api/update_comment.php

<?php
/**
 * API endpoint for updating a comment
 */

// Disable error display in the output
ini_set('display_errors', 0);
error_reporting(E_ALL);

// Apply rate limiting
require_once dirname(__DIR__) . '/middleware/RateLimitMiddleware.php';
RateLimitMiddleware::apply('api');

// Start output buffering
ob_start();

try {
    require_once dirname(__DIR__) . '/config/config.php';
    require_once dirname(__DIR__) . '/helpers/Database.php';
    require_once dirname(__DIR__) . '/models/CommentModel.php';
    require_once dirname(__DIR__) . '/models/TicketModel.php';
    require_once dirname(__DIR__) . '/models/AuditLogModel.php';

    // Check authentication via session
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    if (!isset($_SESSION['user']) || !isset($_SESSION['user']['user_id'])) {
        throw new Exception("Authentication required");
    }

    // CSRF Protection
    require_once dirname(__DIR__) . '/middleware/CsrfMiddleware.php';
    if ($_SERVER['REQUEST_METHOD'] === 'POST' || $_SERVER['REQUEST_METHOD'] === 'PUT') {
        $csrfToken = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
        if (!CsrfMiddleware::validateToken($csrfToken)) {
            http_response_code(403);
            header('Content-Type: application/json');
            echo json_encode(['success' => false, 'error' => 'Invalid CSRF token']);
            exit;
        }
    }

    $currentUser = $_SESSION['user'];
    $userId = $currentUser['user_id'];
    $isAdmin = $currentUser['is_admin'] ?? false;

    // Use centralized database connection
    $conn = Database::getConnection();

    // Get POST/PUT data
    $data = json_decode(file_get_contents('php://input'), true);

    if (!$data || !isset($data['comment_id']) || !isset($data['comment_text'])) {
        throw new Exception("Missing required fields: comment_id, comment_text");
    }

    $commentId = (int)$data['comment_id'];
    $commentText = trim($data['comment_text']);
    $markdownEnabled = isset($data['markdown_enabled']) && $data['markdown_enabled'];

    if (empty($commentText)) {
        throw new Exception("Comment text cannot be empty");
    }

    // Initialize models
    $commentModel = new CommentModel($conn);
    $auditLog = new AuditLogModel($conn);

    // Verify user can access the parent ticket
    $comment = $commentModel->getCommentById($commentId);
    if ($comment) {
        $ticketModel = new TicketModel($conn);
        $ticket = $ticketModel->getTicketById($comment['ticket_id']);
        if (!$ticket || !$ticketModel->canUserAccessTicket($ticket, $currentUser)) {
            ob_end_clean();
            http_response_code(403);
            header('Content-Type: application/json');
            echo json_encode(['success' => false, 'error' => 'Access denied']);
            exit;
        }
    }

    // Update comment
    $result = $commentModel->updateComment($commentId, $commentText, $markdownEnabled, $userId, $isAdmin);

    // Log the update if successful
    if ($result['success']) {
        $auditLog->log(
            $userId,
            'update',
            'comment',
            (string)$commentId,
            ['comment_text_preview' => substr($commentText, 0, 100)]
        );
    }

    // Discard any unexpected output
    ob_end_clean();

    header('Content-Type: application/json');
    echo json_encode($result);

} catch (Exception $e) {
    ob_end_clean();
    error_log("Update comment API error: " . $e->getMessage());
    header('Content-Type: application/json');
    echo json_encode([
        'success' => false,
        'error' => 'An internal error occurred'
    ]);
}
feat: Comment edit/delete, auto-link URLs, markdown tables, mobile fixes - Add comment edit/delete functionality (owner or admin can modify) - Add edit/delete buttons to comments in TicketView - Create update_comment.php and delete_comment.php API endpoints - Add updateComment() and deleteComment() methods to CommentModel - Show "(edited)" indicator on modified comments - Add migration script for updated_at column - Auto-link URLs in plain text comments (non-markdown) - Add markdown table support with proper HTML rendering - Preserve code blocks during markdown parsing - Fix mobile UI elements showing on desktop (add display:none defaults) - Add mobile styles for CreateTicketView form elements - Stack status-priority-row on mobile devices - Update cache busters to v20260124e - Update Claude.md and README.md documentation Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-24 16:59:29 -05:00			`<?php`
			`/**`
			`* API endpoint for updating a comment`
			`*/`

