api/manage_templates.php

<?php

/**
 * Template Management API
 * CRUD operations for ticket_templates table
 */

ini_set('display_errors', 0);
error_reporting(E_ALL);

require_once dirname(__DIR__) . '/middleware/RateLimitMiddleware.php';
RateLimitMiddleware::apply('api');

try {
    require_once dirname(__DIR__) . '/config/config.php';
    require_once dirname(__DIR__) . '/helpers/Database.php';

    // Check authentication
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    if (!isset($_SESSION['user']) || !isset($_SESSION['user']['user_id'])) {
        http_response_code(401);
        echo json_encode(['success' => false, 'error' => 'Authentication required']);
        exit;
    }

    // Check admin privileges for write operations
    if ($_SERVER['REQUEST_METHOD'] !== 'GET' && !$_SESSION['user']['is_admin']) {
        http_response_code(403);
        echo json_encode(['success' => false, 'error' => 'Admin privileges required']);
        exit;
    }

    // CSRF Protection for write operations
    if ($_SERVER['REQUEST_METHOD'] !== 'GET') {
        require_once dirname(__DIR__) . '/middleware/CsrfMiddleware.php';
        $csrfToken = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
        if (!CsrfMiddleware::validateToken($csrfToken)) {
            http_response_code(403);
            echo json_encode(['success' => false, 'error' => 'Invalid CSRF token']);
            exit;
        }
    }

    // Use centralized database connection
    $conn = Database::getConnection();

    header('Content-Type: application/json');

    $method = $_SERVER['REQUEST_METHOD'];
    $id = isset($_GET['id']) ? (int)$_GET['id'] : null;

    switch ($method) {
        case 'GET':
            if ($id) {
                // Get single template
                $stmt = $conn->prepare("SELECT * FROM ticket_templates WHERE template_id = ?");
                $stmt->bind_param('i', $id);
                $stmt->execute();
                $result = $stmt->get_result();
                $template = $result->fetch_assoc();
                $stmt->close();
                echo json_encode(['success' => true, 'template' => $template]);
            } else {
                // Get all templates
                $result = $conn->query("SELECT * FROM ticket_templates ORDER BY template_name");
                $templates = [];
                while ($row = $result->fetch_assoc()) {
                    $templates[] = $row;
                }
                echo json_encode(['success' => true, 'templates' => $templates]);
            }
            break;

        case 'POST':
            $data = json_decode(file_get_contents('php://input'), true);

            // Validate required fields and lengths
            $templateName = trim($data['template_name'] ?? '');
            $titleTemplate = trim($data['title_template'] ?? '');
            if (!$templateName || mb_strlen($templateName) > 100) {
                echo json_encode(['success' => false, 'error' => 'Template name is required (max 100 chars)']);
                exit;
            }
            if (!$titleTemplate || mb_strlen($titleTemplate) > 255) {
                echo json_encode(['success' => false, 'error' => 'Title template is required (max 255 chars)']);
                exit;
            }
            $allowedCategories = ['General','Hardware','Software','Network','Security'];
            $allowedTypes      = ['Issue','Maintenance','Install','Task','Upgrade','Problem'];
            $category = in_array($data['category'] ?? '', $allowedCategories) ? $data['category'] : 'General';
            $type     = in_array($data['type'] ?? '', $allowedTypes)      ? $data['type']     : 'Issue';
            $priority = max(1, min(5, (int)($data['default_priority'] ?? 4)));
            $isActive = $data['is_active'] ? 1 : 0;
            $description = mb_substr($data['description_template'] ?? '', 0, 65535);

            $stmt = $conn->prepare("INSERT INTO ticket_templates
                                    (template_name, title_template, description_template, category, type, default_priority, is_active)
                                    VALUES (?, ?, ?, ?, ?, ?, ?)");
            $stmt->bind_param(
                'sssssii',
                $templateName,
                $titleTemplate,
                $description,
                $category,
                $type,
                $priority,
                $isActive
            );

            if ($stmt->execute()) {
                echo json_encode(['success' => true, 'template_id' => $conn->insert_id]);
            } else {
                error_log("Template creation failed: " . $stmt->error);
                echo json_encode(['success' => false, 'error' => 'Failed to create template']);
            }
            $stmt->close();
            break;

        case 'PUT':
            if (!$id) {
                echo json_encode(['success' => false, 'error' => 'ID required']);
                exit;
            }

