api/delete_attachment.php

<?php
/**
 * Delete Attachment API
 *
 * Handles deletion of ticket attachments
 */

// Capture errors for debugging
ini_set('display_errors', 0);
error_reporting(E_ALL);

// Apply rate limiting (also starts session)
require_once dirname(__DIR__) . '/middleware/RateLimitMiddleware.php';
RateLimitMiddleware::apply('api');

// Ensure session is started
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

require_once dirname(__DIR__) . '/config/config.php';
require_once dirname(__DIR__) . '/helpers/Database.php';
require_once dirname(__DIR__) . '/helpers/ResponseHelper.php';
require_once dirname(__DIR__) . '/models/AttachmentModel.php';
require_once dirname(__DIR__) . '/models/AuditLogModel.php';
require_once dirname(__DIR__) . '/middleware/CsrfMiddleware.php';

header('Content-Type: application/json');

// Check authentication
if (!isset($_SESSION['user']) || !isset($_SESSION['user']['user_id'])) {
    ResponseHelper::unauthorized();
}

// Only accept DELETE or POST requests
if (!in_array($_SERVER['REQUEST_METHOD'], ['DELETE', 'POST'])) {
    ResponseHelper::error('Method not allowed', 405);
}

// Get request body
$input = json_decode(file_get_contents('php://input'), true);
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $input = array_merge($_POST, $input ?? []);
}

// Verify CSRF token
$csrfToken = $input['csrf_token'] ?? $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
if (!CsrfMiddleware::validateToken($csrfToken)) {
    ResponseHelper::forbidden('Invalid CSRF token');
}

// Get attachment ID
$attachmentId = $input['attachment_id'] ?? null;
if (!$attachmentId || !is_numeric($attachmentId)) {
    ResponseHelper::error('Valid attachment ID is required');
}

$attachmentId = (int)$attachmentId;

try {
    $attachmentModel = new AttachmentModel(Database::getConnection());

    // Get attachment details
    $attachment = $attachmentModel->getAttachment($attachmentId);
    if (!$attachment) {
        ResponseHelper::notFound('Attachment not found');
    }

    // Check permission
    $isAdmin = $_SESSION['user']['is_admin'] ?? false;
    if (!$attachmentModel->canUserDelete($attachmentId, $_SESSION['user']['user_id'], $isAdmin)) {
        ResponseHelper::forbidden('You do not have permission to delete this attachment');
    }

    // Delete the file
    $uploadDir = $GLOBALS['config']['UPLOAD_DIR'] ?? dirname(__DIR__) . '/uploads';
    $filePath = $uploadDir . '/' . $attachment['ticket_id'] . '/' . $attachment['filename'];

    if (file_exists($filePath)) {
        if (!unlink($filePath)) {
            ResponseHelper::serverError('Failed to delete file');
        }
    }

    // Delete from database
    if (!$attachmentModel->deleteAttachment($attachmentId)) {
        ResponseHelper::serverError('Failed to delete attachment record');
    }

    // Log the deletion
    $conn = Database::getConnection();
    $auditLog = new AuditLogModel($conn);
    $auditLog->log(
        $_SESSION['user']['user_id'],
        'attachment_delete',
        'ticket_attachments',
        (string)$attachmentId,
        [
            'ticket_id' => $attachment['ticket_id'],
            'filename' => $attachment['original_filename'],
            'size' => $attachment['file_size']
        ]
    );

    ResponseHelper::success([], 'Attachment deleted successfully');