			`// Disable error display in the output`
			`ini_set('display_errors', 0);`
			`error_reporting(E_ALL);`

			`// Apply rate limiting`
			`require_once dirname(__DIR__) . '/middleware/RateLimitMiddleware.php';`
			`RateLimitMiddleware::apply('api');`

			`// Start output buffering`
			`ob_start();`

			`try {`
			`require_once dirname(__DIR__) . '/config/config.php';`
Add performance, security, and reliability improvements - Consolidate all 20 API files to use centralized Database helper - Add optimistic locking to ticket updates to prevent concurrent conflicts - Add caching to StatsModel (60s TTL) for dashboard performance - Add health check endpoint (api/health.php) for monitoring - Improve rate limit cleanup with cron script and efficient DirectoryIterator - Enable rate limit response headers (X-RateLimit-*) - Add audit logging for workflow transitions - Log Discord webhook failures instead of silencing - Fix visibility check on export_tickets.php - Add database migration system with performance indexes - Fix cron recurring tickets to use assignTicket method Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-30 14:39:13 -05:00			`require_once dirname(__DIR__) . '/helpers/Database.php';`
feat: Comment edit/delete, auto-link URLs, markdown tables, mobile fixes - Add comment edit/delete functionality (owner or admin can modify) - Add edit/delete buttons to comments in TicketView - Create update_comment.php and delete_comment.php API endpoints - Add updateComment() and deleteComment() methods to CommentModel - Show "(edited)" indicator on modified comments - Add migration script for updated_at column - Auto-link URLs in plain text comments (non-markdown) - Add markdown table support with proper HTML rendering - Preserve code blocks during markdown parsing - Fix mobile UI elements showing on desktop (add display:none defaults) - Add mobile styles for CreateTicketView form elements - Stack status-priority-row on mobile devices - Update cache busters to v20260124e - Update Claude.md and README.md documentation Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-24 16:59:29 -05:00			`require_once dirname(__DIR__) . '/models/CommentModel.php';`
Audit fixes: security, dead code removal, API consolidation, JS dedup Security: - Fix IDOR in delete/update comment (add ticket visibility check) - XSS defense-in-depth in DashboardView active filters - Replace innerHTML with DOM construction in toast.js - Remove redundant real_escape_string in check_duplicates - Add rate limiting to get_template, download_attachment, audit_log, saved_filters, user_preferences endpoints Bug fixes: - Session timeout now reads from config instead of hardcoded 18000 - TicketController uses $GLOBALS['config'] instead of duplicate .env parsing - Add DISCORD_WEBHOOK_URL to centralized config - Cleanup script uses hashmap for O(1) ticket ID lookups Dead code removal (~100 lines): - Remove dead getTicketComments() from TicketModel (wrong bind_param type) - Remove dead getCategories()/getTypes() from DashboardController - Remove ~80 lines dead Discord webhook code from update_ticket API Consolidation: - Create api/bootstrap.php for shared API setup (auth, CSRF, rate limit) - Convert 6 API endpoints to use bootstrap - Extract escapeHtml/getTicketIdFromUrl into shared utils.js - Batch save for user preferences (1 request instead of 7) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-11 14:50:06 -05:00			`require_once dirname(__DIR__) . '/models/TicketModel.php';`
feat: Comment edit/delete, auto-link URLs, markdown tables, mobile fixes - Add comment edit/delete functionality (owner or admin can modify) - Add edit/delete buttons to comments in TicketView - Create update_comment.php and delete_comment.php API endpoints - Add updateComment() and deleteComment() methods to CommentModel - Show "(edited)" indicator on modified comments - Add migration script for updated_at column - Auto-link URLs in plain text comments (non-markdown) - Add markdown table support with proper HTML rendering - Preserve code blocks during markdown parsing - Fix mobile UI elements showing on desktop (add display:none defaults) - Add mobile styles for CreateTicketView form elements - Stack status-priority-row on mobile devices - Update cache busters to v20260124e - Update Claude.md and README.md documentation Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-24 16:59:29 -05:00			`require_once dirname(__DIR__) . '/models/AuditLogModel.php';`

