2025-05-16 20:02:49 -04:00
|
|
|
<?php
|
|
|
|
|
// Use absolute paths for model includes
|
|
|
|
|
require_once dirname(__DIR__) . '/models/TicketModel.php';
|
|
|
|
|
require_once dirname(__DIR__) . '/models/CommentModel.php';
|
2026-01-01 18:25:19 -05:00
|
|
|
require_once dirname(__DIR__) . '/models/AuditLogModel.php';
|
2026-01-01 18:36:34 -05:00
|
|
|
require_once dirname(__DIR__) . '/models/UserModel.php';
|
2026-01-01 18:57:23 -05:00
|
|
|
require_once dirname(__DIR__) . '/models/WorkflowModel.php';
|
2026-01-01 19:00:42 -05:00
|
|
|
require_once dirname(__DIR__) . '/models/TemplateModel.php';
|
Add security logging, domain validation, and output helpers
- Add authentication failure logging to AuthMiddleware (session expiry,
access denied, unauthenticated access attempts)
- Add UrlHelper for secure URL generation with host validation against
configurable ALLOWED_HOSTS whitelist
- Add OutputHelper with consistent XSS-safe escaping functions (h, attr,
json, url, css, truncate, date, cssClass)
- Add validation to AuditLogModel query parameters (pagination limits,
date format validation, action/entity type validation, IP sanitization)
- Add APP_DOMAIN and ALLOWED_HOSTS configuration options
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-30 18:51:16 -05:00
|
|
|
require_once dirname(__DIR__) . '/helpers/UrlHelper.php';
|
2025-05-16 20:02:49 -04:00
|
|
|
|
|
|
|
|
class TicketController {
|
|
|
|
|
private $ticketModel;
|
|
|
|
|
private $commentModel;
|
2026-01-01 18:25:19 -05:00
|
|
|
private $auditLogModel;
|
2026-01-01 18:36:34 -05:00
|
|
|
private $userModel;
|
2026-01-01 18:57:23 -05:00
|
|
|
private $workflowModel;
|
2026-01-01 19:00:42 -05:00
|
|
|
private $templateModel;
|
2025-09-05 11:08:56 -04:00
|
|
|
private $envVars;
|
2026-01-23 10:01:50 -05:00
|
|
|
private $conn;
|
2026-01-01 18:57:23 -05:00
|
|
|
|
2025-05-16 20:02:49 -04:00
|
|
|
public function __construct($conn) {
|
2026-01-23 10:01:50 -05:00
|
|
|
$this->conn = $conn;
|
2025-05-16 20:02:49 -04:00
|
|
|
$this->ticketModel = new TicketModel($conn);
|
|
|
|
|
$this->commentModel = new CommentModel($conn);
|
2026-01-01 18:25:19 -05:00
|
|
|
$this->auditLogModel = new AuditLogModel($conn);
|
2026-01-01 18:36:34 -05:00
|
|
|
$this->userModel = new UserModel($conn);
|
2026-01-01 18:57:23 -05:00
|
|
|
$this->workflowModel = new WorkflowModel($conn);
|
2026-01-01 19:00:42 -05:00
|
|
|
$this->templateModel = new TemplateModel($conn);
|
2025-09-05 11:08:56 -04:00
|
|
|
|
|
|
|
|
// Load environment variables for Discord webhook
|
|
|
|
|
$envPath = dirname(__DIR__) . '/.env';
|
|
|
|
|
$this->envVars = [];
|
|
|
|
|
if (file_exists($envPath)) {
|
|
|
|
|
$lines = file($envPath, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
|
|
|
|
|
foreach ($lines as $line) {
|
|
|
|
|
if (strpos($line, '=') !== false && strpos($line, '#') !== 0) {
|
|
|
|
|
list($key, $value) = explode('=', $line, 2);
|
2026-01-01 16:40:04 -05:00
|
|
|
$key = trim($key);
|
|
|
|
|
$value = trim($value);
|
|
|
|
|
// Remove surrounding quotes if present
|
|
|
|
|
if ((substr($value, 0, 1) === '"' && substr($value, -1) === '"') ||
|
|
|
|
|
(substr($value, 0, 1) === "'" && substr($value, -1) === "'")) {
|
|
|
|
|
$value = substr($value, 1, -1);
|
|
|
|
|
}
|
|
|
|
|
$this->envVars[$key] = $value;