            $data = json_decode(file_get_contents('php://input'), true);

            // Validate required fields and lengths
            $templateName = trim($data['template_name'] ?? '');
            $titleTemplate = trim($data['title_template'] ?? '');
            if (!$templateName || mb_strlen($templateName) > 100) {
                echo json_encode(['success' => false, 'error' => 'Template name is required (max 100 chars)']);
                exit;
            }
            if (!$titleTemplate || mb_strlen($titleTemplate) > 255) {
                echo json_encode(['success' => false, 'error' => 'Title template is required (max 255 chars)']);
                exit;
            }
            $allowedCategories = ['General','Hardware','Software','Network','Security'];
            $allowedTypes      = ['Issue','Maintenance','Install','Task','Upgrade','Problem'];
            $category = in_array($data['category'] ?? '', $allowedCategories) ? $data['category'] : 'General';
            $type     = in_array($data['type'] ?? '', $allowedTypes)      ? $data['type']     : 'Issue';
            $priority = max(1, min(5, (int)($data['default_priority'] ?? 4)));
            $isActive = $data['is_active'] ? 1 : 0;
            $description = mb_substr($data['description_template'] ?? '', 0, 65535);

            $stmt = $conn->prepare("UPDATE ticket_templates SET
                                    template_name = ?, title_template = ?, description_template = ?,
                                    category = ?, type = ?, default_priority = ?, is_active = ?
                                    WHERE template_id = ?");
            $stmt->bind_param(
                'sssssiii',
                $templateName,
                $titleTemplate,
                $description,
                $category,
                $type,
                $priority,
                $isActive,
                $id
            );

            echo json_encode(['success' => $stmt->execute()]);
            $stmt->close();
            break;

        case 'DELETE':
            if (!$id) {
                echo json_encode(['success' => false, 'error' => 'ID required']);
                exit;
            }

            $stmt = $conn->prepare("DELETE FROM ticket_templates WHERE template_id = ?");
            $stmt->bind_param('i', $id);
            echo json_encode(['success' => $stmt->execute()]);
            $stmt->close();
            break;

        default:
            http_response_code(405);
            echo json_encode(['success' => false, 'error' => 'Method not allowed']);
    }
} catch (Exception $e) {
    error_log("Template API error: " . $e->getMessage());
    http_response_code(500);
    echo json_encode(['success' => false, 'error' => 'An internal error occurred']);
}
Implement comprehensive improvement plan (Phases 1-6) 2026-01-20 09:55:01 -05:00			`<?php`
style: auto-fix 1340 phpcs PSR-12 violations via phpcbf; exclude MissingNamespace and SideEffects 2026-04-13 20:56:10 -04:00
Implement comprehensive improvement plan (Phases 1-6) 2026-01-20 09:55:01 -05:00			`/**`
			`* Template Management API`
			`* CRUD operations for ticket_templates table`
			`*/`

			`ini_set('display_errors', 0);`
			`error_reporting(E_ALL);`

			`require_once dirname(__DIR__) . '/middleware/RateLimitMiddleware.php';`
			`RateLimitMiddleware::apply('api');`

			`try {`
			`require_once dirname(__DIR__) . '/config/config.php';`
Add performance, security, and reliability improvements 2026-01-30 14:39:13 -05:00			`require_once dirname(__DIR__) . '/helpers/Database.php';`
Implement comprehensive improvement plan (Phases 1-6) 2026-01-20 09:55:01 -05:00
			`// Check authentication`
style: auto-fix 1340 phpcs PSR-12 violations via phpcbf; exclude MissingNamespace and SideEffects 2026-04-13 20:56:10 -04:00			`if (session_status() === PHP_SESSION_NONE) {`
			`session_start();`
			`}`
Implement comprehensive improvement plan (Phases 1-6) 2026-01-20 09:55:01 -05:00			`if (!isset($_SESSION['user']) \|\| !isset($_SESSION['user']['user_id'])) {`
			`http_response_code(401);`
			`echo json_encode(['success' => false, 'error' => 'Authentication required']);`
			`exit;`
			`}`

			`// Check admin privileges for write operations`
			`if ($_SERVER['REQUEST_METHOD'] !== 'GET' && !$_SESSION['user']['is_admin']) {`
			`http_response_code(403);`
			`echo json_encode(['success' => false, 'error' => 'Admin privileges required']);`
			`exit;`
			`}`