			`// Check authentication via session`
Integrate web_template design system and fix security/quality issues Security fixes: - Add HTTP method validation to delete_comment.php (block CSRF via GET) - Remove $_GET fallback in comment deletion (was CSRF bypass vector) - Guard session_start() with session_status() check across API files - Escape json_encode() data attributes with htmlspecialchars in views - Escape inline APP_TIMEZONE config values in DashboardView/TicketView - Validate timezone param against DateTimeZone::listIdentifiers() in index.php - Remove Database::escape() (was using real_escape_string, not safe) - Fix AttachmentModel hardcoded connection; inject via constructor Backend fixes: - Fix CommentModel bind_param type for ticket_id (s→i) - Fix buildCommentThread orphan parent guard - Fix StatsModel JOIN→LEFT JOIN so unassigned tickets aren't excluded - Add ticket ID validation in BulkOperationsModel before implode() - Add duplicate key retry in TicketModel::createTicket() for race conditions - Wrap SavedFiltersModel default filter changes in transactions - Add null result guards in WorkflowModel query methods Frontend JS: - Rewrite toast.js as lt.toast shim (base.js dependency) - Delegate escapeHtml() to lt.escHtml() - Rewrite keyboard-shortcuts.js using lt.keys.on() - Migrate settings.js to lt.api.* and lt.modal.open/close() - Migrate advanced-search.js to lt.api.* and lt.modal.open/close() - Migrate dashboard.js fetch calls to lt.api.*; update all dynamic modals (bulk ops, quick actions, confirm/input) to lt-modal structure - Migrate ticket.js fetchMentionUsers to lt.api.get() - Remove console.log/error/warn calls from JS files Views: - Add /web_template/base.css and base.js to all 10 view files - Call lt.keys.initDefaults() in DashboardView, TicketView, admin views - Migrate all modal HTML from settings-modal/settings-content to lt-modal-overlay/lt-modal/lt-modal-header/lt-modal-body/lt-modal-footer - Replace style="display:none" with aria-hidden="true" on all modals - Replace modal open/close style.display with lt.modal.open/close() - Update modal buttons to lt-btn lt-btn-primary/lt-btn-ghost classes - Remove manual ESC keydown handlers (replaced by lt.keys.initDefaults) - Fix unescaped timezone values in TicketView inline script Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-03-17 23:22:24 -04:00			`if (session_status() === PHP_SESSION_NONE) {`
			`session_start();`
			`}`
feat: Comment edit/delete, auto-link URLs, markdown tables, mobile fixes - Add comment edit/delete functionality (owner or admin can modify) - Add edit/delete buttons to comments in TicketView - Create update_comment.php and delete_comment.php API endpoints - Add updateComment() and deleteComment() methods to CommentModel - Show "(edited)" indicator on modified comments - Add migration script for updated_at column - Auto-link URLs in plain text comments (non-markdown) - Add markdown table support with proper HTML rendering - Preserve code blocks during markdown parsing - Fix mobile UI elements showing on desktop (add display:none defaults) - Add mobile styles for CreateTicketView form elements - Stack status-priority-row on mobile devices - Update cache busters to v20260124e - Update Claude.md and README.md documentation Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-24 16:59:29 -05:00			`if (!isset($_SESSION['user']) \|\| !isset($_SESSION['user']['user_id'])) {`
			`throw new Exception("Authentication required");`
			`}`

			`// CSRF Protection`
			`require_once dirname(__DIR__) . '/middleware/CsrfMiddleware.php';`
			`if ($_SERVER['REQUEST_METHOD'] === 'POST' \|\| $_SERVER['REQUEST_METHOD'] === 'PUT') {`
			`$csrfToken = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';`
			`if (!CsrfMiddleware::validateToken($csrfToken)) {`
			`http_response_code(403);`
			`header('Content-Type: application/json');`
			`echo json_encode(['success' => false, 'error' => 'Invalid CSRF token']);`
			`exit;`
			`}`
			`}`

