Merge remote-tracking branch 'origin/master'

svc/internal/authz/mssql.go

@@ -1,6 +1,7 @@
 package authz
 
 import (
+	"bssapp-backend/auth"
 	"context"
 	"fmt"
 	"strings"
@@ -10,23 +11,53 @@ func BuildMSSQLPiyasaFilter(
 	ctx context.Context,
 	column string,
 ) string {
+	claims, ok := auth.GetClaimsFromContext(ctx)
+	if ok && claims != nil && claims.IsAdmin() {
+		return "1=1"
+	}
 
 	codes := GetPiyasaCodesFromCtx(ctx)
 
 	if len(codes) == 0 {
-		return "1=1"
+		return "1=0"
 
 	}
+	return BuildMSSQLPiyasaFilterWithCodes(column, codes)
+}
 
-	var quoted []string
+func BuildMSSQLPiyasaFilterWithCodes(column string, codes []string) string {
+	normalizedCol := fmt.Sprintf("UPPER(LTRIM(RTRIM(%s)))", column)
+
+	exact := BuildINClause(normalizedCol, codes)
+	prefixCodes := first3Codes(codes)
+	if len(prefixCodes) == 0 {
+		return exact
+	}
+
+	prefix := BuildINClause(
+		fmt.Sprintf("LEFT(%s, 3)", normalizedCol),
+		prefixCodes,
+	)
+
+	return fmt.Sprintf("(%s OR %s)", exact, prefix)
+}
+
+func first3Codes(codes []string) []string {
+	seen := make(map[string]struct{}, len(codes))
+	out := make([]string, 0, len(codes))
 
 	for _, c := range codes {
-		quoted = append(quoted, "'"+c+"'")
+		n := strings.ToUpper(strings.TrimSpace(c))
+		if len(n) < 3 {
+			continue
+		}
+		n = n[:3]
+		if _, ok := seen[n]; ok {
+			continue
+		}
+		seen[n] = struct{}{}
+		out = append(out, n)
 	}
 
-	return fmt.Sprintf(
+	return out
-		"%s IN (%s)",
-		column,
-		strings.Join(quoted, ","),
-	)
 }

svc/internal/authz/piyasa_repo.go

@@ -3,6 +3,7 @@ package authz
 import (
 	"database/sql"
 	"fmt"
+	"strings"
 	"sync"
 )
 
@@ -35,10 +36,21 @@ func GetUserPiyasaCodes(pg *sql.DB, userID int) ([]string, error) {
 	// DB QUERY
 	// -----------------------------
 	rows, err := pg.Query(`
-		SELECT piyasa_code
+		WITH user_piyasa AS (
-		FROM dfusr_piyasa
+			SELECT TRIM(up.piyasa_code) AS raw_code
-		WHERE dfusr_id = $1
+			FROM dfusr_piyasa up
-		  AND is_allowed = true
+			WHERE up.dfusr_id = $1
+			  AND up.is_allowed = true
+		)
+		SELECT DISTINCT
+			COALESCE(p_code.code, p_title.code, u.raw_code) AS piyasa_code
+		FROM user_piyasa u
+		LEFT JOIN mk_sales_piy p_code
+		  ON UPPER(translate(TRIM(p_code.code),  'çğıöşüÇĞİÖŞÜ', 'CGIOSUCGIOSU'))
+		   = UPPER(translate(TRIM(u.raw_code),   'çğıöşüÇĞİÖŞÜ', 'CGIOSUCGIOSU'))
+		LEFT JOIN mk_sales_piy p_title
+		  ON UPPER(translate(TRIM(p_title.title),'çğıöşüÇĞİÖŞÜ', 'CGIOSUCGIOSU'))
+		   = UPPER(translate(TRIM(u.raw_code),   'çğıöşüÇĞİÖŞÜ', 'CGIOSUCGIOSU'))
 	`, userID)
 	if err != nil {
 		return nil, fmt.Errorf("pg piyasa query error: %w", err)
@@ -46,10 +58,18 @@ func GetUserPiyasaCodes(pg *sql.DB, userID int) ([]string, error) {
 	defer rows.Close()
 
 	var out []string
+	seen := make(map[string]struct{})
 	for rows.Next() {
 		var code string
 		if err := rows.Scan(&code); err == nil {
-			out = append(out, code)
+			code = strings.ToUpper(strings.TrimSpace(code))
+			if code != "" {
+				if _, ok := seen[code]; ok {
+					continue
+				}
+				seen[code] = struct{}{}
+				out = append(out, code)
+			}
 		}
 	}
 

svc/middlewares/authz_v2.go

@@ -537,9 +537,15 @@ func cachedPiyasaIntersectionAny(pg *sql.DB, c *ttlCache, userID, roleID int64,
 	err := pg.QueryRow(`
         SELECT 1
         FROM dfusr_piyasa up
+        LEFT JOIN mk_sales_piy p_code
+          ON UPPER(translate(TRIM(p_code.code),  'çğıöşüÇĞİÖŞÜ', 'CGIOSUCGIOSU'))
+           = UPPER(translate(TRIM(up.piyasa_code), 'çğıöşüÇĞİÖŞÜ', 'CGIOSUCGIOSU'))
+        LEFT JOIN mk_sales_piy p_title
+          ON UPPER(translate(TRIM(p_title.title), 'çğıöşüÇĞİÖŞÜ', 'CGIOSUCGIOSU'))
+           = UPPER(translate(TRIM(up.piyasa_code), 'çğıöşüÇĞİÖŞÜ', 'CGIOSUCGIOSU'))
         WHERE up.dfusr_id = $1
           AND up.is_allowed = true
-          AND up.piyasa_code = ANY($2)
+          AND UPPER(TRIM(COALESCE(p_code.code, p_title.code, up.piyasa_code))) = ANY($2)
         LIMIT 1
     `, userID, pqArray(piyasaCodes)).Scan(&dummy)
 