			`// CSRF Protection for write operations`
			`if ($_SERVER['REQUEST_METHOD'] !== 'GET') {`
			`require_once dirname(__DIR__) . '/middleware/CsrfMiddleware.php';`
			`$csrfToken = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';`
			`if (!CsrfMiddleware::validateToken($csrfToken)) {`
			`http_response_code(403);`
			`echo json_encode(['success' => false, 'error' => 'Invalid CSRF token']);`
			`exit;`
			`}`
			`}`

Add performance, security, and reliability improvements 2026-01-30 14:39:13 -05:00			`// Use centralized database connection`
			`$conn = Database::getConnection();`
Implement comprehensive improvement plan (Phases 1-6) 2026-01-20 09:55:01 -05:00
			`header('Content-Type: application/json');`

			`$method = $_SERVER['REQUEST_METHOD'];`
			`$id = isset($_GET['id']) ? (int)$_GET['id'] : null;`

			`switch ($method) {`
			`case 'GET':`
			`if ($id) {`
			`// Get single template`
			`$stmt = $conn->prepare("SELECT * FROM ticket_templates WHERE template_id = ?");`
			`$stmt->bind_param('i', $id);`
			`$stmt->execute();`
			`$result = $stmt->get_result();`
			`$template = $result->fetch_assoc();`
			`$stmt->close();`
			`echo json_encode(['success' => true, 'template' => $template]);`
			`} else {`
			`// Get all templates`
			`$result = $conn->query("SELECT * FROM ticket_templates ORDER BY template_name");`
			`$templates = [];`
			`while ($row = $result->fetch_assoc()) {`
			`$templates[] = $row;`
			`}`
			`echo json_encode(['success' => true, 'templates' => $templates]);`
			`}`
			`break;`

			`case 'POST':`
			`$data = json_decode(file_get_contents('php://input'), true);`

Harden attachment deletion and template CRUD validation 2026-03-28 13:41:22 -04:00			`// Validate required fields and lengths`
			`$templateName = trim($data['template_name'] ?? '');`
			`$titleTemplate = trim($data['title_template'] ?? '');`
			`if (!$templateName \|\| mb_strlen($templateName) > 100) {`
			`echo json_encode(['success' => false, 'error' => 'Template name is required (max 100 chars)']);`
			`exit;`
			`}`
			`if (!$titleTemplate \|\| mb_strlen($titleTemplate) > 255) {`
			`echo json_encode(['success' => false, 'error' => 'Title template is required (max 255 chars)']);`
			`exit;`
			`}`
			`$allowedCategories = ['General','Hardware','Software','Network','Security'];`
			`$allowedTypes = ['Issue','Maintenance','Install','Task','Upgrade','Problem'];`
			`$category = in_array($data['category'] ?? '', $allowedCategories) ? $data['category'] : 'General';`
			`$type = in_array($data['type'] ?? '', $allowedTypes) ? $data['type'] : 'Issue';`
			`$priority = max(1, min(5, (int)($data['default_priority'] ?? 4)));`
			`$isActive = $data['is_active'] ? 1 : 0;`
			`$description = mb_substr($data['description_template'] ?? '', 0, 65535);`

Implement comprehensive improvement plan (Phases 1-6) 2026-01-20 09:55:01 -05:00			`$stmt = $conn->prepare("INSERT INTO ticket_templates`
Fix template priority field name and improve admin form styling 2026-01-26 11:21:29 -05:00			`(template_name, title_template, description_template, category, type, default_priority, is_active)`
Implement comprehensive improvement plan (Phases 1-6) 2026-01-20 09:55:01 -05:00			`VALUES (?, ?, ?, ?, ?, ?, ?)");`
style: auto-fix 1340 phpcs PSR-12 violations via phpcbf; exclude MissingNamespace and SideEffects 2026-04-13 20:56:10 -04:00			`$stmt->bind_param(`
			`'sssssii',`
Harden attachment deletion and template CRUD validation 2026-03-28 13:41:22 -04:00			`$templateName,`
			`$titleTemplate,`
			`$description,`
			`$category,`
			`$type,`
			`$priority,`
			`$isActive`
Implement comprehensive improvement plan (Phases 1-6) 2026-01-20 09:55:01 -05:00			`);`