} catch (Exception $e) {
    ResponseHelper::serverError('Failed to delete attachment');
}
Implement comprehensive improvement plan (Phases 1-6) Security (Phase 1-2): - Add SecurityHeadersMiddleware with CSP, X-Frame-Options, etc. - Add RateLimitMiddleware for API rate limiting - Add security event logging to AuditLogModel - Add ResponseHelper for standardized API responses - Update config.php with security constants Database (Phase 3): - Add migration 014 for additional indexes - Add migration 015 for ticket dependencies - Add migration 016 for ticket attachments - Add migration 017 for recurring tickets - Add migration 018 for custom fields Features (Phase 4-5): - Add ticket dependencies with DependencyModel and API - Add duplicate detection with check_duplicates API - Add file attachments with AttachmentModel and upload/download APIs - Add @mentions with autocomplete and highlighting - Add quick actions on dashboard rows Collaboration (Phase 5): - Add mention extraction in CommentModel - Add mention autocomplete dropdown in ticket.js - Add mention highlighting CSS styles Admin & Export (Phase 6): - Add StatsModel for dashboard widgets - Add dashboard stats cards (open, critical, unassigned, etc.) - Add CSV/JSON export via export_tickets API - Add rich text editor toolbar in markdown.js - Add RecurringTicketModel with cron job - Add CustomFieldModel for per-category fields - Add admin views: RecurringTickets, CustomFields, Workflow, Templates, AuditLog, UserActivity - Add admin APIs: manage_workflows, manage_templates, manage_recurring, custom_fields, get_users - Add admin routes in index.php Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-20 09:55:01 -05:00			`<?php`
			`/**`
			`* Delete Attachment API`
			`*`
			`* Handles deletion of ticket attachments`
			`*/`

fix: Fix delete_attachment.php AuditLogModel calls - Add session status check - Remove broken AuditLogModel call without $conn in CSRF check - Fix AuditLogModel instantiation with proper $conn parameter - Fix log() call to pass array instead of JSON string for details Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-20 17:00:54 -05:00			`// Capture errors for debugging`
			`ini_set('display_errors', 0);`
			`error_reporting(E_ALL);`

			`// Apply rate limiting (also starts session)`
Implement comprehensive improvement plan (Phases 1-6) Security (Phase 1-2): - Add SecurityHeadersMiddleware with CSP, X-Frame-Options, etc. - Add RateLimitMiddleware for API rate limiting - Add security event logging to AuditLogModel - Add ResponseHelper for standardized API responses - Update config.php with security constants Database (Phase 3): - Add migration 014 for additional indexes - Add migration 015 for ticket dependencies - Add migration 016 for ticket attachments - Add migration 017 for recurring tickets - Add migration 018 for custom fields Features (Phase 4-5): - Add ticket dependencies with DependencyModel and API - Add duplicate detection with check_duplicates API - Add file attachments with AttachmentModel and upload/download APIs - Add @mentions with autocomplete and highlighting - Add quick actions on dashboard rows Collaboration (Phase 5): - Add mention extraction in CommentModel - Add mention autocomplete dropdown in ticket.js - Add mention highlighting CSS styles Admin & Export (Phase 6): - Add StatsModel for dashboard widgets - Add dashboard stats cards (open, critical, unassigned, etc.) - Add CSV/JSON export via export_tickets API - Add rich text editor toolbar in markdown.js - Add RecurringTicketModel with cron job - Add CustomFieldModel for per-category fields - Add admin views: RecurringTickets, CustomFields, Workflow, Templates, AuditLog, UserActivity - Add admin APIs: manage_workflows, manage_templates, manage_recurring, custom_fields, get_users - Add admin routes in index.php Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-20 09:55:01 -05:00			`require_once dirname(__DIR__) . '/middleware/RateLimitMiddleware.php';`
			`RateLimitMiddleware::apply('api');`

fix: Fix delete_attachment.php AuditLogModel calls - Add session status check - Remove broken AuditLogModel call without $conn in CSRF check - Fix AuditLogModel instantiation with proper $conn parameter - Fix log() call to pass array instead of JSON string for details Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-20 17:00:54 -05:00			`// Ensure session is started`
			`if (session_status() === PHP_SESSION_NONE) {`
			`session_start();`
			`}`