@@ -988,7 +994,23 @@ func AuthzGuardByRoute(pg *sql.DB) func(http.Handler) http.Handler {
 			}
 
 			// =====================================================
-			// 5️⃣ PASS
+			// 5️⃣ SCOPE CONTEXT ENRICH (for MSSQL piyasa filters)
+			// =====================================================
+			if !claims.IsAdmin() {
+				userPiy, err := authz.GetUserPiyasaCodes(pg, int(claims.ID))
+				if err != nil {
+					log.Printf("❌ AUTHZ: user piyasa resolve error user=%d err=%v", claims.ID, err)
+					http.Error(w, "forbidden", http.StatusForbidden)
+					return
+				}
+
+				if len(userPiy) > 0 {
+					r = r.WithContext(authz.WithPiyasaCodes(r.Context(), normalizeCodes(userPiy)))
+				}
+			}
+
+			// =====================================================
+			// 6️⃣ PASS
 			// =====================================================
 			next.ServeHTTP(w, r)
 		})

svc/queries/account.go

@@ -13,13 +13,48 @@ import (
 
 func GetAccounts(ctx context.Context) ([]models.Account, error) {
 
-	piyasaFilter := authz.BuildMSSQLPiyasaFilter(ctx, "f2.CustomerAtt01")
+	piyasaFilter := authz.BuildMSSQLPiyasaFilter(
+		ctx,
+		"CASE WHEN b.CurrAccTypeCode = 1 THEN vp.VendorAtt01 ELSE f2.CustomerAtt01 END",
+	)
 
 	if strings.TrimSpace(piyasaFilter) == "" {
 		piyasaFilter = "1=1"
 	}
 
 	query := fmt.Sprintf(`
+    ;WITH VendorPiyasa AS
+    (
+        SELECT
+            Cari8 = LEFT(P.CurrAccCode, 8),
+            VendorAtt01 = MAX(P.VendorAtt01)
+        FROM
+        (
+            SELECT
+                CurrAccTypeCode,
+                CurrAccCode,
+                VendorAtt01 = MAX(ISNULL([1], ''))
+            FROM
+            (
+                SELECT
+                    c.CurrAccTypeCode,
+                    c.CurrAccCode,
+                    a.AttributeTypeCode,
+                    a.AttributeCode
+                FROM cdCurrAcc c WITH (NOLOCK)
+                LEFT JOIN prCurrAccAttribute a WITH (NOLOCK)
+                    ON a.CurrAccTypeCode = c.CurrAccTypeCode
+                   AND a.CurrAccCode     = c.CurrAccCode
+                WHERE c.CurrAccTypeCode = 1
+            ) d
+            PIVOT
+            (
+                MAX(AttributeCode) FOR AttributeTypeCode IN ([1])
+            ) pvt
+            GROUP BY CurrAccTypeCode, CurrAccCode
+        ) P
+        GROUP BY LEFT(P.CurrAccCode, 8)
+    )
     SELECT
         x.AccountCode,
         MAX(x.AccountName) AS AccountName
@@ -29,10 +64,16 @@ func GetAccounts(ctx context.Context) ([]models.Account, error) {
             COALESCE(d.CurrAccDescription, '') AS AccountName
         FROM trCurrAccBook b
         LEFT JOIN cdCurrAccDesc d
-            ON d.CurrAccCode = b.CurrAccCode
+            ON d.CurrAccTypeCode = b.CurrAccTypeCode
-        JOIN CustomerAttributesFilter f2
+           AND d.CurrAccCode = b.CurrAccCode
-            ON f2.CurrAccCode = b.CurrAccCode
+           AND d.LangCode = 'TR'
-        WHERE %s
+        LEFT JOIN CustomerAttributesFilter f2
+            ON f2.CurrAccTypeCode = b.CurrAccTypeCode
+           AND f2.CurrAccCode = b.CurrAccCode
+        LEFT JOIN VendorPiyasa vp
+            ON vp.Cari8 = LEFT(b.CurrAccCode, 8)
+        WHERE b.CurrAccTypeCode IN (1,3)
+          AND %s
     ) x
     GROUP BY x.AccountCode
     ORDER BY x.AccountCode

svc/queries/customer_balance_list.go

@@ -314,7 +314,12 @@ ORDER BY F.MasterCari;
 }
 
 func loadBalanceLines(ctx context.Context, selectedDate, cariSearch string) ([]mkCariBakiyeLine, error) {
-	query := `
+	piyasaScope, err := buildPiyasaExistsForCariCode(ctx, "CariKodu")
+	if err != nil {
+		return nil, err
+	}
+
+	query := fmt.Sprintf(`
 	SELECT
 		CurrAccTypeCode,
 		CariKodu,
@@ -326,8 +331,9 @@ func loadBalanceLines(ctx context.Context, selectedDate, cariSearch string) ([]m
 		CAST(0 AS DECIMAL(18,4)) AS Vade_Gun,
 		CAST(0 AS DECIMAL(18,4)) AS Vade_BelgeTarihi_Gun
 	FROM dbo.MK_CARI_BAKIYE_LIST(@SonTarih)
-	WHERE (@CariSearch = '' OR CariKodu LIKE '%' + @CariSearch + '%')
+	WHERE (@CariSearch = '' OR CariKodu LIKE '%%' + @CariSearch + '%%')
-	`
+	  AND %s
+	`, piyasaScope)
 
 	rows, err := db.MssqlDB.QueryContext(ctx, query,
 		sql.Named("SonTarih", selectedDate),

