API: Add Invoice Items read endpoint

2026-04-18 02:25:40 +00:00 · 2026-04-11 13:32:50 -04:00
parent c1bb1694a0
commit 830f40edee
1 changed files with 71 additions and 0 deletions
--- a/api/v1/invoice_items/read.php
+++ b/api/v1/invoice_items/read.php
@@ -0,0 +1,71 @@
+<?php
+
+/*
+ * API - Invoice Items - Read
+ * GET /api/v1/invoice_items/read.php
+ *
+ * Returns line items belonging to invoices scoped to the API key's client.
+ *
+ * Parameters (GET):
+ *   api_key        required  - Your API key
+ *   invoice_id     optional  - Return items for a single invoice
+ *   item_id        optional  - Return a single line item by its own ID
+ *   limit          optional  - Max rows to return (default 50)
+ *   offset         optional  - Offset for pagination (default 0)
+ *
+ * Security:
+ *   - invoice_items are always joined to invoices so that invoice_client_id
+ *     is checked against the API key's client scope. A scoped key can never
+ *     read items belonging to another client, even when item_id is supplied
+ *     directly.
+ *   - $client_id is set to "%" by validate_api_key.php for All-Clients keys,
+ *     which causes the LIKE to match every client — consistent with other
+ *     endpoints in this API.
+ */
+
+require_once '../validate_api_key.php';
+
+require_once '../require_get_method.php';
+
+
+if (isset($_GET['item_id'])) {
+    // Single line item by item_id — still JOIN to invoices to enforce client scope
+    $item_id = intval($_GET['item_id']);
+
+    $sql = mysqli_query($mysqli,
+        "SELECT ii.*
+         FROM invoice_items ii
+         INNER JOIN invoices i ON i.invoice_id = ii.item_invoice_id
+         WHERE ii.item_id = '$item_id'
+           AND i.invoice_client_id LIKE '$client_id'
+         LIMIT 1"
+    );
+
+} elseif (isset($_GET['invoice_id'])) {
+    // All items on a specific invoice
+    $invoice_id = intval($_GET['invoice_id']);
+
+    $sql = mysqli_query($mysqli,
+        "SELECT ii.*
+         FROM invoice_items ii
+         INNER JOIN invoices i ON i.invoice_id = ii.item_invoice_id
+         WHERE ii.item_invoice_id = '$invoice_id'
+           AND i.invoice_client_id LIKE '$client_id'
+         ORDER BY ii.item_order ASC, ii.item_id ASC
+         LIMIT $limit OFFSET $offset"
+    );
+
+} else {
+    // All items across all invoices in scope (paginated)
+    $sql = mysqli_query($mysqli,
+        "SELECT ii.*
+         FROM invoice_items ii
+         INNER JOIN invoices i ON i.invoice_id = ii.item_invoice_id
+         WHERE i.invoice_client_id LIKE '$client_id'
+         ORDER BY ii.item_invoice_id ASC, ii.item_order ASC, ii.item_id ASC
+         LIMIT $limit OFFSET $offset"
+    );
+}
+
+// Output
+require_once "../read_output.php";