Implement comprehensive improvement plan (Phases 1-6) Security (Phase 1-2): - Add SecurityHeadersMiddleware with CSP, X-Frame-Options, etc. - Add RateLimitMiddleware for API rate limiting - Add security event logging to AuditLogModel - Add ResponseHelper for standardized API responses - Update config.php with security constants Database (Phase 3): - Add migration 014 for additional indexes - Add migration 015 for ticket dependencies - Add migration 016 for ticket attachments - Add migration 017 for recurring tickets - Add migration 018 for custom fields Features (Phase 4-5): - Add ticket dependencies with DependencyModel and API - Add duplicate detection with check_duplicates API - Add file attachments with AttachmentModel and upload/download APIs - Add @mentions with autocomplete and highlighting - Add quick actions on dashboard rows Collaboration (Phase 5): - Add mention extraction in CommentModel - Add mention autocomplete dropdown in ticket.js - Add mention highlighting CSS styles Admin & Export (Phase 6): - Add StatsModel for dashboard widgets - Add dashboard stats cards (open, critical, unassigned, etc.) - Add CSV/JSON export via export_tickets API - Add rich text editor toolbar in markdown.js - Add RecurringTicketModel with cron job - Add CustomFieldModel for per-category fields - Add admin views: RecurringTickets, CustomFields, Workflow, Templates, AuditLog, UserActivity - Add admin APIs: manage_workflows, manage_templates, manage_recurring, custom_fields, get_users - Add admin routes in index.php Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-20 09:55:01 -05:00			`require_once dirname(__DIR__) . '/config/config.php';`
Add performance, security, and reliability improvements - Consolidate all 20 API files to use centralized Database helper - Add optimistic locking to ticket updates to prevent concurrent conflicts - Add caching to StatsModel (60s TTL) for dashboard performance - Add health check endpoint (api/health.php) for monitoring - Improve rate limit cleanup with cron script and efficient DirectoryIterator - Enable rate limit response headers (X-RateLimit-*) - Add audit logging for workflow transitions - Log Discord webhook failures instead of silencing - Fix visibility check on export_tickets.php - Add database migration system with performance indexes - Fix cron recurring tickets to use assignTicket method Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-30 14:39:13 -05:00			`require_once dirname(__DIR__) . '/helpers/Database.php';`
Implement comprehensive improvement plan (Phases 1-6) Security (Phase 1-2): - Add SecurityHeadersMiddleware with CSP, X-Frame-Options, etc. - Add RateLimitMiddleware for API rate limiting - Add security event logging to AuditLogModel - Add ResponseHelper for standardized API responses - Update config.php with security constants Database (Phase 3): - Add migration 014 for additional indexes - Add migration 015 for ticket dependencies - Add migration 016 for ticket attachments - Add migration 017 for recurring tickets - Add migration 018 for custom fields Features (Phase 4-5): - Add ticket dependencies with DependencyModel and API - Add duplicate detection with check_duplicates API - Add file attachments with AttachmentModel and upload/download APIs - Add @mentions with autocomplete and highlighting - Add quick actions on dashboard rows Collaboration (Phase 5): - Add mention extraction in CommentModel - Add mention autocomplete dropdown in ticket.js - Add mention highlighting CSS styles Admin & Export (Phase 6): - Add StatsModel for dashboard widgets - Add dashboard stats cards (open, critical, unassigned, etc.) - Add CSV/JSON export via export_tickets API - Add rich text editor toolbar in markdown.js - Add RecurringTicketModel with cron job - Add CustomFieldModel for per-category fields - Add admin views: RecurringTickets, CustomFields, Workflow, Templates, AuditLog, UserActivity - Add admin APIs: manage_workflows, manage_templates, manage_recurring, custom_fields, get_users - Add admin routes in index.php Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-20 09:55:01 -05:00			`require_once dirname(__DIR__) . '/helpers/ResponseHelper.php';`
			`require_once dirname(__DIR__) . '/models/AttachmentModel.php';`
			`require_once dirname(__DIR__) . '/models/AuditLogModel.php';`
			`require_once dirname(__DIR__) . '/middleware/CsrfMiddleware.php';`

			`header('Content-Type: application/json');`

			`// Check authentication`
			`if (!isset($_SESSION['user']) \|\| !isset($_SESSION['user']['user_id'])) {`
			`ResponseHelper::unauthorized();`
			`}`

			`// Only accept DELETE or POST requests`
			`if (!in_array($_SERVER['REQUEST_METHOD'], ['DELETE', 'POST'])) {`
			`ResponseHelper::error('Method not allowed', 405);`
			`}`

			`// Get request body`
			`$input = json_decode(file_get_contents('php://input'), true);`
			`if ($_SERVER['REQUEST_METHOD'] === 'POST') {`
			`$input = array_merge($_POST, $input ?? []);`
			`}`