svc/queries/piyasa_scope.go

@@ -0,0 +1,58 @@
+package queries
+
+import (
+	"bssapp-backend/auth"
+	"bssapp-backend/internal/authz"
+	"context"
+	"fmt"
+	"strings"
+)
+
+func resolvePiyasaScopeInClause(ctx context.Context, column string) (string, error) {
+	claims, ok := auth.GetClaimsFromContext(ctx)
+	if !ok || claims == nil {
+		return "", fmt.Errorf("unauthorized: claims not found")
+	}
+	if claims.IsAdmin() {
+		return "1=1", nil
+	}
+
+	rawCodes := authz.GetPiyasaCodesFromCtx(ctx)
+	codes := normalizePiyasaCodes(rawCodes)
+	if len(codes) == 0 {
+		return "1=0", nil
+	}
+	return authz.BuildMSSQLPiyasaFilterWithCodes(column, codes), nil
+}
+
+func buildPiyasaExistsForCariCode(ctx context.Context, cariCodeExpr string) (string, error) {
+	inClause, err := resolvePiyasaScopeInClause(ctx, "PF.CustomerAtt01")
+	if err != nil {
+		return "", err
+	}
+
+	return fmt.Sprintf(`
+EXISTS (
+	SELECT 1
+	FROM CustomerAttributesFilter PF WITH(NOLOCK)
+	WHERE (PF.CurrAccCode = %s OR LEFT(PF.CurrAccCode, 8) = LEFT(%s, 8))
+	  AND %s
+)`, cariCodeExpr, cariCodeExpr, inClause), nil
+}
+
+func normalizePiyasaCodes(codes []string) []string {
+	out := make([]string, 0, len(codes))
+	seen := make(map[string]struct{}, len(codes))
+	for _, c := range codes {
+		n := strings.ToUpper(strings.TrimSpace(c))
+		if n == "" {
+			continue
+		}
+		if _, ok := seen[n]; ok {
+			continue
+		}
+		seen[n] = struct{}{}
+		out = append(out, n)
+	}
+	return out
+}

svc/queries/statement_aging_balance_list.go

@@ -182,7 +182,12 @@ func GetStatementAgingBalanceList(ctx context.Context, params models.CustomerBal
 }
 
 func loadAgingBalanceLines(ctx context.Context, cariSearch string) ([]mkCariBakiyeLine, error) {
-	query := `
+	piyasaScope, err := buildPiyasaExistsForCariCode(ctx, "LTRIM(RTRIM(CariKodu))")
+	if err != nil {
+		return nil, err
+	}
+
+	query := fmt.Sprintf(`
 	SELECT
 		CurrAccTypeCode,
 		CariKodu = LTRIM(RTRIM(CariKodu)),
@@ -194,9 +199,10 @@ func loadAgingBalanceLines(ctx context.Context, cariSearch string) ([]mkCariBaki
 		Vade_Gun,
 		Vade_BelgeTarihi_Gun
 	FROM dbo.CARI_BAKIYE_GUN_CACHE
-	WHERE (@CariSearch = '' OR LTRIM(RTRIM(CariKodu)) LIKE '%' + @CariSearch + '%')
+	WHERE (@CariSearch = '' OR LTRIM(RTRIM(CariKodu)) LIKE '%%' + @CariSearch + '%%')
+	  AND %s
 	ORDER BY CariKodu, CariDoviz, PislemTipi
-	`
+	`, piyasaScope)
 
 	rows, err := db.MssqlDB.QueryContext(ctx, query, sql.Named("CariSearch", strings.TrimSpace(cariSearch)))
 	if err != nil {

svc/queries/statement_header.go

@@ -3,13 +3,14 @@ package queries
 import (
 	"bssapp-backend/db"
 	"bssapp-backend/models"
+	"context"
 	"database/sql"
 	"fmt"
 	"strings"
 )
 
 // Ana tabloyu getiren fonksiyon (Vue header tablosu için)
-func GetStatements(params models.StatementParams) ([]models.StatementHeader, error) {
+func GetStatements(ctx context.Context, params models.StatementParams) ([]models.StatementHeader, error) {
 
 	// AccountCode normalize: "ZLA0127" → "ZLA 0127"
 	params.AccountCode = normalizeMasterAccountCode(params.AccountCode)
@@ -33,6 +34,11 @@ func GetStatements(params models.StatementParams) ([]models.StatementHeader, err
 		}
 	}
 
+	piyasaScope, err := buildPiyasaExistsForCariCode(ctx, "b.CurrAccCode")
+	if err != nil {
+		return nil, err
+	}
+
 	query := fmt.Sprintf(`
 ;WITH CurrDesc AS (
     SELECT
@@ -58,6 +64,7 @@ HasMovement AS (
              AND f.ATAtt01 IN (%s)
             WHERE LEFT(REPLACE(b.CurrAccCode, ' ', ''), 7) = REPLACE(@Carikod, ' ', '')
               AND b.DocumentDate BETWEEN @startdate AND @enddate
+              AND %s
         ) THEN 1 ELSE 0 END AS HasMov
 ),
 
@@ -79,6 +86,7 @@ Opening AS (
       ON c.CurrAccBookID = b.CurrAccBookID
      AND c.CurrencyCode  = b.DocCurrencyCode
     WHERE LEFT(REPLACE(b.CurrAccCode, ' ', ''), 7) = REPLACE(@Carikod, ' ', '')
+      AND %s
       AND (
             (hm.HasMov = 1 AND b.DocumentDate <  @startdate)  -- hareket varsa: klasik devir
          OR (hm.HasMov = 0 AND b.DocumentDate <= @enddate)    -- hareket yoksa: enddate itibariyle bakiye
@@ -135,6 +143,7 @@ Movements AS (
      AND c.CurrencyCode  = b.DocCurrencyCode
 
     WHERE LEFT(REPLACE(b.CurrAccCode, ' ', ''), 7) = REPLACE(@Carikod, ' ', '')
+      AND %s
       AND b.DocumentDate BETWEEN @startdate AND @enddate
 )
 
