api/custom_fields.php

<?php
/**
 * Custom Fields Management API
 * CRUD operations for custom field definitions
 */

ini_set('display_errors', 0);
error_reporting(E_ALL);

require_once dirname(__DIR__) . '/middleware/RateLimitMiddleware.php';
RateLimitMiddleware::apply('api');

try {
    require_once dirname(__DIR__) . '/config/config.php';
    require_once dirname(__DIR__) . '/helpers/Database.php';
    require_once dirname(__DIR__) . '/models/CustomFieldModel.php';

    // Check authentication
    if (session_status() === PHP_SESSION_NONE) session_start();
    if (!isset($_SESSION['user']) || !isset($_SESSION['user']['user_id'])) {
        http_response_code(401);
        echo json_encode(['success' => false, 'error' => 'Authentication required']);
        exit;
    }

    // Check admin privileges for write operations
    if ($_SERVER['REQUEST_METHOD'] !== 'GET' && !$_SESSION['user']['is_admin']) {
        http_response_code(403);
        echo json_encode(['success' => false, 'error' => 'Admin privileges required']);
        exit;
    }

    // CSRF Protection for write operations
    if ($_SERVER['REQUEST_METHOD'] !== 'GET') {
        require_once dirname(__DIR__) . '/middleware/CsrfMiddleware.php';
        $csrfToken = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
        if (!CsrfMiddleware::validateToken($csrfToken)) {
            http_response_code(403);
            echo json_encode(['success' => false, 'error' => 'Invalid CSRF token']);
            exit;
        }
    }

    // Use centralized database connection
    $conn = Database::getConnection();

    header('Content-Type: application/json');

    $model = new CustomFieldModel($conn);
    $method = $_SERVER['REQUEST_METHOD'];
    $id = isset($_GET['id']) ? (int)$_GET['id'] : null;
    $category = isset($_GET['category']) ? $_GET['category'] : null;

    switch ($method) {
        case 'GET':
            if ($id) {
                $field = $model->getDefinition($id);
                echo json_encode(['success' => (bool)$field, 'field' => $field]);
            } else {
                // Get all definitions, optionally filtered by category
                $activeOnly = !isset($_GET['include_inactive']);
                $fields = $model->getAllDefinitions($category, $activeOnly);
                echo json_encode(['success' => true, 'fields' => $fields]);
            }
            break;

        case 'POST':
            $data = json_decode(file_get_contents('php://input'), true);
            if (!is_array($data)) {
                http_response_code(400);
                echo json_encode(['success' => false, 'error' => 'Invalid JSON']);
                exit;
            }
            $result = $model->createDefinition($data);
            echo json_encode($result);
            break;

        case 'PUT':
            if (!$id) {
                http_response_code(400);
                echo json_encode(['success' => false, 'error' => 'ID required']);
                exit;
            }

            $data = json_decode(file_get_contents('php://input'), true);
            if (!is_array($data)) {
                http_response_code(400);
                echo json_encode(['success' => false, 'error' => 'Invalid JSON']);
                exit;
            }
            $result = $model->updateDefinition($id, $data);
            echo json_encode($result);
            break;

        case 'DELETE':
            if (!$id) {
                http_response_code(400);
                echo json_encode(['success' => false, 'error' => 'ID required']);
                exit;
            }

            $result = $model->deleteDefinition($id);
            echo json_encode($result);
            break;

        default:
            http_response_code(405);
            echo json_encode(['success' => false, 'error' => 'Method not allowed']);
    }

} catch (Exception $e) {
    error_log("Custom fields API error: " . $e->getMessage());
    http_response_code(500);
    echo json_encode(['success' => false, 'error' => 'An internal error occurred']);
}
Implement comprehensive improvement plan (Phases 1-6) 2026-01-20 09:55:01 -05:00			`<?php`
			`/**`
			`* Custom Fields Management API`
			`* CRUD operations for custom field definitions`
			`*/`

			`ini_set('display_errors', 0);`
			`error_reporting(E_ALL);`

			`require_once dirname(__DIR__) . '/middleware/RateLimitMiddleware.php';`
			`RateLimitMiddleware::apply('api');`

			`try {`
			`require_once dirname(__DIR__) . '/config/config.php';`
Add performance, security, and reliability improvements 2026-01-30 14:39:13 -05:00			`require_once dirname(__DIR__) . '/helpers/Database.php';`
Implement comprehensive improvement plan (Phases 1-6) 2026-01-20 09:55:01 -05:00			`require_once dirname(__DIR__) . '/models/CustomFieldModel.php';`

			`// Check authentication`
Fix session_start guards, add missing API routes, rewrite README 2026-04-05 17:52:07 -04:00			`if (session_status() === PHP_SESSION_NONE) session_start();`
Implement comprehensive improvement plan (Phases 1-6) 2026-01-20 09:55:01 -05:00			`if (!isset($_SESSION['user']) \|\| !isset($_SESSION['user']['user_id'])) {`
			`http_response_code(401);`
			`echo json_encode(['success' => false, 'error' => 'Authentication required']);`
			`exit;`
			`}`