|
2025-09-05 11:08:56 -04:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2025-05-16 20:02:49 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public function view($id) {
|
2026-01-01 15:40:32 -05:00
|
|
|
// Get current user
|
|
|
|
|
$currentUser = $GLOBALS['currentUser'] ?? null;
|
|
|
|
|
$userId = $currentUser['user_id'] ?? null;
|
|
|
|
|
|
2025-05-16 20:02:49 -04:00
|
|
|
// Get ticket data
|
|
|
|
|
$ticket = $this->ticketModel->getTicketById($id);
|
2026-01-01 15:40:32 -05:00
|
|
|
|
2025-05-16 20:02:49 -04:00
|
|
|
if (!$ticket) {
|
|
|
|
|
header("HTTP/1.0 404 Not Found");
|
|
|
|
|
echo "Ticket not found";
|
|
|
|
|
return;
|
|
|
|
|
}
|
2026-01-01 15:40:32 -05:00
|
|
|
|
2026-01-23 10:01:50 -05:00
|
|
|
// Check visibility access
|
|
|
|
|
if (!$this->ticketModel->canUserAccessTicket($ticket, $currentUser)) {
|
|
|
|
|
header("HTTP/1.0 403 Forbidden");
|
|
|
|
|
echo "Access denied: You do not have permission to view this ticket";
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2025-09-05 11:08:56 -04:00
|
|
|
// Get comments for this ticket using CommentModel
|
|
|
|
|
$comments = $this->commentModel->getCommentsByTicketId($id);
|
2026-01-01 15:40:32 -05:00
|
|
|
|
2026-01-01 18:25:19 -05:00
|
|
|
// Get timeline for this ticket
|
|
|
|
|
$timeline = $this->auditLogModel->getTicketTimeline($id);
|
|
|
|
|
|
2026-01-01 18:36:34 -05:00
|
|
|
// Get all users for assignment dropdown
|
|
|
|
|
$allUsers = $this->userModel->getAllUsers();
|
|
|
|
|
|
2026-01-01 18:57:23 -05:00
|
|
|
// Get allowed status transitions for this ticket
|
|
|
|
|
$allowedTransitions = $this->workflowModel->getAllowedTransitions($ticket['status']);
|
|
|
|
|
|
2026-01-23 10:23:19 -05:00
|
|
|
// Make $conn available to view for visibility groups
|
|
|
|
|
$conn = $this->conn;
|
|
|
|
|
|
2025-05-16 20:02:49 -04:00
|
|
|
// Load the view
|
|
|
|
|
include dirname(__DIR__) . '/views/TicketView.php';
|
|
|
|
|
}
|
2026-01-23 10:23:19 -05:00
|
|
|
|
2025-05-16 20:02:49 -04:00
|
|
|
public function create() {
|
2026-01-01 15:40:32 -05:00
|
|
|
// Get current user
|
|
|
|
|
$currentUser = $GLOBALS['currentUser'] ?? null;
|
|
|
|
|
$userId = $currentUser['user_id'] ?? null;
|
|
|
|
|
|
2025-05-16 20:02:49 -04:00
|
|
|
// Check if form was submitted
|
|
|
|
|
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
|
2026-01-23 10:01:50 -05:00
|
|
|
// Handle visibility groups (comes as array from checkboxes)
|
|
|
|
|
$visibilityGroups = null;
|
|
|
|
|
if (isset($_POST['visibility_groups']) && is_array($_POST['visibility_groups'])) {
|
|
|
|
|
$visibilityGroups = implode(',', array_map('trim', $_POST['visibility_groups']));
|
|
|
|
|
}
|
|
|
|
|
|
2025-05-16 20:02:49 -04:00
|
|
|
$ticketData = [
|
|
|
|
|
'title' => $_POST['title'] ?? '',
|
|
|
|
|
'description' => $_POST['description'] ?? '',
|
|
|
|
|
'priority' => $_POST['priority'] ?? '4',
|
|
|
|
|
'category' => $_POST['category'] ?? 'General',
|
2026-01-23 10:01:50 -05:00
|
|
|
'type' => $_POST['type'] ?? 'Issue',
|
|
|
|
|
'visibility' => $_POST['visibility'] ?? 'public',
|
|
|
|
|
'visibility_groups' => $visibilityGroups
|
2025-05-16 20:02:49 -04:00
|
|
|
];
|
2026-01-01 15:40:32 -05:00
|
|
|
|
2025-05-16 20:02:49 -04:00
|
|
|
// Validate input
|
|
|
|
|
if (empty($ticketData['title'])) {