@@ -201,12 +210,15 @@ ORDER BY
     Para_Birimi,
     Belge_Tarihi;
 `,
-		parislemFilter, // HasMovement
+		parislemFilter, // HasMovement ATAtt01
-		parislemFilter, // Opening
+		piyasaScope,    // HasMovement piyasa scope
-		parislemFilter, // Movements
+		parislemFilter, // Opening ATAtt01
+		piyasaScope,    // Opening piyasa scope
+		parislemFilter, // Movements ATAtt01
+		piyasaScope,    // Movements piyasa scope
 	)
 
-	rows, err := db.MssqlDB.Query(query,
+	rows, err := db.MssqlDB.QueryContext(ctx, query,
 		sql.Named("startdate", params.StartDate),
 		sql.Named("enddate", params.EndDate),
 		sql.Named("Carikod", params.AccountCode),

svc/queries/statement_header_pdf.go

@@ -2,11 +2,12 @@ package queries
 
 import (
 	"bssapp-backend/models"
+	"context"
 	"log"
 )
 
-func GetStatementsHPDF(accountCode, startDate, endDate string, parislemler []string) ([]models.StatementHeader, []string, error) {
+func GetStatementsHPDF(ctx context.Context, accountCode, startDate, endDate string, parislemler []string) ([]models.StatementHeader, []string, error) {
-	headers, err := getStatementsForPDF(accountCode, startDate, endDate, parislemler)
+	headers, err := getStatementsForPDF(ctx, accountCode, startDate, endDate, parislemler)
 	if err != nil {
 		log.Printf("Header query error: %v", err)
 		return nil, nil, err

svc/queries/statement_pdf_common.go

@@ -1,14 +1,18 @@
 package queries
 
-import "bssapp-backend/models"
+import (
+	"bssapp-backend/models"
+	"context"
+)
 
 func getStatementsForPDF(
+	ctx context.Context,
 	accountCode string,
 	startDate string,
 	endDate string,
 	parislemler []string,
 ) ([]models.StatementHeader, error) {
-	return GetStatements(models.StatementParams{
+	return GetStatements(ctx, models.StatementParams{
 		AccountCode: accountCode,
 		StartDate:   startDate,
 		EndDate:     endDate,

svc/queries/statements_detail.go

@@ -3,15 +3,14 @@ package queries
 import (
 	"bssapp-backend/db"
 	"bssapp-backend/models"
+	"context"
 	"database/sql"
 	"fmt"
 	"strings"
 )
 