			`// Verify CSRF token`
			`$csrfToken = $input['csrf_token'] ?? $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';`
			`if (!CsrfMiddleware::validateToken($csrfToken)) {`
			`ResponseHelper::forbidden('Invalid CSRF token');`
			`}`

			`// Get attachment ID`
			`$attachmentId = $input['attachment_id'] ?? null;`
			`if (!$attachmentId \|\| !is_numeric($attachmentId)) {`
			`ResponseHelper::error('Valid attachment ID is required');`
			`}`

			`$attachmentId = (int)$attachmentId;`

			`try {`
Integrate web_template design system and fix security/quality issues Security fixes: - Add HTTP method validation to delete_comment.php (block CSRF via GET) - Remove $_GET fallback in comment deletion (was CSRF bypass vector) - Guard session_start() with session_status() check across API files - Escape json_encode() data attributes with htmlspecialchars in views - Escape inline APP_TIMEZONE config values in DashboardView/TicketView - Validate timezone param against DateTimeZone::listIdentifiers() in index.php - Remove Database::escape() (was using real_escape_string, not safe) - Fix AttachmentModel hardcoded connection; inject via constructor Backend fixes: - Fix CommentModel bind_param type for ticket_id (s→i) - Fix buildCommentThread orphan parent guard - Fix StatsModel JOIN→LEFT JOIN so unassigned tickets aren't excluded - Add ticket ID validation in BulkOperationsModel before implode() - Add duplicate key retry in TicketModel::createTicket() for race conditions - Wrap SavedFiltersModel default filter changes in transactions - Add null result guards in WorkflowModel query methods Frontend JS: - Rewrite toast.js as lt.toast shim (base.js dependency) - Delegate escapeHtml() to lt.escHtml() - Rewrite keyboard-shortcuts.js using lt.keys.on() - Migrate settings.js to lt.api.* and lt.modal.open/close() - Migrate advanced-search.js to lt.api.* and lt.modal.open/close() - Migrate dashboard.js fetch calls to lt.api.*; update all dynamic modals (bulk ops, quick actions, confirm/input) to lt-modal structure - Migrate ticket.js fetchMentionUsers to lt.api.get() - Remove console.log/error/warn calls from JS files Views: - Add /web_template/base.css and base.js to all 10 view files - Call lt.keys.initDefaults() in DashboardView, TicketView, admin views - Migrate all modal HTML from settings-modal/settings-content to lt-modal-overlay/lt-modal/lt-modal-header/lt-modal-body/lt-modal-footer - Replace style="display:none" with aria-hidden="true" on all modals - Replace modal open/close style.display with lt.modal.open/close() - Update modal buttons to lt-btn lt-btn-primary/lt-btn-ghost classes - Remove manual ESC keydown handlers (replaced by lt.keys.initDefaults) - Fix unescaped timezone values in TicketView inline script Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-03-17 23:22:24 -04:00			`$attachmentModel = new AttachmentModel(Database::getConnection());`
Implement comprehensive improvement plan (Phases 1-6) Security (Phase 1-2): - Add SecurityHeadersMiddleware with CSP, X-Frame-Options, etc. - Add RateLimitMiddleware for API rate limiting - Add security event logging to AuditLogModel - Add ResponseHelper for standardized API responses - Update config.php with security constants Database (Phase 3): - Add migration 014 for additional indexes - Add migration 015 for ticket dependencies - Add migration 016 for ticket attachments - Add migration 017 for recurring tickets - Add migration 018 for custom fields Features (Phase 4-5): - Add ticket dependencies with DependencyModel and API - Add duplicate detection with check_duplicates API - Add file attachments with AttachmentModel and upload/download APIs - Add @mentions with autocomplete and highlighting - Add quick actions on dashboard rows Collaboration (Phase 5): - Add mention extraction in CommentModel - Add mention autocomplete dropdown in ticket.js - Add mention highlighting CSS styles Admin & Export (Phase 6): - Add StatsModel for dashboard widgets - Add dashboard stats cards (open, critical, unassigned, etc.) - Add CSV/JSON export via export_tickets API - Add rich text editor toolbar in markdown.js - Add RecurringTicketModel with cron job - Add CustomFieldModel for per-category fields - Add admin views: RecurringTickets, CustomFields, Workflow, Templates, AuditLog, UserActivity - Add admin APIs: manage_workflows, manage_templates, manage_recurring, custom_fields, get_users - Add admin routes in index.php Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-20 09:55:01 -05:00
			`// Get attachment details`
			`$attachment = $attachmentModel->getAttachment($attachmentId);`
			`if (!$attachment) {`
			`ResponseHelper::notFound('Attachment not found');`
			`}`

