Implement comprehensive improvement plan (Phases 1-6)
Security (Phase 1-2):
- Add SecurityHeadersMiddleware with CSP, X-Frame-Options, etc.
- Add RateLimitMiddleware for API rate limiting
- Add security event logging to AuditLogModel
- Add ResponseHelper for standardized API responses
- Update config.php with security constants
Database (Phase 3):
- Add migration 014 for additional indexes
- Add migration 015 for ticket dependencies
- Add migration 016 for ticket attachments
- Add migration 017 for recurring tickets
- Add migration 018 for custom fields
Features (Phase 4-5):
- Add ticket dependencies with DependencyModel and API
- Add duplicate detection with check_duplicates API
- Add file attachments with AttachmentModel and upload/download APIs
- Add @mentions with autocomplete and highlighting
- Add quick actions on dashboard rows
Collaboration (Phase 5):
- Add mention extraction in CommentModel
- Add mention autocomplete dropdown in ticket.js
- Add mention highlighting CSS styles
Admin & Export (Phase 6):
- Add StatsModel for dashboard widgets
- Add dashboard stats cards (open, critical, unassigned, etc.)
- Add CSV/JSON export via export_tickets API
- Add rich text editor toolbar in markdown.js
- Add RecurringTicketModel with cron job
- Add CustomFieldModel for per-category fields
- Add admin views: RecurringTickets, CustomFields, Workflow,
Templates, AuditLog, UserActivity
- Add admin APIs: manage_workflows, manage_templates,
manage_recurring, custom_fields, get_users
- Add admin routes in index.php
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-20 09:55:01 -05:00
|
|
|
<?php
|
|
|
|
|
/**
|
|
|
|
|
* Download Attachment API
|
|
|
|
|
*
|
|
|
|
|
* Serves file downloads for ticket attachments
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
session_start();
|
|
|
|
|
require_once dirname(__DIR__) . '/config/config.php';
|
|
|
|
|
require_once dirname(__DIR__) . '/models/AttachmentModel.php';
|
2026-01-23 10:01:50 -05:00
|
|
|
require_once dirname(__DIR__) . '/models/TicketModel.php';
|
Implement comprehensive improvement plan (Phases 1-6)
Security (Phase 1-2):
- Add SecurityHeadersMiddleware with CSP, X-Frame-Options, etc.
- Add RateLimitMiddleware for API rate limiting
- Add security event logging to AuditLogModel
- Add ResponseHelper for standardized API responses
- Update config.php with security constants
Database (Phase 3):
- Add migration 014 for additional indexes
- Add migration 015 for ticket dependencies
- Add migration 016 for ticket attachments
- Add migration 017 for recurring tickets
- Add migration 018 for custom fields
Features (Phase 4-5):
- Add ticket dependencies with DependencyModel and API
- Add duplicate detection with check_duplicates API
- Add file attachments with AttachmentModel and upload/download APIs
- Add @mentions with autocomplete and highlighting
- Add quick actions on dashboard rows
Collaboration (Phase 5):
- Add mention extraction in CommentModel
- Add mention autocomplete dropdown in ticket.js
- Add mention highlighting CSS styles
Admin & Export (Phase 6):
- Add StatsModel for dashboard widgets
- Add dashboard stats cards (open, critical, unassigned, etc.)
