api/download_attachment.php

<?php
/**
 * Download Attachment API
 *
 * Serves file downloads for ticket attachments
 */

session_start();
require_once dirname(__DIR__) . '/config/config.php';
require_once dirname(__DIR__) . '/models/AttachmentModel.php';

// Check authentication
if (!isset($_SESSION['user']) || !isset($_SESSION['user']['user_id'])) {
    http_response_code(401);
    header('Content-Type: application/json');
    echo json_encode(['success' => false, 'error' => 'Authentication required']);
    exit;
}

// Get attachment ID
$attachmentId = $_GET['id'] ?? null;
if (!$attachmentId || !is_numeric($attachmentId)) {
    http_response_code(400);
    header('Content-Type: application/json');
    echo json_encode(['success' => false, 'error' => 'Valid attachment ID is required']);
    exit;
}

$attachmentId = (int)$attachmentId;

try {
    $attachmentModel = new AttachmentModel();

    // Get attachment details
    $attachment = $attachmentModel->getAttachment($attachmentId);
    if (!$attachment) {
        http_response_code(404);
        header('Content-Type: application/json');
        echo json_encode(['success' => false, 'error' => 'Attachment not found']);
        exit;
    }

    // Build file path
    $uploadDir = $GLOBALS['config']['UPLOAD_DIR'] ?? dirname(__DIR__) . '/uploads';
    $filePath = $uploadDir . '/' . $attachment['ticket_id'] . '/' . $attachment['filename'];

    // Check if file exists
    if (!file_exists($filePath)) {
        http_response_code(404);
        header('Content-Type: application/json');
        echo json_encode(['success' => false, 'error' => 'File not found on server']);
        exit;
    }

    // Determine if we should display inline or force download
    $inline = isset($_GET['inline']) && $_GET['inline'] === '1';
    $inlineTypes = ['image/jpeg', 'image/png', 'image/gif', 'image/webp', 'application/pdf', 'text/plain'];

    // Set headers
    $disposition = ($inline && in_array($attachment['mime_type'], $inlineTypes)) ? 'inline' : 'attachment';

    // Sanitize filename for Content-Disposition
    $safeFilename = preg_replace('/[^\w\s\-\.]/', '_', $attachment['original_filename']);

    header('Content-Type: ' . $attachment['mime_type']);
    header('Content-Disposition: ' . $disposition . '; filename="' . $safeFilename . '"');
    header('Content-Length: ' . $attachment['file_size']);
    header('Cache-Control: private, max-age=3600');
    header('X-Content-Type-Options: nosniff');

    // Prevent PHP from timing out on large files
    set_time_limit(0);

    // Clear output buffer
    if (ob_get_level()) {
        ob_end_clean();
    }

    // Stream file
    $handle = fopen($filePath, 'rb');
    if ($handle === false) {
        http_response_code(500);
        header('Content-Type: application/json');
        echo json_encode(['success' => false, 'error' => 'Failed to open file']);
        exit;
    }

    while (!feof($handle)) {
        echo fread($handle, 8192);
        flush();
    }

    fclose($handle);
    exit;

} catch (Exception $e) {
    http_response_code(500);
    header('Content-Type: application/json');
    echo json_encode(['success' => false, 'error' => 'Failed to download attachment']);
    exit;
}
Implement comprehensive improvement plan (Phases 1-6) Security (Phase 1-2): - Add SecurityHeadersMiddleware with CSP, X-Frame-Options, etc. - Add RateLimitMiddleware for API rate limiting - Add security event logging to AuditLogModel - Add ResponseHelper for standardized API responses - Update config.php with security constants Database (Phase 3): - Add migration 014 for additional indexes - Add migration 015 for ticket dependencies - Add migration 016 for ticket attachments - Add migration 017 for recurring tickets - Add migration 018 for custom fields Features (Phase 4-5): - Add ticket dependencies with DependencyModel and API - Add duplicate detection with check_duplicates API - Add file attachments with AttachmentModel and upload/download APIs - Add @mentions with autocomplete and highlighting - Add quick actions on dashboard rows Collaboration (Phase 5): - Add mention extraction in CommentModel - Add mention autocomplete dropdown in ticket.js - Add mention highlighting CSS styles Admin & Export (Phase 6): - Add StatsModel for dashboard widgets - Add dashboard stats cards (open, critical, unassigned, etc.) - Add CSV/JSON export via export_tickets API - Add rich text editor toolbar in markdown.js - Add RecurringTicketModel with cron job - Add CustomFieldModel for per-category fields - Add admin views: RecurringTickets, CustomFields, Workflow, Templates, AuditLog, UserActivity - Add admin APIs: manage_workflows, manage_templates, manage_recurring, custom_fields, get_users - Add admin routes in index.php Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-20 09:55:01 -05:00			`<?php`
			`/**`
			`* Download Attachment API`
			`*`
			`* Serves file downloads for ticket attachments`
			`*/`