|
|
|
|
|
$error = "Title is required";
|
2026-01-01 19:00:42 -05:00
|
|
|
$templates = $this->templateModel->getAllTemplates();
|
2026-01-23 10:01:50 -05:00
|
|
|
$conn = $this->conn; // Make $conn available to view
|
2025-05-16 20:02:49 -04:00
|
|
|
include dirname(__DIR__) . '/views/CreateTicketView.php';
|
|
|
|
|
return;
|
|
|
|
|
}
|
2026-01-01 15:40:32 -05:00
|
|
|
|
|
|
|
|
// Create ticket with user tracking
|
|
|
|
|
$result = $this->ticketModel->createTicket($ticketData, $userId);
|
|
|
|
|
|
2025-05-16 20:02:49 -04:00
|
|
|
if ($result['success']) {
|
2026-01-01 15:40:32 -05:00
|
|
|
// Log ticket creation to audit log
|
|
|
|
|
if (isset($GLOBALS['auditLog']) && $userId) {
|
|
|
|
|
$GLOBALS['auditLog']->logTicketCreate($userId, $result['ticket_id'], $ticketData);
|
|
|
|
|
}
|
|
|
|
|
|
2025-09-05 11:08:56 -04:00
|
|
|
// Send Discord webhook notification for new ticket
|
|
|
|
|
$this->sendDiscordWebhook($result['ticket_id'], $ticketData);
|
2026-01-01 15:40:32 -05:00
|
|
|
|
2025-05-16 20:02:49 -04:00
|
|
|
// Redirect to the new ticket
|
2025-09-05 11:08:56 -04:00
|
|
|
header("Location: " . $GLOBALS['config']['BASE_URL'] . "/ticket/" . $result['ticket_id']);
|
2025-05-16 20:02:49 -04:00
|
|
|
exit;
|
|
|
|
|
} else {
|
|
|
|
|
$error = $result['error'];
|
2026-01-01 19:00:42 -05:00
|
|
|
$templates = $this->templateModel->getAllTemplates();
|
2026-01-23 10:01:50 -05:00
|
|
|
$conn = $this->conn; // Make $conn available to view
|
2025-05-16 20:02:49 -04:00
|
|
|
include dirname(__DIR__) . '/views/CreateTicketView.php';
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
} else {
|
2026-01-01 19:00:42 -05:00
|
|
|
// Get all templates for the template selector
|
|
|
|
|
$templates = $this->templateModel->getAllTemplates();
|
2026-01-23 10:01:50 -05:00
|
|
|
$conn = $this->conn; // Make $conn available to view
|
2026-01-01 19:00:42 -05:00
|
|
|
|
2025-05-16 20:02:49 -04:00
|
|
|
// Display the create ticket form
|
|
|
|
|
include dirname(__DIR__) . '/views/CreateTicketView.php';
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public function update($id) {
|
2026-01-01 15:40:32 -05:00
|
|
|
// Get current user
|
|
|
|
|
$currentUser = $GLOBALS['currentUser'] ?? null;
|
|
|
|
|
$userId = $currentUser['user_id'] ?? null;
|
|
|
|
|
|
2025-05-16 20:02:49 -04:00
|
|
|
// Check if this is an AJAX request
|
|
|
|
|
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
|
|
|
|
|
// For AJAX requests, get JSON data
|
|
|
|
|
$input = file_get_contents('php://input');
|
|
|
|
|
$data = json_decode($input, true);
|
2026-01-01 15:40:32 -05:00
|
|
|
|
2025-05-16 20:02:49 -04:00
|
|
|
// Add ticket_id to the data
|
|
|
|
|
$data['ticket_id'] = $id;
|
2026-01-01 15:40:32 -05:00
|
|
|
|
2025-05-16 20:02:49 -04:00
|
|
|
// Validate input data
|
|
|
|
|
if (empty($data['title'])) {
|
|
|
|
|
header('Content-Type: application/json');
|
|
|
|
|
echo json_encode([
|
|
|
|
|
'success' => false,
|
|
|
|
|
'error' => 'Title cannot be empty'
|
|
|
|
|
]);
|
|
|
|
|
return;
|
|
|
|
|
}
|
2026-01-01 15:40:32 -05:00
|
|
|
|
|
|
|
|
// Update ticket with user tracking
|
2026-01-30 14:39:13 -05:00
|
|
|
// Pass expected_updated_at for optimistic locking if provided
|
|
|
|
|
$expectedUpdatedAt = $data['expected_updated_at'] ?? null;
|
|
