api/custom_fields.php

<?php
/**
 * Custom Fields Management API
 * CRUD operations for custom field definitions
 */

ini_set('display_errors', 0);
error_reporting(E_ALL);

require_once dirname(__DIR__) . '/middleware/RateLimitMiddleware.php';
RateLimitMiddleware::apply('api');

try {
    require_once dirname(__DIR__) . '/config/config.php';
    require_once dirname(__DIR__) . '/models/CustomFieldModel.php';

    // Check authentication
    session_start();
    if (!isset($_SESSION['user']) || !isset($_SESSION['user']['user_id'])) {
        http_response_code(401);
        echo json_encode(['success' => false, 'error' => 'Authentication required']);
        exit;
    }

    // Check admin privileges for write operations
    if ($_SERVER['REQUEST_METHOD'] !== 'GET' && !$_SESSION['user']['is_admin']) {
        http_response_code(403);
        echo json_encode(['success' => false, 'error' => 'Admin privileges required']);
        exit;
    }

    // CSRF Protection for write operations
    if ($_SERVER['REQUEST_METHOD'] !== 'GET') {
        require_once dirname(__DIR__) . '/middleware/CsrfMiddleware.php';
        $csrfToken = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
        if (!CsrfMiddleware::validateToken($csrfToken)) {
            http_response_code(403);
            echo json_encode(['success' => false, 'error' => 'Invalid CSRF token']);
            exit;
        }
    }

    $conn = new mysqli(
        $GLOBALS['config']['DB_HOST'],
        $GLOBALS['config']['DB_USER'],
        $GLOBALS['config']['DB_PASS'],
        $GLOBALS['config']['DB_NAME']
    );

    if ($conn->connect_error) {
        throw new Exception("Database connection failed");
    }

    header('Content-Type: application/json');

    $model = new CustomFieldModel($conn);
    $method = $_SERVER['REQUEST_METHOD'];
    $id = isset($_GET['id']) ? (int)$_GET['id'] : null;
    $category = isset($_GET['category']) ? $_GET['category'] : null;

    switch ($method) {
        case 'GET':
            if ($id) {
                $field = $model->getDefinition($id);
                echo json_encode(['success' => (bool)$field, 'field' => $field]);
            } else {
                // Get all definitions, optionally filtered by category
                $activeOnly = !isset($_GET['include_inactive']);
                $fields = $model->getAllDefinitions($category, $activeOnly);
                echo json_encode(['success' => true, 'fields' => $fields]);
            }
            break;

        case 'POST':
            $data = json_decode(file_get_contents('php://input'), true);
            $result = $model->createDefinition($data);
            echo json_encode($result);
            break;

        case 'PUT':
            if (!$id) {
                echo json_encode(['success' => false, 'error' => 'ID required']);
                exit;
            }

            $data = json_decode(file_get_contents('php://input'), true);
            $result = $model->updateDefinition($id, $data);
            echo json_encode($result);
            break;

        case 'DELETE':
            if (!$id) {
                echo json_encode(['success' => false, 'error' => 'ID required']);
                exit;
            }

            $result = $model->deleteDefinition($id);
            echo json_encode($result);
            break;

        default:
            http_response_code(405);
            echo json_encode(['success' => false, 'error' => 'Method not allowed']);
    }

    $conn->close();

} catch (Exception $e) {
    http_response_code(500);
    echo json_encode(['success' => false, 'error' => $e->getMessage()]);
}
Implement comprehensive improvement plan (Phases 1-6) Security (Phase 1-2): - Add SecurityHeadersMiddleware with CSP, X-Frame-Options, etc. - Add RateLimitMiddleware for API rate limiting - Add security event logging to AuditLogModel - Add ResponseHelper for standardized API responses - Update config.php with security constants Database (Phase 3): - Add migration 014 for additional indexes - Add migration 015 for ticket dependencies - Add migration 016 for ticket attachments - Add migration 017 for recurring tickets - Add migration 018 for custom fields Features (Phase 4-5): - Add ticket dependencies with DependencyModel and API - Add duplicate detection with check_duplicates API - Add file attachments with AttachmentModel and upload/download APIs - Add @mentions with autocomplete and highlighting - Add quick actions on dashboard rows Collaboration (Phase 5): - Add mention extraction in CommentModel - Add mention autocomplete dropdown in ticket.js - Add mention highlighting CSS styles Admin & Export (Phase 6): - Add StatsModel for dashboard widgets - Add dashboard stats cards (open, critical, unassigned, etc.) - Add CSV/JSON export via export_tickets API - Add rich text editor toolbar in markdown.js - Add RecurringTicketModel with cron job - Add CustomFieldModel for per-category fields - Add admin views: RecurringTickets, CustomFields, Workflow, Templates, AuditLog, UserActivity - Add admin APIs: manage_workflows, manage_templates, manage_recurring, custom_fields, get_users - Add admin routes in index.php Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-20 09:55:01 -05:00			`<?php`
			`/**`
			`* Custom Fields Management API`
			`* CRUD operations for custom field definitions`
			`*/`