			`$currentUser = $_SESSION['user'];`
			`$userId = $currentUser['user_id'];`
			`$isAdmin = $currentUser['is_admin'] ?? false;`

Add performance, security, and reliability improvements - Consolidate all 20 API files to use centralized Database helper - Add optimistic locking to ticket updates to prevent concurrent conflicts - Add caching to StatsModel (60s TTL) for dashboard performance - Add health check endpoint (api/health.php) for monitoring - Improve rate limit cleanup with cron script and efficient DirectoryIterator - Enable rate limit response headers (X-RateLimit-*) - Add audit logging for workflow transitions - Log Discord webhook failures instead of silencing - Fix visibility check on export_tickets.php - Add database migration system with performance indexes - Fix cron recurring tickets to use assignTicket method Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-30 14:39:13 -05:00			`// Use centralized database connection`
			`$conn = Database::getConnection();`
feat: Comment edit/delete, auto-link URLs, markdown tables, mobile fixes - Add comment edit/delete functionality (owner or admin can modify) - Add edit/delete buttons to comments in TicketView - Create update_comment.php and delete_comment.php API endpoints - Add updateComment() and deleteComment() methods to CommentModel - Show "(edited)" indicator on modified comments - Add migration script for updated_at column - Auto-link URLs in plain text comments (non-markdown) - Add markdown table support with proper HTML rendering - Preserve code blocks during markdown parsing - Fix mobile UI elements showing on desktop (add display:none defaults) - Add mobile styles for CreateTicketView form elements - Stack status-priority-row on mobile devices - Update cache busters to v20260124e - Update Claude.md and README.md documentation Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-24 16:59:29 -05:00
			`// Get POST/PUT data`
			`$data = json_decode(file_get_contents('php://input'), true);`

			`if (!$data \|\| !isset($data['comment_id']) \|\| !isset($data['comment_text'])) {`
			`throw new Exception("Missing required fields: comment_id, comment_text");`
			`}`

			`$commentId = (int)$data['comment_id'];`
			`$commentText = trim($data['comment_text']);`
			`$markdownEnabled = isset($data['markdown_enabled']) && $data['markdown_enabled'];`

			`if (empty($commentText)) {`
			`throw new Exception("Comment text cannot be empty");`
			`}`

			`// Initialize models`
			`$commentModel = new CommentModel($conn);`
			`$auditLog = new AuditLogModel($conn);`

Audit fixes: security, dead code removal, API consolidation, JS dedup Security: - Fix IDOR in delete/update comment (add ticket visibility check) - XSS defense-in-depth in DashboardView active filters - Replace innerHTML with DOM construction in toast.js - Remove redundant real_escape_string in check_duplicates - Add rate limiting to get_template, download_attachment, audit_log, saved_filters, user_preferences endpoints Bug fixes: - Session timeout now reads from config instead of hardcoded 18000 - TicketController uses $GLOBALS['config'] instead of duplicate .env parsing - Add DISCORD_WEBHOOK_URL to centralized config - Cleanup script uses hashmap for O(1) ticket ID lookups Dead code removal (~100 lines): - Remove dead getTicketComments() from TicketModel (wrong bind_param type) - Remove dead getCategories()/getTypes() from DashboardController - Remove ~80 lines dead Discord webhook code from update_ticket API Consolidation: - Create api/bootstrap.php for shared API setup (auth, CSRF, rate limit) - Convert 6 API endpoints to use bootstrap - Extract escapeHtml/getTicketIdFromUrl into shared utils.js - Batch save for user preferences (1 request instead of 7) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-11 14:50:06 -05:00			`// Verify user can access the parent ticket`
			`$comment = $commentModel->getCommentById($commentId);`
			`if ($comment) {`
			`$ticketModel = new TicketModel($conn);`
			`$ticket = $ticketModel->getTicketById($comment['ticket_id']);`
			`if (!$ticket \|\| !$ticketModel->canUserAccessTicket($ticket, $currentUser)) {`
			`ob_end_clean();`
			`http_response_code(403);`
			`header('Content-Type: application/json');`
			`echo json_encode(['success' => false, 'error' => 'Access denied']);`
			`exit;`
			`}`
			`}`

