The document repository (Documentation Index
Fetch the complete documentation index at: https://mintlify.com/Nieto2020/portalhub/llms.txt
Use this file to discover all available pages before exploring further.
modules/documentos/) is the central file store for the consultancy portal. Clients upload their accounting files, advisors and admins can attach documents to any assigned client’s record, and every file is tracked with a version number so historical uploads are never silently overwritten. XML files receive an automatic CFDI validation flag on upload, supporting Mexican fiscal compliance workflows.
Document Record Fields
Every uploaded file creates a row in thedocumentos table with the following structure:
| Column | Type | Description |
|---|---|---|
id_documento | int | Auto-increment primary key |
id_usuario_propietario | int (FK) | Owner of the document (usually the client) |
id_tipo_doc | int (FK) | References cat_tipos_documentos catalogue |
ruta_archivo | string | Relative path on disk under uploads/ |
nombre_original | string | Original filename as submitted by the user |
version | int | Increments with each re-upload of the same filename and type |
validacion_cfdi | bool | 1 if the file is an XML CFDI; 0 otherwise |
fecha_subida | datetime | Server timestamp of the upload |
Uploading a Document
Endpoint:POST modules/documentos/subir.php (multipart/form-data)
subir.php is the primary upload handler. It enforces a 10 MB size limit, a strict allowlist of extensions and MIME types, path-traversal prevention via basename(), and file-name obfuscation on disk using bin2hex(random_bytes(16)).
Allowed file types:
| Extension | Expected MIME Type |
|---|---|
pdf | application/pdf |
xml | text/xml or application/xml |
doc | application/msword |
docx | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
xls | application/vnd.ms-excel |
xlsx | application/vnd.openxmlformats-officedocument.spreadsheetml.sheet |
jpg | image/jpeg or image/pjpeg |
png | image/png |
| Field | Required | Description |
|---|---|---|
archivo | Yes | The file binary (multipart/form-data) |
id_tipo_doc | Yes | Document type ID from the cat_tipos_documentos catalogue |
id_cliente | Admin/Asesor only | Client to upload on behalf of; not required for clients uploading their own files |
- cURL Example
- Success Response (201)
- MIME Mismatch (400)
Automatic Versioning
Before saving a new file,subir.php queries the highest existing version number for the same owner, document type, and original filename:
n+1) while the previous version’s file and record remain intact.
CFDI Validation Flag
When the uploaded file has an.xml extension, validacion_cfdi is automatically set to 1:
Role-Based Upload Permissions
| Role | Behaviour |
|---|---|
ROL_CLIENTE (3) | Can upload only to their own record; id_usuario_propietario is set from the session |
ROL_ASESOR (2) | Must supply id_cliente; the system verifies an active assignment exists in cliente_asesor before allowing the upload |
ROL_ADMIN (1) | Can upload to any client by providing id_cliente |
Listing Documents
Endpoint:GET modules/documentos/listar.php
Returns all document records visible to the logged-in user, joined with cat_tipos_documentos and usuarios to include the type name and owner email.
| Role | Filter Applied |
|---|---|
ROL_CLIENTE (3) | Only rows where id_usuario_propietario = id_usuario |
ROL_ASESOR (2) | Documents owned by any client in their active cliente_asesor assignments |
ROL_ADMIN (1) | All documents |
Downloading a Document
Endpoint:GET modules/documentos/descargar.php?id={id_documento}
descargar.php resolves the physical path from the ruta_archivo column and streams the file to the client using readfile() with appropriate Content-Disposition: attachment headers. The original filename (not the hashed disk name) is used in the Content-Disposition header.
Access is gated by the same ownership rules as listing:
Fetch Document Record
The document row is loaded by
id_documento. A 404 is returned if it does not exist.Permission Check
- Admin: always permitted
- Client: permitted only if
id_usuario_propietariomatches the session user - Asesor: permitted only if the document owner is an actively assigned client
File Existence Check
The resolved path is verified with
file_exists(). If the physical file is missing, 404 is returned.Uploads Directory Security
Theuploads/ directory is protected by an .htaccess file that prevents direct web access to uploaded files. All downloads must go through descargar.php, which enforces authentication and authorization before streaming any file.
Registering Document Metadata Directly
Endpoint:modules/documentos/registrar.php
registrar.php is a lower-level utility for inserting a document record into the documentos table without a multipart file upload. It accepts values directly for id_usuario_propietario, id_tipo_doc, ruta_archivo, version, and validacion_cfdi, and returns the new id_documento on success. This script is intended for programmatic or batch-registration scenarios where the file has already been placed on disk by other means.
Deleting a Document
Endpoint:modules/documentos/eliminar.php
eliminar.php removes a document record from the documentos table by id_documento:
200 with the message "Documento eliminado correctamente". On database error it returns 500.
Post-Upload Notifications
After a successful upload,subir.php uses NotificationService to alert the relevant party:
- Client uploads → the client’s active advisor is notified with event type
"Documento". - Advisor or admin uploads → the document owner (client) is notified.
NotificationService API.