-/* ============================ DETAIL (ALT TABLO) ============================ */
+// DETAIL (ALT TABLO)
-
+func GetStatementDetails(ctx context.Context, accountCode, startDate, endDate string, parislemler []string) ([]models.StatementDetail, error) {
-func GetStatementDetails(accountCode, startDate, endDate string, parislemler []string) ([]models.StatementDetail, error) {
-	// Parislemler filtresi hazırlanır (ör: 1,2,3)
 	inParislem := ""
 	if len(parislemler) > 0 {
 		pp := make([]string, len(parislemler))
@@ -20,87 +19,84 @@ func GetStatementDetails(accountCode, startDate, endDate string, parislemler []s
 		}
 		inParislem = strings.Join(pp, ",")
 	}
+
+	piyasaScope, err := buildPiyasaExistsForCariCode(ctx, "a.CurrAccCode")
+	if err != nil {
+		return nil, err
+	}
+
 	query := fmt.Sprintf(`
 SELECT
     CONVERT(varchar(10), a.InvoiceDate, 23) AS Belge_Tarihi,
     a.InvoiceNumber                         AS Belge_Ref_Numarasi,
-    COALESCE(MAX(AnaGrupDesc.AttributeDescription), '')   AS Urun_Ana_Grubu,
+    COALESCE(MAX(AnaGrupDesc.AttributeDescription), '') AS Urun_Ana_Grubu,
-    COALESCE(MAX(AltGrupDesc.AttributeDescription), '')   AS Urun_Alt_Grubu,
+    COALESCE(MAX(AltGrupDesc.AttributeDescription), '') AS Urun_Alt_Grubu,
-    COALESCE(MAX(GarsonDesc.AttributeDescription), '')    AS Yetiskin_Garson,
+    COALESCE(MAX(GarsonDesc.AttributeDescription), '')  AS Yetiskin_Garson,
-    COALESCE(MAX(FitDesc.AttributeDescription), '')       AS Fit,
+    COALESCE(MAX(FitDesc.AttributeDescription), '')     AS Fit,
-    COALESCE(MAX(KisaKarDesc.AttributeDescription), '')   AS Icerik,
+    COALESCE(MAX(KisaKarDesc.AttributeDescription), '') AS Icerik,
-    a.ItemCode       AS Urun_Kodu,
+    a.ItemCode  AS Urun_Kodu,
-    a.ColorCode      AS Urun_Rengi,
+    a.ColorCode AS Urun_Rengi,
     SUM(a.Qty1) AS Toplam_Adet,
-
+    CAST(SUM(a.Qty1 * ABS(a.Doc_Price)) / NULLIF(SUM(a.Qty1),0) AS numeric(18,4)) AS Doviz_Fiyat,
-CAST(
+    CAST(SUM(a.Qty1 * ABS(a.Doc_Price)) AS numeric(18,2)) AS Toplam_Tutar
-    SUM(a.Qty1 * ABS(a.Doc_Price)) 
-    / NULLIF(SUM(a.Qty1),0)
-AS numeric(18,4)) AS Doviz_Fiyat,
-
-CAST(
-    SUM(a.Qty1 * ABS(a.Doc_Price)) 
-AS numeric(18,2)) AS Toplam_Tutar
-
 FROM AllInvoicesWithAttributes a
 LEFT JOIN prItemAttribute AnaGrup
-    ON a.ItemCode = AnaGrup.ItemCode AND AnaGrup.AttributeTypeCode = 1
+  ON a.ItemCode = AnaGrup.ItemCode AND AnaGrup.AttributeTypeCode = 1
 LEFT JOIN cdItemAttributeDesc AnaGrupDesc
-    ON AnaGrup.AttributeTypeCode = AnaGrupDesc.AttributeTypeCode
+  ON AnaGrup.AttributeTypeCode = AnaGrupDesc.AttributeTypeCode
-   AND AnaGrup.AttributeCode     = AnaGrupDesc.AttributeCode
+ AND AnaGrup.AttributeCode     = AnaGrupDesc.AttributeCode
-   AND AnaGrup.ItemTypeCode      = AnaGrupDesc.ItemTypeCode
+ AND AnaGrup.ItemTypeCode      = AnaGrupDesc.ItemTypeCode
-
 LEFT JOIN prItemAttribute AltGrup
-    ON a.ItemCode = AltGrup.ItemCode AND AltGrup.AttributeTypeCode = 2
+  ON a.ItemCode = AltGrup.ItemCode AND AltGrup.AttributeTypeCode = 2
 LEFT JOIN cdItemAttributeDesc AltGrupDesc
-    ON AltGrup.AttributeTypeCode = AltGrupDesc.AttributeTypeCode
+  ON AltGrup.AttributeTypeCode = AltGrupDesc.AttributeTypeCode
-   AND AltGrup.AttributeCode     = AltGrupDesc.AttributeCode
+ AND AltGrup.AttributeCode     = AltGrupDesc.AttributeCode
-   AND AltGrup.ItemTypeCode      = AltGrupDesc.ItemTypeCode
+ AND AltGrup.ItemTypeCode      = AltGrupDesc.ItemTypeCode
-
 LEFT JOIN prItemAttribute Garson
-    ON a.ItemCode = Garson.ItemCode AND Garson.AttributeTypeCode = 44
+  ON a.ItemCode = Garson.ItemCode AND Garson.AttributeTypeCode = 44
 LEFT JOIN cdItemAttributeDesc GarsonDesc
-    ON Garson.AttributeTypeCode = GarsonDesc.AttributeTypeCode
+  ON Garson.AttributeTypeCode = GarsonDesc.AttributeTypeCode
-   AND Garson.AttributeCode     = GarsonDesc.AttributeCode
+ AND Garson.AttributeCode     = GarsonDesc.AttributeCode
-   AND Garson.ItemTypeCode      = GarsonDesc.ItemTypeCode
+ AND Garson.ItemTypeCode      = GarsonDesc.ItemTypeCode
-
 LEFT JOIN prItemAttribute FitTbl
-    ON a.ItemCode = FitTbl.ItemCode AND FitTbl.AttributeTypeCode = 38
+  ON a.ItemCode = FitTbl.ItemCode AND FitTbl.AttributeTypeCode = 38
 LEFT JOIN cdItemAttributeDesc FitDesc
-    ON FitTbl.AttributeTypeCode = FitDesc.AttributeTypeCode
+  ON FitTbl.AttributeTypeCode = FitDesc.AttributeTypeCode
-   AND FitTbl.AttributeCode     = FitDesc.AttributeCode
+ AND FitTbl.AttributeCode     = FitDesc.AttributeCode
-   AND FitTbl.ItemTypeCode      = FitDesc.ItemTypeCode
+ AND FitTbl.ItemTypeCode      = FitDesc.ItemTypeCode
-
 LEFT JOIN prItemAttribute KisaKar
-    ON a.ItemCode = KisaKar.ItemCode AND KisaKar.AttributeTypeCode = 41
+  ON a.ItemCode = KisaKar.ItemCode AND KisaKar.AttributeTypeCode = 41
 LEFT JOIN cdItemAttributeDesc KisaKarDesc
-    ON KisaKar.AttributeTypeCode = KisaKarDesc.AttributeTypeCode
+  ON KisaKar.AttributeTypeCode = KisaKarDesc.AttributeTypeCode
-   AND KisaKar.AttributeCode     = KisaKarDesc.AttributeCode
+ AND KisaKar.AttributeCode     = KisaKarDesc.AttributeCode
-   AND KisaKar.ItemTypeCode      = KisaKarDesc.ItemTypeCode
+ AND KisaKar.ItemTypeCode      = KisaKarDesc.ItemTypeCode
 WHERE a.CurrAccCode LIKE @Carikod
   AND a.InvoiceDate BETWEEN @StartDate AND @EndDate
+  AND %s
   %s
 GROUP BY a.InvoiceDate, a.InvoiceNumber, a.ItemCode, a.ColorCode
 ORDER BY Belge_Tarihi, Belge_Ref_Numarasi, Urun_Kodu;`,
+		piyasaScope,
 		func() string {
 			if inParislem == "" {
 				return ""
 			}
 			return fmt.Sprintf(`AND EXISTS (
-                SELECT 1 
+				SELECT 1
-                FROM CurrAccBookATAttributesFilter f
+				FROM CurrAccBookATAttributesFilter f
-                WHERE f.CurrAccBookID = a.CurrAccBookID
+				WHERE f.CurrAccBookID = a.CurrAccBookID
-                  AND f.ATAtt01 IN (%s)
+				  AND f.ATAtt01 IN (%s)
-            )`, inParislem)
+			)`, inParislem)
 		}(),
 	)
-	rows, err := db.MssqlDB.Query(query,
+
+	rows, err := db.MssqlDB.QueryContext(ctx, query,
 		sql.Named("Carikod", "%"+accountCode+"%"),
 		sql.Named("StartDate", startDate),
 		sql.Named("EndDate", endDate),
 	)
 	if err != nil {
-		return nil, fmt.Errorf("detay sorgu hatası: %v", err)
+		return nil, fmt.Errorf("detay sorgu hatasi: %v", err)
 	}
 	defer rows.Close()
 

svc/queries/statements_pdf.go

@@ -4,14 +4,15 @@ package queries
 import (
 	"bssapp-backend/db"
 	"bssapp-backend/models"
+	"context"
 	"database/sql"
 	"fmt"
 	"log"
 	"strings"
 )
 