			`session_start();`
			`require_once dirname(__DIR__) . '/config/config.php';`
			`require_once dirname(__DIR__) . '/models/AttachmentModel.php';`

			`// Check authentication`
			`if (!isset($_SESSION['user']) \|\| !isset($_SESSION['user']['user_id'])) {`
			`http_response_code(401);`
			`header('Content-Type: application/json');`
			`echo json_encode(['success' => false, 'error' => 'Authentication required']);`
			`exit;`
			`}`

			`// Get attachment ID`
			`$attachmentId = $_GET['id'] ?? null;`
			`if (!$attachmentId \|\| !is_numeric($attachmentId)) {`
			`http_response_code(400);`
			`header('Content-Type: application/json');`
			`echo json_encode(['success' => false, 'error' => 'Valid attachment ID is required']);`
			`exit;`
			`}`

			`$attachmentId = (int)$attachmentId;`

			`try {`
			`$attachmentModel = new AttachmentModel();`

			`// Get attachment details`
			`$attachment = $attachmentModel->getAttachment($attachmentId);`
			`if (!$attachment) {`
			`http_response_code(404);`
			`header('Content-Type: application/json');`
			`echo json_encode(['success' => false, 'error' => 'Attachment not found']);`
			`exit;`
			`}`

			`// Build file path`
			`$uploadDir = $GLOBALS['config']['UPLOAD_DIR'] ?? dirname(__DIR__) . '/uploads';`
			`$filePath = $uploadDir . '/' . $attachment['ticket_id'] . '/' . $attachment['filename'];`

			`// Check if file exists`
			`if (!file_exists($filePath)) {`
			`http_response_code(404);`
			`header('Content-Type: application/json');`
			`echo json_encode(['success' => false, 'error' => 'File not found on server']);`
			`exit;`
			`}`

			`// Determine if we should display inline or force download`
			`$inline = isset($_GET['inline']) && $_GET['inline'] === '1';`
			`$inlineTypes = ['image/jpeg', 'image/png', 'image/gif', 'image/webp', 'application/pdf', 'text/plain'];`

			`// Set headers`
			`$disposition = ($inline && in_array($attachment['mime_type'], $inlineTypes)) ? 'inline' : 'attachment';`

			`// Sanitize filename for Content-Disposition`
			`$safeFilename = preg_replace('/[^\w\s\-\.]/', '_', $attachment['original_filename']);`

			`header('Content-Type: ' . $attachment['mime_type']);`
			`header('Content-Disposition: ' . $disposition . '; filename="' . $safeFilename . '"');`
			`header('Content-Length: ' . $attachment['file_size']);`
			`header('Cache-Control: private, max-age=3600');`
			`header('X-Content-Type-Options: nosniff');`

			`// Prevent PHP from timing out on large files`
			`set_time_limit(0);`

			`// Clear output buffer`
			`if (ob_get_level()) {`
			`ob_end_clean();`
			`}`

			`// Stream file`
			`$handle = fopen($filePath, 'rb');`
			`if ($handle === false) {`
			`http_response_code(500);`
			`header('Content-Type: application/json');`
			`echo json_encode(['success' => false, 'error' => 'Failed to open file']);`
			`exit;`
			`}`

			`while (!feof($handle)) {`
			`echo fread($handle, 8192);`
			`flush();`
			`}`

			`fclose($handle);`
			`exit;`

			`} catch (Exception $e) {`
			`http_response_code(500);`
			`header('Content-Type: application/json');`
			`echo json_encode(['success' => false, 'error' => 'Failed to download attachment']);`
			`exit;`
			`}`