|
|
|
$result = $this->ticketModel->updateTicket($data, $userId, $expectedUpdatedAt);
|
2026-01-01 15:40:32 -05:00
|
|
|
|
|
|
|
|
// Log ticket update to audit log
|
2026-01-30 14:39:13 -05:00
|
|
|
if ($result['success'] && isset($GLOBALS['auditLog']) && $userId) {
|
2026-01-01 15:40:32 -05:00
|
|
|
$GLOBALS['auditLog']->logTicketUpdate($userId, $id, $data);
|
|
|
|
|
}
|
|
|
|
|
|
2025-05-16 20:02:49 -04:00
|
|
|
// Return JSON response
|
|
|
|
|
header('Content-Type: application/json');
|
2026-01-30 14:39:13 -05:00
|
|
|
if ($result['success']) {
|
2025-05-16 20:02:49 -04:00
|
|
|
echo json_encode([
|
|
|
|
|
'success' => true,
|
|
|
|
|
'status' => $data['status']
|
|
|
|
|
]);
|
|
|
|
|
} else {
|
2026-01-30 14:39:13 -05:00
|
|
|
$response = [
|
2025-05-16 20:02:49 -04:00
|
|
|
'success' => false,
|
2026-01-30 14:39:13 -05:00
|
|
|
'error' => $result['error'] ?? 'Failed to update ticket'
|
|
|
|
|
];
|
|
|
|
|
if (!empty($result['conflict'])) {
|
|
|
|
|
$response['conflict'] = true;
|
|
|
|
|
$response['current_updated_at'] = $result['current_updated_at'] ?? null;
|
|
|
|
|
}
|
|
|
|
|
echo json_encode($response);
|
2025-05-16 20:02:49 -04:00
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
// For direct access, redirect to view
|
|
|
|
|
header("Location: " . $GLOBALS['config']['BASE_URL'] . "/ticket/$id");
|
|
|
|
|
exit;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2025-09-05 11:08:56 -04:00
|
|
|
private function sendDiscordWebhook($ticketId, $ticketData) {
|
|
|
|
|
if (!isset($this->envVars['DISCORD_WEBHOOK_URL']) || empty($this->envVars['DISCORD_WEBHOOK_URL'])) {
|
|
|
|
|
error_log("Discord webhook URL not configured, skipping webhook for ticket creation");
|
|
|
|
|
return;
|
|
|
|
|
}
|
2026-01-26 11:11:40 -05:00
|
|
|
|
2025-09-05 11:08:56 -04:00
|
|
|
$webhookUrl = $this->envVars['DISCORD_WEBHOOK_URL'];
|
2026-01-26 11:11:40 -05:00
|
|
|
|
Add security logging, domain validation, and output helpers
- Add authentication failure logging to AuthMiddleware (session expiry,
access denied, unauthenticated access attempts)
- Add UrlHelper for secure URL generation with host validation against
configurable ALLOWED_HOSTS whitelist
- Add OutputHelper with consistent XSS-safe escaping functions (h, attr,
json, url, css, truncate, date, cssClass)
- Add validation to AuditLogModel query parameters (pagination limits,
date format validation, action/entity type validation, IP sanitization)
- Add APP_DOMAIN and ALLOWED_HOSTS configuration options
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-30 18:51:16 -05:00
|
|
|
// Create ticket URL using validated host
|
|
|
|
|
$ticketUrl = UrlHelper::ticketUrl($ticketId);
|
2026-01-26 11:11:40 -05:00
|
|
|
|
|
|
|
|
// Map priorities to Discord colors (matching API endpoint)
|
2025-09-05 11:08:56 -04:00
|
|
|
$priorityColors = [
|
2026-01-26 11:11:40 -05:00
|
|
|
1 => 0xDC3545, // P1 Critical - Red
|
|
|
|
|
2 => 0xFD7E14, // P2 High - Orange
|
|
|
|
|
3 => 0x0DCAF0, // P3 Medium - Cyan
|
|
|
|
|
4 => 0x198754, // P4 Low - Green
|
|
|
|
|
5 => 0x6C757D // P5 Info - Gray
|
2025-09-05 11:08:56 -04:00
|
|
|
];
|
2026-01-26 11:11:40 -05:00
|
|
|
|
|
|
|
|
// Priority labels for display
|
|
|
|
|
$priorityLabels = [
|
|
|
|
|
1 => "P1 - Critical",
|
|
|
|
|
2 => "P2 - High",
|
|