-func GetStatementsPDF(accountCode, startDate, endDate string, parislemler []string) ([]models.StatementHeader, []string, error) {
+func GetStatementsPDF(ctx context.Context, accountCode, startDate, endDate string, parislemler []string) ([]models.StatementHeader, []string, error) {
-	headers, err := getStatementsForPDF(accountCode, startDate, endDate, parislemler)
+	headers, err := getStatementsForPDF(ctx, accountCode, startDate, endDate, parislemler)
 	if err != nil {
 		log.Printf("Header query error: %v", err)
 		return nil, nil, err

svc/queries/user_detail.go

@@ -52,12 +52,19 @@ ORDER BY d.code
 // 🌍 PIYASALAR
 // ======================================================
 const GetUserPiyasalar = `
-SELECT p.code, p.title
+SELECT
+  COALESCE(p_code.code, p_title.code, up.piyasa_code) AS code,
+  COALESCE(p_code.title, p_title.title, up.piyasa_code) AS title
 FROM dfusr_piyasa up
-JOIN mk_sales_piy p ON p.code = up.piyasa_code
+LEFT JOIN mk_sales_piy p_code
+  ON UPPER(translate(TRIM(p_code.code),  'çğıöşüÇĞİÖŞÜ', 'CGIOSUCGIOSU'))
+   = UPPER(translate(TRIM(up.piyasa_code), 'çğıöşüÇĞİÖŞÜ', 'CGIOSUCGIOSU'))
+LEFT JOIN mk_sales_piy p_title
+  ON UPPER(translate(TRIM(p_title.title), 'çğıöşüÇĞİÖŞÜ', 'CGIOSUCGIOSU'))
+   = UPPER(translate(TRIM(up.piyasa_code), 'çğıöşüÇĞİÖŞÜ', 'CGIOSUCGIOSU'))
 WHERE up.dfusr_id = $1
   AND up.is_allowed = true
-ORDER BY p.code
+ORDER BY 1
 `
 
 // ======================================================

svc/routes/statement_detail.go

@@ -25,7 +25,7 @@ func GetStatementDetailsHandler(w http.ResponseWriter, r *http.Request) {
 	endDate := r.URL.Query().Get("enddate")
 	parislemler := r.URL.Query()["parislemler"]
 
-	details, err := queries.GetStatementDetails(accountCode, startDate, endDate, parislemler)
+	details, err := queries.GetStatementDetails(r.Context(), accountCode, startDate, endDate, parislemler)
 	if err != nil {
 		http.Error(w, "Error fetching statement details: "+err.Error(), http.StatusInternalServerError)
 		return

svc/routes/statement_header.go

@@ -25,7 +25,7 @@ func GetStatementHeadersHandler(w http.ResponseWriter, r *http.Request) {
 		Parislemler: r.URL.Query()["parislemler"],
 	}
 
-	statements, err := queries.GetStatements(params)
+	statements, err := queries.GetStatements(r.Context(), params)
 	if err != nil {
 		http.Error(w, "Error fetching statements: "+err.Error(), http.StatusInternalServerError)
 		return

svc/routes/statement_header_pdf.go

@@ -292,7 +292,7 @@ func ExportStatementHeaderReportPDFHandler(mssql *sql.DB) http.HandlerFunc {
 			}
 		}
 
-		headers, _, err := queries.GetStatementsHPDF(accountCode, startDate, endDate, parislemler)
+		headers, _, err := queries.GetStatementsHPDF(r.Context(), accountCode, startDate, endDate, parislemler)
 		if err != nil {
 			http.Error(w, err.Error(), http.StatusInternalServerError)
 			return

svc/routes/statements_pdf.go

@@ -445,7 +445,7 @@ func ExportPDFHandler(mssql *sql.DB) http.HandlerFunc {
 			accountCode, startDate, endDate, parislemler)
 
 		// 1) Header verileri
-		headers, belgeNos, err := queries.GetStatementsPDF(accountCode, startDate, endDate, parislemler)
+		headers, belgeNos, err := queries.GetStatementsPDF(r.Context(), accountCode, startDate, endDate, parislemler)
 		if err != nil {
 			http.Error(w, err.Error(), http.StatusInternalServerError)
 			return

svc/routes/user_detail.go

@@ -3,8 +3,10 @@ package routes
 import (
 	"bssapp-backend/auth"
 	"bssapp-backend/internal/auditlog"
+	"bssapp-backend/internal/authz"
 	"bssapp-backend/internal/mailer"
 	"bssapp-backend/internal/security"
+	"bssapp-backend/middlewares"
 	"bssapp-backend/models"
 	"bssapp-backend/queries"
 	"bytes"
@@ -323,6 +325,9 @@ func handleUserUpdate(db *sql.DB, w http.ResponseWriter, r *http.Request, userID
 		return
 	}
 
+	authz.ClearPiyasaCache(int(userID))
+	middlewares.ClearAuthzScopeCacheForUser(userID)
+
 	_ = json.NewEncoder(w).Encode(map[string]any{"success": true})
 }
 
@@ -424,6 +429,9 @@ func handleUserDelete(db *sql.DB, w http.ResponseWriter, r *http.Request, userID
 		return
 	}
 