- Add CSV/JSON export via export_tickets API
- Add rich text editor toolbar in markdown.js
- Add RecurringTicketModel with cron job
- Add CustomFieldModel for per-category fields
- Add admin views: RecurringTickets, CustomFields, Workflow,
Templates, AuditLog, UserActivity
- Add admin APIs: manage_workflows, manage_templates,
manage_recurring, custom_fields, get_users
- Add admin routes in index.php
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-20 09:55:01 -05:00
|
|
|
|
|
|
|
|
// Check authentication
|
|
|
|
|
if (!isset($_SESSION['user']) || !isset($_SESSION['user']['user_id'])) {
|
|
|
|
|
http_response_code(401);
|
|
|
|
|
header('Content-Type: application/json');
|
|
|
|
|
echo json_encode(['success' => false, 'error' => 'Authentication required']);
|
|
|
|
|
exit;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Get attachment ID
|
|
|
|
|
$attachmentId = $_GET['id'] ?? null;
|
|
|
|
|
if (!$attachmentId || !is_numeric($attachmentId)) {
|
|
|
|
|
http_response_code(400);
|
|
|
|
|
header('Content-Type: application/json');
|
|
|
|
|
echo json_encode(['success' => false, 'error' => 'Valid attachment ID is required']);
|
|
|
|
|
exit;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
$attachmentId = (int)$attachmentId;
|
|
|
|
|
|
|
|
|
|
try {
|
|
|
|
|
$attachmentModel = new AttachmentModel();
|
|
|
|
|
|
|
|
|
|
// Get attachment details
|
|
|
|
|
$attachment = $attachmentModel->getAttachment($attachmentId);
|
|
|
|
|
if (!$attachment) {
|
|
|
|
|
http_response_code(404);
|
|
|
|
|
header('Content-Type: application/json');
|
|
|
|
|
echo json_encode(['success' => false, 'error' => 'Attachment not found']);
|
|
|
|
|
exit;
|
|
|
|
|
}
|
|
|
|
|
|
2026-01-28 20:27:15 -05:00
|
|
|
// Verify the associated ticket exists and user has access
|
2026-01-23 10:01:50 -05:00
|
|
|
$conn = new mysqli(
|
|
|
|
|
$GLOBALS['config']['DB_HOST'],
|
|
|
|
|
$GLOBALS['config']['DB_USER'],
|
|
|
|
|
$GLOBALS['config']['DB_PASS'],
|
|
|
|
|
$GLOBALS['config']['DB_NAME']
|
|
|
|
|
);
|
2026-01-28 20:27:15 -05:00
|
|
|
if ($conn->connect_error) {
|
|
|
|
|
http_response_code(500);
|
|
|
|
|
header('Content-Type: application/json');
|
|
|
|
|
echo json_encode(['success' => false, 'error' => 'Database connection failed']);
|
|
|
|
|
exit;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
$ticketModel = new TicketModel($conn);
|
|
|
|
|
$ticket = $ticketModel->getTicketById($attachment['ticket_id']);
|
|
|
|
|
|
|
|
|
|
if (!$ticket) {
|
2026-01-23 10:01:50 -05:00
|
|
|
$conn->close();
|
2026-01-28 20:27:15 -05:00
|
|
|
http_response_code(404);
|
|
|
|
|
header('Content-Type: application/json');
|
|
|
|
|
echo json_encode(['success' => false, 'error' => 'Associated ticket not found']);
|
|
|
|
|
exit;
|
|
|
|
|
}
|
2026-01-23 10:01:50 -05:00
|
|
|
|
2026-01-28 20:27:15 -05:00
|
|
|
// Check if user has access to this ticket based on visibility settings
|
|
|
|
|
if (!$ticketModel->canUserAccessTicket($ticket, $_SESSION['user'])) {
|
|
|
|
|
$conn->close();
|
|
|
|
|
http_response_code(403);
|
|
|
|
|
header('Content-Type: application/json');
|
|
|
|
|
echo json_encode(['success' => false, 'error' => 'Access denied to this ticket']);
|
|
|
|
|
exit;
|
2026-01-23 10:01:50 -05:00
|
|
|
}
|
|
|
|
|
|
2026-01-28 20:27:15 -05:00
|
|
|
$conn->close();
|
|
|
|
|
|
Implement comprehensive improvement plan (Phases 1-6)
Security (Phase 1-2):
- Add SecurityHeadersMiddleware with CSP, X-Frame-Options, etc.
- Add RateLimitMiddleware for API rate limiting
- Add security event logging to AuditLogModel
- Add ResponseHelper for standardized API responses
- Update config.php with security constants
Database (Phase 3):
- Add migration 014 for additional indexes
- Add migration 015 for ticket dependencies
- Add migration 016 for ticket attachments
- Add migration 017 for recurring tickets
- Add migration 018 for custom fields
Features (Phase 4-5):
- Add ticket dependencies with DependencyModel and API
- Add duplicate detection with check_duplicates API
- Add file attachments with AttachmentModel and upload/download APIs
- Add @mentions with autocomplete and highlighting
- Add quick actions on dashboard rows
Collaboration (Phase 5):
- Add mention extraction in CommentModel
- Add mention autocomplete dropdown in ticket.js
- Add mention highlighting CSS styles
Admin & Export (Phase 6):
- Add StatsModel for dashboard widgets
- Add dashboard stats cards (open, critical, unassigned, etc.)