			`// Check permission`
			`$isAdmin = $_SESSION['user']['is_admin'] ?? false;`
			`if (!$attachmentModel->canUserDelete($attachmentId, $_SESSION['user']['user_id'], $isAdmin)) {`
			`ResponseHelper::forbidden('You do not have permission to delete this attachment');`
			`}`

			`// Delete the file`
			`$uploadDir = $GLOBALS['config']['UPLOAD_DIR'] ?? dirname(__DIR__) . '/uploads';`
			`$filePath = $uploadDir . '/' . $attachment['ticket_id'] . '/' . $attachment['filename'];`

			`if (file_exists($filePath)) {`
			`if (!unlink($filePath)) {`
			`ResponseHelper::serverError('Failed to delete file');`
			`}`
			`}`

			`// Delete from database`
			`if (!$attachmentModel->deleteAttachment($attachmentId)) {`
			`ResponseHelper::serverError('Failed to delete attachment record');`
			`}`

			`// Log the deletion`
Add performance, security, and reliability improvements - Consolidate all 20 API files to use centralized Database helper - Add optimistic locking to ticket updates to prevent concurrent conflicts - Add caching to StatsModel (60s TTL) for dashboard performance - Add health check endpoint (api/health.php) for monitoring - Improve rate limit cleanup with cron script and efficient DirectoryIterator - Enable rate limit response headers (X-RateLimit-*) - Add audit logging for workflow transitions - Log Discord webhook failures instead of silencing - Fix visibility check on export_tickets.php - Add database migration system with performance indexes - Fix cron recurring tickets to use assignTicket method Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-30 14:39:13 -05:00			`$conn = Database::getConnection();`
			`$auditLog = new AuditLogModel($conn);`
			`$auditLog->log(`
			`$_SESSION['user']['user_id'],`
			`'attachment_delete',`
			`'ticket_attachments',`
			`(string)$attachmentId,`
			`[`
			`'ticket_id' => $attachment['ticket_id'],`
			`'filename' => $attachment['original_filename'],`
			`'size' => $attachment['file_size']`
			`]`
Implement comprehensive improvement plan (Phases 1-6) Security (Phase 1-2): - Add SecurityHeadersMiddleware with CSP, X-Frame-Options, etc. - Add RateLimitMiddleware for API rate limiting - Add security event logging to AuditLogModel - Add ResponseHelper for standardized API responses - Update config.php with security constants Database (Phase 3): - Add migration 014 for additional indexes - Add migration 015 for ticket dependencies - Add migration 016 for ticket attachments - Add migration 017 for recurring tickets - Add migration 018 for custom fields Features (Phase 4-5): - Add ticket dependencies with DependencyModel and API - Add duplicate detection with check_duplicates API - Add file attachments with AttachmentModel and upload/download APIs - Add @mentions with autocomplete and highlighting - Add quick actions on dashboard rows Collaboration (Phase 5): - Add mention extraction in CommentModel - Add mention autocomplete dropdown in ticket.js - Add mention highlighting CSS styles Admin & Export (Phase 6): - Add StatsModel for dashboard widgets - Add dashboard stats cards (open, critical, unassigned, etc.) - Add CSV/JSON export via export_tickets API - Add rich text editor toolbar in markdown.js - Add RecurringTicketModel with cron job - Add CustomFieldModel for per-category fields - Add admin views: RecurringTickets, CustomFields, Workflow, Templates, AuditLog, UserActivity - Add admin APIs: manage_workflows, manage_templates, manage_recurring, custom_fields, get_users - Add admin routes in index.php Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-20 09:55:01 -05:00			`);`

			`ResponseHelper::success([], 'Attachment deleted successfully');`

			`} catch (Exception $e) {`
			`ResponseHelper::serverError('Failed to delete attachment');`
			`}`