+	authz.ClearPiyasaCache(int(userID))
+	middlewares.ClearAuthzScopeCacheForUser(userID)
+
 	if claims != nil {
 		auditlog.Enqueue(r.Context(), auditlog.ActivityLog{
 			ActionType:     "user_delete",

ui/.quasar/prod-spa/app.js

@@ -0,0 +1,75 @@
+/* eslint-disable */
+/**
+ * THIS FILE IS GENERATED AUTOMATICALLY.
+ * DO NOT EDIT.
+ *
+ * You are probably looking on adding startup/initialization code.
+ * Use "quasar new boot <name>" and add it there.
+ * One boot file per concern. Then reference the file(s) in quasar.config file > boot:
+ * boot: ['file', ...] // do not add ".js" extension to it.
+ *
+ * Boot files are your "main.js"
+ **/
+
+
+
+
+
+import { Quasar } from 'quasar'
+import { markRaw } from 'vue'
+import RootComponent from 'app/src/App.vue'
+
+import createStore from 'app/src/stores/index'
+import createRouter from 'app/src/router/index'
+
+
+
+
+
+export default async function (createAppFn, quasarUserOptions) {
+  
+
+  // Create the app instance.
+  // Here we inject into it the Quasar UI, the router & possibly the store.
+  const app = createAppFn(RootComponent)
+
+  
+
+  app.use(Quasar, quasarUserOptions)
+
+  
+
+  
+    const store = typeof createStore === 'function'
+      ? await createStore({})
+      : createStore
+
+    
+      app.use(store)
+
+      
+    
+  
+
+  const router = markRaw(
+    typeof createRouter === 'function'
+      ? await createRouter({store})
+      : createRouter
+  )
+
+  
+    // make router instance available in store
+    
+      store.use(({ store }) => { store.router = router })
+    
+  
+
+  // Expose the app, the router and the store.
+  // Note that we are not mounting the app here, since bootstrapping will be
+  // different depending on whether we are in a browser or on the server.
+  return {
+    app,
+    store,
+    router
+  }
+}

ui/.quasar/prod-spa/client-entry.js

@@ -0,0 +1,154 @@
+/* eslint-disable */
+/**
+ * THIS FILE IS GENERATED AUTOMATICALLY.
+ * DO NOT EDIT.
+ *
+ * You are probably looking on adding startup/initialization code.
+ * Use "quasar new boot <name>" and add it there.
+ * One boot file per concern. Then reference the file(s) in quasar.config file > boot:
+ * boot: ['file', ...] // do not add ".js" extension to it.
+ *
+ * Boot files are your "main.js"
+ **/
+
+
+import { createApp } from 'vue'
+
+
+
+
+
+
+
+import '@quasar/extras/roboto-font/roboto-font.css'
+
+import '@quasar/extras/material-icons/material-icons.css'
+
+
+
+
+// We load Quasar stylesheet file
+import 'quasar/dist/quasar.sass'
+
+
+
+
+import 'src/css/app.css'
+
+
+import createQuasarApp from './app.js'
+import quasarUserOptions from './quasar-user-options.js'
+
+
+
+
+
+
+
+
+const publicPath = `/`
+
+
+async function start ({
+  app,
+  router
+  , store
+}, bootFiles) {
+  
+  let hasRedirected = false
+  const getRedirectUrl = url => {
+    try { return router.resolve(url).href }
+    catch (err) {}
+
+    return Object(url) === url
+      ? null
+      : url
+  }
+  const redirect = url => {
+    hasRedirected = true
+
+    if (typeof url === 'string' && /^https?:\/\//.test(url)) {
+      window.location.href = url
+      return
+    }
+
+    const href = getRedirectUrl(url)
+
+    // continue if we didn't fail to resolve the url
+    if (href !== null) {
+      window.location.href = href
+      window.location.reload()
+    }
+  }
+
+  const urlPath = window.location.href.replace(window.location.origin, '')
+
+  for (let i = 0; hasRedirected === false && i < bootFiles.length; i++) {
+    try {
+      await bootFiles[i]({
+        app,
+        router,
+        store,
+        ssrContext: null,
+        redirect,
+        urlPath,
+        publicPath
+      })
+    }
+    catch (err) {
+      if (err && err.url) {
+        redirect(err.url)
+        return
+      }
+
+      console.error('[Quasar] boot error:', err)
+      return
+    }
+  }
+
+  if (hasRedirected === true) return
+  
+
+  app.use(router)
+
+  
+
+    
+
+    
+      app.mount('#q-app')
+    
+  
+
+}
+
+createQuasarApp(createApp, quasarUserOptions)
+
+  .then(app => {
+    // eventually remove this when Cordova/Capacitor/Electron support becomes old
+    const [ method, mapFn ] = Promise.allSettled !== void 0
+      ? [
+        'allSettled',
+        bootFiles => bootFiles.map(result => {
+          if (result.status === 'rejected') {
+            console.error('[Quasar] boot error:', result.reason)
+            return
+          }
+          return result.value.default
+        })
+      ]
+      : [
+        'all',
+        bootFiles => bootFiles.map(entry => entry.default)
+      ]
+
+    return Promise[ method ]([
+      
+      import(/* webpackMode: "eager" */ 'boot/dayjs')
+      
+    ]).then(bootFiles => {
+      const boot = mapFn(bootFiles).filter(entry => typeof entry === 'function')
+      start(app, boot)
+    })
+  })
+

