reimbursementRecordForFile(string $name): ?array
|
||||
{
|
||||
return \Config\Database::connect()
|
||||
->table('reimbursements')
|
||||
->where('receipt_path', $name)
|
||||
->get()
|
||||
->getRowArray();
|
||||
}
|
||||
|
||||
private function canViewExpenseFile(array $expense): bool
|
||||
{
|
||||
if ($this->hasFinancialStaffAccess()) {
|
||||
return true;
|
||||
}
|
||||
|
||||
$userId = (int) (session()->get('user_id') ?? 0);
|
||||
|
||||
return $userId > 0 && in_array($userId, [
|
||||
(int) ($expense['purchased_by'] ?? 0),
|
||||
(int) ($expense['added_by'] ?? 0),
|
||||
(int) ($expense['approved_by'] ?? 0),
|
||||
], true);
|
||||
}
|
||||
|
||||
private function canViewReimbursementFile(array $reimbursement): bool
|
||||
{
|
||||
if ($this->hasFinancialStaffAccess()) {
|
||||
return true;
|
||||
}
|
||||
|
||||
$userId = (int) (session()->get('user_id') ?? 0);
|
||||
|
||||
return $userId > 0 && in_array($userId, [
|
||||
(int) ($reimbursement['reimbursed_to'] ?? 0),
|
||||
(int) ($reimbursement['approved_by'] ?? 0),
|
||||
(int) ($reimbursement['added_by'] ?? 0),
|
||||
], true);
|
||||
}
|
||||
|
||||
private function hasFinancialStaffAccess(): bool
|
||||
{
|
||||
$roles = array_map('strtolower', (array) (session()->get('roles') ?? []));
|
||||
$activeRole = strtolower((string) (session()->get('role') ?? ''));
|
||||
if ($activeRole !== '' && !in_array($activeRole, $roles, true)) {
|
||||
$roles[] = $activeRole;
|
||||
}
|
||||
|
||||
foreach (['administrator', 'administrative staff', 'principal', 'teacher', 'teacher_assistant'] as $role) {
|
||||
if (in_array($role, $roles, true)) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user