			`if ($stmt->execute()) {`
			`echo json_encode(['success' => true, 'template_id' => $conn->insert_id]);`
			`} else {`
Fix error message disclosure in API endpoints 2026-01-30 18:56:29 -05:00			`error_log("Template creation failed: " . $stmt->error);`
			`echo json_encode(['success' => false, 'error' => 'Failed to create template']);`
Implement comprehensive improvement plan (Phases 1-6) 2026-01-20 09:55:01 -05:00			`}`
			`$stmt->close();`
			`break;`

			`case 'PUT':`
			`if (!$id) {`
			`echo json_encode(['success' => false, 'error' => 'ID required']);`
			`exit;`
			`}`

			`$data = json_decode(file_get_contents('php://input'), true);`

Harden attachment deletion and template CRUD validation 2026-03-28 13:41:22 -04:00			`// Validate required fields and lengths`
			`$templateName = trim($data['template_name'] ?? '');`
			`$titleTemplate = trim($data['title_template'] ?? '');`
			`if (!$templateName \|\| mb_strlen($templateName) > 100) {`
			`echo json_encode(['success' => false, 'error' => 'Template name is required (max 100 chars)']);`
			`exit;`
			`}`
			`if (!$titleTemplate \|\| mb_strlen($titleTemplate) > 255) {`
			`echo json_encode(['success' => false, 'error' => 'Title template is required (max 255 chars)']);`
			`exit;`
			`}`
			`$allowedCategories = ['General','Hardware','Software','Network','Security'];`
			`$allowedTypes = ['Issue','Maintenance','Install','Task','Upgrade','Problem'];`
			`$category = in_array($data['category'] ?? '', $allowedCategories) ? $data['category'] : 'General';`
			`$type = in_array($data['type'] ?? '', $allowedTypes) ? $data['type'] : 'Issue';`
			`$priority = max(1, min(5, (int)($data['default_priority'] ?? 4)));`
			`$isActive = $data['is_active'] ? 1 : 0;`
			`$description = mb_substr($data['description_template'] ?? '', 0, 65535);`

Implement comprehensive improvement plan (Phases 1-6) 2026-01-20 09:55:01 -05:00			`$stmt = $conn->prepare("UPDATE ticket_templates SET`
			`template_name = ?, title_template = ?, description_template = ?,`
Fix template priority field name and improve admin form styling 2026-01-26 11:21:29 -05:00			`category = ?, type = ?, default_priority = ?, is_active = ?`
Implement comprehensive improvement plan (Phases 1-6) 2026-01-20 09:55:01 -05:00			`WHERE template_id = ?");`
style: auto-fix 1340 phpcs PSR-12 violations via phpcbf; exclude MissingNamespace and SideEffects 2026-04-13 20:56:10 -04:00			`$stmt->bind_param(`
			`'sssssiii',`
Harden attachment deletion and template CRUD validation 2026-03-28 13:41:22 -04:00			`$templateName,`
			`$titleTemplate,`
			`$description,`
			`$category,`
			`$type,`
			`$priority,`
			`$isActive,`
Implement comprehensive improvement plan (Phases 1-6) 2026-01-20 09:55:01 -05:00			`$id`
			`);`

			`echo json_encode(['success' => $stmt->execute()]);`
			`$stmt->close();`
			`break;`

			`case 'DELETE':`
			`if (!$id) {`
			`echo json_encode(['success' => false, 'error' => 'ID required']);`
			`exit;`
			`}`

			`$stmt = $conn->prepare("DELETE FROM ticket_templates WHERE template_id = ?");`
			`$stmt->bind_param('i', $id);`
			`echo json_encode(['success' => $stmt->execute()]);`
			`$stmt->close();`
			`break;`

			`default:`
			`http_response_code(405);`
			`echo json_encode(['success' => false, 'error' => 'Method not allowed']);`
			`}`
			`} catch (Exception $e) {`
Fix error message disclosure in API endpoints 2026-01-30 18:56:29 -05:00			`error_log("Template API error: " . $e->getMessage());`
Implement comprehensive improvement plan (Phases 1-6) 2026-01-20 09:55:01 -05:00			`http_response_code(500);`
Fix error message disclosure in API endpoints 2026-01-30 18:56:29 -05:00			`echo json_encode(['success' => false, 'error' => 'An internal error occurred']);`
Implement comprehensive improvement plan (Phases 1-6) 2026-01-20 09:55:01 -05:00			`}`