- Add CSV/JSON export via export_tickets API
- Add rich text editor toolbar in markdown.js
- Add RecurringTicketModel with cron job
- Add CustomFieldModel for per-category fields
- Add admin views: RecurringTickets, CustomFields, Workflow,
Templates, AuditLog, UserActivity
- Add admin APIs: manage_workflows, manage_templates,
manage_recurring, custom_fields, get_users
- Add admin routes in index.php
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-20 09:55:01 -05:00
|
|
|
// Build file path
|
|
|
|
|
$uploadDir = $GLOBALS['config']['UPLOAD_DIR'] ?? dirname(__DIR__) . '/uploads';
|
|
|
|
|
$filePath = $uploadDir . '/' . $attachment['ticket_id'] . '/' . $attachment['filename'];
|
|
|
|
|
|
2026-01-23 10:01:50 -05:00
|
|
|
// Security: Verify the resolved path is within the uploads directory (prevent path traversal)
|
|
|
|
|
$realUploadDir = realpath($uploadDir);
|
|
|
|
|
$realFilePath = realpath($filePath);
|
|
|
|
|
|
|
|
|
|
if ($realFilePath === false || $realUploadDir === false || strpos($realFilePath, $realUploadDir) !== 0) {
|
|
|
|
|
http_response_code(403);
|
|
|
|
|
header('Content-Type: application/json');
|
|
|
|
|
echo json_encode(['success' => false, 'error' => 'Access denied']);
|
|
|
|
|
exit;
|
|
|
|
|
}
|
|
|
|
|
|
Implement comprehensive improvement plan (Phases 1-6)
Security (Phase 1-2):
- Add SecurityHeadersMiddleware with CSP, X-Frame-Options, etc.
- Add RateLimitMiddleware for API rate limiting
- Add security event logging to AuditLogModel
- Add ResponseHelper for standardized API responses
- Update config.php with security constants
Database (Phase 3):
- Add migration 014 for additional indexes
- Add migration 015 for ticket dependencies
- Add migration 016 for ticket attachments
- Add migration 017 for recurring tickets
- Add migration 018 for custom fields
Features (Phase 4-5):
- Add ticket dependencies with DependencyModel and API
- Add duplicate detection with check_duplicates API
- Add file attachments with AttachmentModel and upload/download APIs
- Add @mentions with autocomplete and highlighting
- Add quick actions on dashboard rows
Collaboration (Phase 5):
- Add mention extraction in CommentModel
- Add mention autocomplete dropdown in ticket.js
- Add mention highlighting CSS styles
Admin & Export (Phase 6):
- Add StatsModel for dashboard widgets
- Add dashboard stats cards (open, critical, unassigned, etc.)
- Add CSV/JSON export via export_tickets API
- Add rich text editor toolbar in markdown.js
- Add RecurringTicketModel with cron job
- Add CustomFieldModel for per-category fields
- Add admin views: RecurringTickets, CustomFields, Workflow,
Templates, AuditLog, UserActivity
- Add admin APIs: manage_workflows, manage_templates,
manage_recurring, custom_fields, get_users
- Add admin routes in index.php
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-20 09:55:01 -05:00
|
|
|
// Check if file exists
|
2026-01-23 10:01:50 -05:00
|
|
|
if (!file_exists($realFilePath)) {
|
Implement comprehensive improvement plan (Phases 1-6)
Security (Phase 1-2):
- Add SecurityHeadersMiddleware with CSP, X-Frame-Options, etc.
- Add RateLimitMiddleware for API rate limiting
- Add security event logging to AuditLogModel
- Add ResponseHelper for standardized API responses
- Update config.php with security constants
Database (Phase 3):
- Add migration 014 for additional indexes
- Add migration 015 for ticket dependencies
- Add migration 016 for ticket attachments
- Add migration 017 for recurring tickets
- Add migration 018 for custom fields
Features (Phase 4-5):
- Add ticket dependencies with DependencyModel and API
- Add duplicate detection with check_duplicates API
- Add file attachments with AttachmentModel and upload/download APIs
- Add @mentions with autocomplete and highlighting
- Add quick actions on dashboard rows
Collaboration (Phase 5):
- Add mention extraction in CommentModel
- Add mention autocomplete dropdown in ticket.js
- Add mention highlighting CSS styles
Admin & Export (Phase 6):
- Add StatsModel for dashboard widgets
- Add dashboard stats cards (open, critical, unassigned, etc.)