ui/.quasar/prod-spa/client-prefetch.js

@@ -0,0 +1,116 @@
+/* eslint-disable */
+/**
+ * THIS FILE IS GENERATED AUTOMATICALLY.
+ * DO NOT EDIT.
+ *
+ * You are probably looking on adding startup/initialization code.
+ * Use "quasar new boot <name>" and add it there.
+ * One boot file per concern. Then reference the file(s) in quasar.config file > boot:
+ * boot: ['file', ...] // do not add ".js" extension to it.
+ *
+ * Boot files are your "main.js"
+ **/
+
+
+
+import App from 'app/src/App.vue'
+let appPrefetch = typeof App.preFetch === 'function'
+  ? App.preFetch
+  : (
+    // Class components return the component options (and the preFetch hook) inside __c property
+    App.__c !== void 0 && typeof App.__c.preFetch === 'function'
+      ? App.__c.preFetch
+      : false
+    )
+
+
+function getMatchedComponents (to, router) {
+  const route = to
+    ? (to.matched ? to : router.resolve(to).route)
+    : router.currentRoute.value
+
+  if (!route) { return [] }
+
+  const matched = route.matched.filter(m => m.components !== void 0)
+
+  if (matched.length === 0) { return [] }
+
+  return Array.prototype.concat.apply([], matched.map(m => {
+    return Object.keys(m.components).map(key => {
+      const comp = m.components[key]
+      return {
+        path: m.path,
+        c: comp
+      }
+    })
+  }))
+}
+
+export function addPreFetchHooks ({ router, store, publicPath }) {
+  // Add router hook for handling preFetch.
+  // Doing it after initial route is resolved so that we don't double-fetch
+  // the data that we already have. Using router.beforeResolve() so that all
+  // async components are resolved.
+  router.beforeResolve((to, from, next) => {
+    const
+      urlPath = window.location.href.replace(window.location.origin, ''),
+      matched = getMatchedComponents(to, router),
+      prevMatched = getMatchedComponents(from, router)
+
+    let diffed = false
+    const preFetchList = matched
+      .filter((m, i) => {
+        return diffed || (diffed = (
+          !prevMatched[i] ||
+          prevMatched[i].c !== m.c ||
+          m.path.indexOf('/:') > -1 // does it has params?
+        ))
+      })
+      .filter(m => m.c !== void 0 && (
+        typeof m.c.preFetch === 'function'
+        // Class components return the component options (and the preFetch hook) inside __c property
+        || (m.c.__c !== void 0 && typeof m.c.__c.preFetch === 'function')
+      ))
+      .map(m => m.c.__c !== void 0 ? m.c.__c.preFetch : m.c.preFetch)
+
+    
+    if (appPrefetch !== false) {
+      preFetchList.unshift(appPrefetch)
+      appPrefetch = false
+    }
+    
+
+    if (preFetchList.length === 0) {
+      return next()
+    }
+
+    let hasRedirected = false
+    const redirect = url => {
+      hasRedirected = true
+      next(url)
+    }
+    const proceed = () => {
+      
+      if (hasRedirected === false) { next() }
+    }
+
+    
+
+    preFetchList.reduce(
+      (promise, preFetch) => promise.then(() => hasRedirected === false && preFetch({
+        store,
+        currentRoute: to,
+        previousRoute: from,
+        redirect,
+        urlPath,
+        publicPath
+      })),
+      Promise.resolve()
+    )
+    .then(proceed)
+    .catch(e => {
+      console.error(e)
+      proceed()
+    })
+  })
+}

ui/.quasar/prod-spa/quasar-user-options.js

@@ -0,0 +1,23 @@
+/* eslint-disable */
+/**
+ * THIS FILE IS GENERATED AUTOMATICALLY.
+ * DO NOT EDIT.
+ *
+ * You are probably looking on adding startup/initialization code.
+ * Use "quasar new boot <name>" and add it there.
+ * One boot file per concern. Then reference the file(s) in quasar.config file > boot:
+ * boot: ['file', ...] // do not add ".js" extension to it.
+ *
+ * Boot files are your "main.js"
+ **/
+
+import lang from 'quasar/lang/tr.js'
+
+
+
+import {Loading,Dialog,Notify} from 'quasar'
+
+
+
+export default { config: {"notify":{"position":"top","timeout":2500}},lang,plugins: {Loading,Dialog,Notify} }
+

ui/src/css/app.css

@@ -1262,9 +1262,16 @@ body {
   padding: 6px 8px !important;
 }
 
-/* Güvenli z-index hiyerarşisi */
+/* Mobile drawer touch-fix: drawer must stay above its backdrop */
-.q-header { z-index: 1000 !important; } /* header en üstte */
+.q-drawer__backdrop {
-.q-drawer { z-index: 950 !important; }  /* drawer header’ın altında */
+  z-index: 2999 !important;
+}
+.q-drawer {
+  z-index: 3000 !important;
+}
+.q-header {
+  z-index: 3001 !important;
+}
 
 /* Mobile */
 @media (max-width: 768px) {

ui/src/layouts/MainLayout.vue

@@ -31,7 +31,7 @@
       class="bg-secondary text-white"
     >
 
-      <q-scroll-area style="height:100%">
+      <div class="drawer-scroll">
 
         <q-list padding>
 
@@ -106,7 +106,7 @@
 
         </q-list>
 
-      </q-scroll-area>
+      </div>
 
     </q-drawer>
 
@@ -343,3 +343,12 @@ const filteredMenu = computed(() => {
 })
 </script>
 
+<style scoped>
+.drawer-scroll {
+  height: 100%;
+  overflow-y: auto;
+  -webkit-overflow-scrolling: touch;
+  touch-action: pan-y;
+}
+</style>
+

ui/src/pages/OrderProductionUpdate.vue

@@ -383,6 +383,10 @@ function normalizeShortCode (value, maxLen) {
   return String(value || '').trim().toUpperCase().slice(0, maxLen)
 }
 
+function isValidBaggiModelCode (code) {
+  return /^[A-Z][0-9]{3}-[A-Z]{3}[0-9]{5}$/.test(code)
+}
+
 function validateRowInput (row) {
   const newItemCode = String(row.NewItemCode || '').trim().toUpperCase()
   const newColor = normalizeShortCode(row.NewColor, 3)
@@ -391,7 +395,9 @@ function validateRowInput (row) {
   const oldDim2 = String(row.OldDim2 || '').trim()
 
   if (!newItemCode) return 'Yeni model kodu zorunludur.'
-  if (newItemCode.length !== 13) return 'Yeni model kodu 13 karakter olmalidir.'
+  if (!isValidBaggiModelCode(newItemCode)) {
+    return 'Girdiginiz yapi BAGGI kod yapisina uygun degildir. Format: X999-XXX99999'
+  }
   if (oldColor && !newColor) return 'Eski kayitta 1. renk oldugu icin yeni 1. renk zorunludur.'
   if (newColor && newColor.length !== 3) return 'Yeni 1. renk kodu 3 karakter olmalidir.'
   if (oldDim2 && !newDim2) return 'Eski kayitta 2. renk oldugu icin yeni 2. renk zorunludur.'