|
|
|
3 => "P3 - Medium",
|
|
|
|
|
4 => "P4 - Low",
|
|
|
|
|
5 => "P5 - Info"
|
|
|
|
|
];
|
|
|
|
|
|
2025-09-05 11:08:56 -04:00
|
|
|
$priority = (int)($ticketData['priority'] ?? 4);
|
2026-01-26 11:11:40 -05:00
|
|
|
$color = $priorityColors[$priority] ?? 0x6C757D;
|
|
|
|
|
$priorityLabel = $priorityLabels[$priority] ?? "P{$priority}";
|
|
|
|
|
|
|
|
|
|
$title = $ticketData['title'] ?? 'Untitled';
|
|
|
|
|
$category = $ticketData['category'] ?? 'General';
|
|
|
|
|
$type = $ticketData['type'] ?? 'Issue';
|
|
|
|
|
$status = $ticketData['status'] ?? 'Open';
|
|
|
|
|
|
|
|
|
|
// Extract hostname from title for cleaner display
|
|
|
|
|
preg_match('/^\[([^\]]+)\]/', $title, $hostnameMatch);
|
|
|
|
|
$sourceHost = $hostnameMatch[1] ?? 'Manual';
|
|
|
|
|
|
2025-09-05 11:08:56 -04:00
|
|
|
$embed = [
|
2026-01-26 11:11:40 -05:00
|
|
|
'title' => 'New Ticket Created',
|
|
|
|
|
'description' => "**#{$ticketId}** - {$title}",
|
2025-09-05 11:08:56 -04:00
|
|
|
'url' => $ticketUrl,
|
|
|
|
|
'color' => $color,
|
|
|
|
|
'fields' => [
|
|
|
|
|
[
|
|
|
|
|
'name' => 'Priority',
|
2026-01-26 11:11:40 -05:00
|
|
|
'value' => $priorityLabel,
|
2025-09-05 11:08:56 -04:00
|
|
|
'inline' => true
|
|
|
|
|
],
|
|
|
|
|
[
|
2026-01-26 11:11:40 -05:00
|
|
|
'name' => 'Category',
|
|
|
|
|
'value' => $category,
|
2025-09-05 11:08:56 -04:00
|
|
|
'inline' => true
|
|
|
|
|
],
|
|
|
|
|
[
|
|
|
|
|
'name' => 'Type',
|
2026-01-26 11:11:40 -05:00
|
|
|
'value' => $type,
|
2025-09-05 11:08:56 -04:00
|
|
|
'inline' => true
|
|
|
|
|
],
|
|
|
|
|
[
|
|
|
|
|
'name' => 'Status',
|
2026-01-26 11:11:40 -05:00
|
|
|
'value' => $status,
|
|
|
|
|
'inline' => true
|
|
|
|
|
],
|
|
|
|
|
[
|
|
|
|
|
'name' => 'Source',
|
|
|
|
|
'value' => $sourceHost,
|
2025-09-05 11:08:56 -04:00
|
|
|
'inline' => true
|
|
|
|
|
]
|
|
|
|
|
],
|
|
|
|
|
'footer' => [
|
2026-01-26 11:11:40 -05:00
|
|
|
'text' => 'Tinker Tickets | Manual Entry'
|
2025-09-05 11:08:56 -04:00
|
|
|
],
|
|
|
|
|
'timestamp' => date('c')
|
|
|
|
|
];
|
2026-01-26 11:11:40 -05:00
|
|
|
|
2025-09-05 11:08:56 -04:00
|
|
|
$payload = [
|
|
|
|
|
'embeds' => [$embed]
|
|
|
|
|
];
|
2026-01-26 11:11:40 -05:00
|
|
|
|
2025-09-05 11:08:56 -04:00
|
|
|
// Send webhook
|
|
|
|
|
$ch = curl_init($webhookUrl);
|
|
|
|
|
curl_setopt($ch, CURLOPT_HTTPHEADER, ['Content-Type: application/json']);
|
|
|
|
|
curl_setopt($ch, CURLOPT_POST, 1);
|
|
|
|
|
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($payload));
|
|
|
|
|
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
|
|
|
|
|
curl_setopt($ch, CURLOPT_TIMEOUT, 10);
|
2026-01-26 11:11:40 -05:00
|
|
|
|
2025-09-05 11:08:56 -04:00
|
|
|
$webhookResult = curl_exec($ch);
|
|
|
|
|
$httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
|
|
|
|
|
$curlError = curl_error($ch);
|
|
|
|
|
curl_close($ch);
|
2026-01-26 11:11:40 -05:00
|
|
|
|
2025-09-05 11:08:56 -04:00
|
|
|
if ($curlError) {
|
2026-01-26 11:11:40 -05:00
|
|
|
error_log("Discord webhook cURL error: {$curlError}");
|
|
|
|
|
} elseif ($httpCode !== 204 && $httpCode !== 200) {
|
|
|
|
|
error_log("Discord webhook failed for ticket #{$ticketId}. HTTP Code: {$httpCode}");
|
2025-09-05 11:08:56 -04:00
|
|
|
}
|
2025-05-16 20:02:49 -04:00
|
|
|
}
|
2025-09-05 11:08:56 -04:00
|
|
|
}
|
|
|
|
|
?>
|