- Add CSV/JSON export via export_tickets API
- Add rich text editor toolbar in markdown.js
- Add RecurringTicketModel with cron job
- Add CustomFieldModel for per-category fields
- Add admin views: RecurringTickets, CustomFields, Workflow,
Templates, AuditLog, UserActivity
- Add admin APIs: manage_workflows, manage_templates,
manage_recurring, custom_fields, get_users
- Add admin routes in index.php
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-20 09:55:01 -05:00
|
|
|
http_response_code(404);
|
|
|
|
|
header('Content-Type: application/json');
|
|
|
|
|
echo json_encode(['success' => false, 'error' => 'File not found on server']);
|
|
|
|
|
exit;
|
|
|
|
|
}
|
|
|
|
|
|
2026-01-23 10:01:50 -05:00
|
|
|
// Use the validated real path
|
|
|
|
|
$filePath = $realFilePath;
|
|
|
|
|
|
Implement comprehensive improvement plan (Phases 1-6)
Security (Phase 1-2):
- Add SecurityHeadersMiddleware with CSP, X-Frame-Options, etc.
- Add RateLimitMiddleware for API rate limiting
- Add security event logging to AuditLogModel
- Add ResponseHelper for standardized API responses
- Update config.php with security constants
Database (Phase 3):
- Add migration 014 for additional indexes
- Add migration 015 for ticket dependencies
- Add migration 016 for ticket attachments
- Add migration 017 for recurring tickets
- Add migration 018 for custom fields
Features (Phase 4-5):
- Add ticket dependencies with DependencyModel and API
- Add duplicate detection with check_duplicates API
- Add file attachments with AttachmentModel and upload/download APIs
- Add @mentions with autocomplete and highlighting
- Add quick actions on dashboard rows
Collaboration (Phase 5):
- Add mention extraction in CommentModel
- Add mention autocomplete dropdown in ticket.js
- Add mention highlighting CSS styles
Admin & Export (Phase 6):
- Add StatsModel for dashboard widgets
- Add dashboard stats cards (open, critical, unassigned, etc.)
- Add CSV/JSON export via export_tickets API
- Add rich text editor toolbar in markdown.js
- Add RecurringTicketModel with cron job
- Add CustomFieldModel for per-category fields
- Add admin views: RecurringTickets, CustomFields, Workflow,
Templates, AuditLog, UserActivity
- Add admin APIs: manage_workflows, manage_templates,
manage_recurring, custom_fields, get_users
- Add admin routes in index.php
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-20 09:55:01 -05:00
|
|
|
// Determine if we should display inline or force download
|
|
|
|
|
$inline = isset($_GET['inline']) && $_GET['inline'] === '1';
|
|
|
|
|
$inlineTypes = ['image/jpeg', 'image/png', 'image/gif', 'image/webp', 'application/pdf', 'text/plain'];
|
|
|
|
|
|
|
|
|
|
// Set headers
|
|
|
|
|
$disposition = ($inline && in_array($attachment['mime_type'], $inlineTypes)) ? 'inline' : 'attachment';
|
|
|
|
|
|
|
|
|
|
// Sanitize filename for Content-Disposition
|
|
|
|
|
$safeFilename = preg_replace('/[^\w\s\-\.]/', '_', $attachment['original_filename']);
|
|
|
|
|
|
|
|
|
|
header('Content-Type: ' . $attachment['mime_type']);
|
|
|
|
|
header('Content-Disposition: ' . $disposition . '; filename="' . $safeFilename . '"');
|
|
|
|
|
header('Content-Length: ' . $attachment['file_size']);
|
|
|
|
|
header('Cache-Control: private, max-age=3600');
|
|
|
|
|
header('X-Content-Type-Options: nosniff');
|
|
|
|
|
|
|
|
|
|
// Prevent PHP from timing out on large files
|
|
|
|
|
set_time_limit(0);
|
|
|
|
|
|
|
|
|
|
// Clear output buffer
|
|
|
|
|
if (ob_get_level()) {
|
|
|
|
|
ob_end_clean();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Stream file
|
|
|
|
|
$handle = fopen($filePath, 'rb');
|
|
|
|
|
if ($handle === false) {
|
|
|
|
|
http_response_code(500);
|
|
|
|
|
header('Content-Type: application/json');
|
|
|
|
|
echo json_encode(['success' => false, 'error' => 'Failed to open file']);
|
|
|
|
|
exit;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
while (!feof($handle)) {
|
|
|
|
|
echo fread($handle, 8192);
|
|
|
|
|
flush();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
fclose($handle);
|
|
|
|
|
exit;
|
|
|
|
|
|
|
|
|
|
} catch (Exception $e) {
|
|
|
|
|
http_response_code(500);
|
|
|
|
|
header('Content-Type: application/json');
|
|
|
|
|
echo json_encode(['success' => false, 'error' => 'Failed to download attachment']);
|
|
|
|
|
exit;
|
|
|
|
|
}
|