			`// Check admin privileges for write operations`
			`if ($_SERVER['REQUEST_METHOD'] !== 'GET' && !$_SESSION['user']['is_admin']) {`
			`http_response_code(403);`
			`echo json_encode(['success' => false, 'error' => 'Admin privileges required']);`
			`exit;`
			`}`

			`// CSRF Protection for write operations`
			`if ($_SERVER['REQUEST_METHOD'] !== 'GET') {`
			`require_once dirname(__DIR__) . '/middleware/CsrfMiddleware.php';`
			`$csrfToken = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';`
			`if (!CsrfMiddleware::validateToken($csrfToken)) {`
			`http_response_code(403);`
			`echo json_encode(['success' => false, 'error' => 'Invalid CSRF token']);`
			`exit;`
			`}`
			`}`

Add performance, security, and reliability improvements 2026-01-30 14:39:13 -05:00			`// Use centralized database connection`
			`$conn = Database::getConnection();`
Implement comprehensive improvement plan (Phases 1-6) 2026-01-20 09:55:01 -05:00
			`header('Content-Type: application/json');`

			`$model = new CustomFieldModel($conn);`
			`$method = $_SERVER['REQUEST_METHOD'];`
			`$id = isset($_GET['id']) ? (int)$_GET['id'] : null;`
			`$category = isset($_GET['category']) ? $_GET['category'] : null;`

			`switch ($method) {`
			`case 'GET':`
			`if ($id) {`
			`$field = $model->getDefinition($id);`
			`echo json_encode(['success' => (bool)$field, 'field' => $field]);`
			`} else {`
			`// Get all definitions, optionally filtered by category`
			`$activeOnly = !isset($_GET['include_inactive']);`
			`$fields = $model->getAllDefinitions($category, $activeOnly);`
			`echo json_encode(['success' => true, 'fields' => $fields]);`
			`}`
			`break;`

			`case 'POST':`
			`$data = json_decode(file_get_contents('php://input'), true);`
Security: add authorization checks to ticket_dependencies API 2026-03-29 18:26:01 -04:00			`if (!is_array($data)) {`
			`http_response_code(400);`
			`echo json_encode(['success' => false, 'error' => 'Invalid JSON']);`
			`exit;`
			`}`
Implement comprehensive improvement plan (Phases 1-6) 2026-01-20 09:55:01 -05:00			`$result = $model->createDefinition($data);`
			`echo json_encode($result);`
			`break;`

			`case 'PUT':`
			`if (!$id) {`
Security: add authorization checks to ticket_dependencies API 2026-03-29 18:26:01 -04:00			`http_response_code(400);`
Implement comprehensive improvement plan (Phases 1-6) 2026-01-20 09:55:01 -05:00			`echo json_encode(['success' => false, 'error' => 'ID required']);`
			`exit;`
			`}`

			`$data = json_decode(file_get_contents('php://input'), true);`
Security: add authorization checks to ticket_dependencies API 2026-03-29 18:26:01 -04:00			`if (!is_array($data)) {`
			`http_response_code(400);`
			`echo json_encode(['success' => false, 'error' => 'Invalid JSON']);`
			`exit;`
			`}`
Implement comprehensive improvement plan (Phases 1-6) 2026-01-20 09:55:01 -05:00			`$result = $model->updateDefinition($id, $data);`
			`echo json_encode($result);`
			`break;`

			`case 'DELETE':`
			`if (!$id) {`
Security: add authorization checks to ticket_dependencies API 2026-03-29 18:26:01 -04:00			`http_response_code(400);`
Implement comprehensive improvement plan (Phases 1-6) 2026-01-20 09:55:01 -05:00			`echo json_encode(['success' => false, 'error' => 'ID required']);`
			`exit;`
			`}`

			`$result = $model->deleteDefinition($id);`
			`echo json_encode($result);`
			`break;`

			`default:`
			`http_response_code(405);`
			`echo json_encode(['success' => false, 'error' => 'Method not allowed']);`
			`}`

			`} catch (Exception $e) {`
Fix error message disclosure in API endpoints 2026-01-30 18:56:29 -05:00			`error_log("Custom fields API error: " . $e->getMessage());`
Implement comprehensive improvement plan (Phases 1-6) 2026-01-20 09:55:01 -05:00			`http_response_code(500);`
Fix error message disclosure in API endpoints 2026-01-30 18:56:29 -05:00			`echo json_encode(['success' => false, 'error' => 'An internal error occurred']);`
Implement comprehensive improvement plan (Phases 1-6) 2026-01-20 09:55:01 -05:00			`}`