feat: Comment edit/delete, auto-link URLs, markdown tables, mobile fixes - Add comment edit/delete functionality (owner or admin can modify) - Add edit/delete buttons to comments in TicketView - Create update_comment.php and delete_comment.php API endpoints - Add updateComment() and deleteComment() methods to CommentModel - Show "(edited)" indicator on modified comments - Add migration script for updated_at column - Auto-link URLs in plain text comments (non-markdown) - Add markdown table support with proper HTML rendering - Preserve code blocks during markdown parsing - Fix mobile UI elements showing on desktop (add display:none defaults) - Add mobile styles for CreateTicketView form elements - Stack status-priority-row on mobile devices - Update cache busters to v20260124e - Update Claude.md and README.md documentation Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-24 16:59:29 -05:00			`// Update comment`
			`$result = $commentModel->updateComment($commentId, $commentText, $markdownEnabled, $userId, $isAdmin);`

			`// Log the update if successful`
			`if ($result['success']) {`
			`$auditLog->log(`
			`$userId,`
			`'update',`
			`'comment',`
			`(string)$commentId,`
			`['comment_text_preview' => substr($commentText, 0, 100)]`
			`);`
			`}`

			`// Discard any unexpected output`
			`ob_end_clean();`

			`header('Content-Type: application/json');`
			`echo json_encode($result);`

			`} catch (Exception $e) {`
			`ob_end_clean();`
Fix error message disclosure in API endpoints Replace exception getMessage() exposure with generic error messages to prevent internal information disclosure. Errors are now logged with full details while clients receive sanitized responses. Affected endpoints: - add_comment, update_comment, delete_comment - update_ticket, export_tickets - generate_api_key, revoke_api_key - manage_templates, manage_workflows, manage_recurring - custom_fields, get_users Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-30 18:56:29 -05:00			`error_log("Update comment API error: " . $e->getMessage());`
feat: Comment edit/delete, auto-link URLs, markdown tables, mobile fixes - Add comment edit/delete functionality (owner or admin can modify) - Add edit/delete buttons to comments in TicketView - Create update_comment.php and delete_comment.php API endpoints - Add updateComment() and deleteComment() methods to CommentModel - Show "(edited)" indicator on modified comments - Add migration script for updated_at column - Auto-link URLs in plain text comments (non-markdown) - Add markdown table support with proper HTML rendering - Preserve code blocks during markdown parsing - Fix mobile UI elements showing on desktop (add display:none defaults) - Add mobile styles for CreateTicketView form elements - Stack status-priority-row on mobile devices - Update cache busters to v20260124e - Update Claude.md and README.md documentation Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-24 16:59:29 -05:00			`header('Content-Type: application/json');`
			`echo json_encode([`
			`'success' => false,`
Fix error message disclosure in API endpoints Replace exception getMessage() exposure with generic error messages to prevent internal information disclosure. Errors are now logged with full details while clients receive sanitized responses. Affected endpoints: - add_comment, update_comment, delete_comment - update_ticket, export_tickets - generate_api_key, revoke_api_key - manage_templates, manage_workflows, manage_recurring - custom_fields, get_users Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-30 18:56:29 -05:00			`'error' => 'An internal error occurred'`
feat: Comment edit/delete, auto-link URLs, markdown tables, mobile fixes - Add comment edit/delete functionality (owner or admin can modify) - Add edit/delete buttons to comments in TicketView - Create update_comment.php and delete_comment.php API endpoints - Add updateComment() and deleteComment() methods to CommentModel - Show "(edited)" indicator on modified comments - Add migration script for updated_at column - Auto-link URLs in plain text comments (non-markdown) - Add markdown table support with proper HTML rendering - Preserve code blocks during markdown parsing - Fix mobile UI elements showing on desktop (add display:none defaults) - Add mobile styles for CreateTicketView form elements - Stack status-priority-row on mobile devices - Update cache busters to v20260124e - Update Claude.md and README.md documentation Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-24 16:59:29 -05:00			`]);`
			`}`