			`ini_set('display_errors', 0);`
			`error_reporting(E_ALL);`

			`require_once dirname(__DIR__) . '/middleware/RateLimitMiddleware.php';`
			`RateLimitMiddleware::apply('api');`

			`try {`
			`require_once dirname(__DIR__) . '/config/config.php';`
			`require_once dirname(__DIR__) . '/models/CustomFieldModel.php';`

			`// Check authentication`
			`session_start();`
			`if (!isset($_SESSION['user']) \|\| !isset($_SESSION['user']['user_id'])) {`
			`http_response_code(401);`
			`echo json_encode(['success' => false, 'error' => 'Authentication required']);`
			`exit;`
			`}`

			`// Check admin privileges for write operations`
			`if ($_SERVER['REQUEST_METHOD'] !== 'GET' && !$_SESSION['user']['is_admin']) {`
			`http_response_code(403);`
			`echo json_encode(['success' => false, 'error' => 'Admin privileges required']);`
			`exit;`
			`}`

			`// CSRF Protection for write operations`
			`if ($_SERVER['REQUEST_METHOD'] !== 'GET') {`
			`require_once dirname(__DIR__) . '/middleware/CsrfMiddleware.php';`
			`$csrfToken = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';`
			`if (!CsrfMiddleware::validateToken($csrfToken)) {`
			`http_response_code(403);`
			`echo json_encode(['success' => false, 'error' => 'Invalid CSRF token']);`
			`exit;`
			`}`
			`}`

			`$conn = new mysqli(`
			`$GLOBALS['config']['DB_HOST'],`
			`$GLOBALS['config']['DB_USER'],`
			`$GLOBALS['config']['DB_PASS'],`
			`$GLOBALS['config']['DB_NAME']`
			`);`

			`if ($conn->connect_error) {`
			`throw new Exception("Database connection failed");`
			`}`

			`header('Content-Type: application/json');`

			`$model = new CustomFieldModel($conn);`
			`$method = $_SERVER['REQUEST_METHOD'];`
			`$id = isset($_GET['id']) ? (int)$_GET['id'] : null;`
			`$category = isset($_GET['category']) ? $_GET['category'] : null;`

			`switch ($method) {`
			`case 'GET':`
			`if ($id) {`
			`$field = $model->getDefinition($id);`
			`echo json_encode(['success' => (bool)$field, 'field' => $field]);`
			`} else {`
			`// Get all definitions, optionally filtered by category`
			`$activeOnly = !isset($_GET['include_inactive']);`
			`$fields = $model->getAllDefinitions($category, $activeOnly);`
			`echo json_encode(['success' => true, 'fields' => $fields]);`
			`}`
			`break;`

			`case 'POST':`
			`$data = json_decode(file_get_contents('php://input'), true);`
			`$result = $model->createDefinition($data);`
			`echo json_encode($result);`
			`break;`

			`case 'PUT':`
			`if (!$id) {`
			`echo json_encode(['success' => false, 'error' => 'ID required']);`
			`exit;`
			`}`

			`$data = json_decode(file_get_contents('php://input'), true);`
			`$result = $model->updateDefinition($id, $data);`
			`echo json_encode($result);`
			`break;`

			`case 'DELETE':`
			`if (!$id) {`
			`echo json_encode(['success' => false, 'error' => 'ID required']);`
			`exit;`
			`}`

			`$result = $model->deleteDefinition($id);`
			`echo json_encode($result);`
			`break;`

			`default:`
			`http_response_code(405);`
			`echo json_encode(['success' => false, 'error' => 'Method not allowed']);`
			`}`

			`$conn->close();`

			`} catch (Exception $e) {`
			`http_response_code(500);`
			`echo json_encode(['success' => false, 'error' => $e->getMessage()]);`
			`}`