api/add_comment.php

<?php
// Disable error display in the output
ini_set('display_errors', 0);
error_reporting(E_ALL);

// Apply rate limiting
require_once dirname(__DIR__) . '/middleware/RateLimitMiddleware.php';
RateLimitMiddleware::apply('api');

// Start output buffering to capture any errors
ob_start();

try {
    // Include required files with proper error handling
    $configPath = dirname(__DIR__) . '/config/config.php';
    $commentModelPath = dirname(__DIR__) . '/models/CommentModel.php';
    $auditLogModelPath = dirname(__DIR__) . '/models/AuditLogModel.php';

    if (!file_exists($configPath)) {
        throw new Exception("Config file not found: $configPath");
    }

    if (!file_exists($commentModelPath)) {
        throw new Exception("CommentModel file not found: $commentModelPath");
    }

    require_once $configPath;
    require_once $commentModelPath;
    require_once $auditLogModelPath;

    // Check authentication via session
    session_start();
    if (!isset($_SESSION['user']) || !isset($_SESSION['user']['user_id'])) {
        throw new Exception("Authentication required");
    }

    // CSRF Protection
    require_once dirname(__DIR__) . '/middleware/CsrfMiddleware.php';
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        $csrfToken = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
        if (!CsrfMiddleware::validateToken($csrfToken)) {
            http_response_code(403);
            header('Content-Type: application/json');
            echo json_encode(['success' => false, 'error' => 'Invalid CSRF token']);
            exit;
        }
    }

    $currentUser = $_SESSION['user'];
    $userId = $currentUser['user_id'];

    // Create database connection
    $conn = new mysqli(
        $GLOBALS['config']['DB_HOST'],
        $GLOBALS['config']['DB_USER'],
        $GLOBALS['config']['DB_PASS'],
        $GLOBALS['config']['DB_NAME']
    );

    if ($conn->connect_error) {
        throw new Exception("Database connection failed: " . $conn->connect_error);
    }

    // Get POST data
    $data = json_decode(file_get_contents('php://input'), true);

    if (!$data) {
        throw new Exception("Invalid JSON data received");
    }

    $ticketId = $data['ticket_id'];

    // Initialize models
    $commentModel = new CommentModel($conn);
    $auditLog = new AuditLogModel($conn);

    // Extract @mentions from comment text
    $mentions = $commentModel->extractMentions($data['comment_text'] ?? '');
    $mentionedUsers = [];
    if (!empty($mentions)) {
        $mentionedUsers = $commentModel->getMentionedUsers($mentions);
    }

    // Add comment with user tracking
    $result = $commentModel->addComment($ticketId, $data, $userId);

    // Log comment creation to audit log
    if ($result['success'] && isset($result['comment_id'])) {
        $auditLog->logCommentCreate($userId, $result['comment_id'], $ticketId);

        // Log mentions to audit log
        foreach ($mentionedUsers as $mentionedUser) {
            $auditLog->log(
                $userId,
                'mention',
                'user',
                (string)$mentionedUser['user_id'],
                [
                    'ticket_id' => $ticketId,
                    'comment_id' => $result['comment_id'],
                    'mentioned_username' => $mentionedUser['username']
                ]
            );
        }

        // Add mentioned users to result for frontend
        $result['mentions'] = array_map(function($u) {
            return $u['username'];
        }, $mentionedUsers);
    }

    // Add user display name to result for frontend
    if ($result['success']) {
        $result['user_name'] = $currentUser['display_name'] ?? $currentUser['username'];
    }

    // Discard any unexpected output
    ob_end_clean();

    // Return JSON response
    header('Content-Type: application/json');
    echo json_encode($result);
    
} catch (Exception $e) {
    // Discard any unexpected output
    ob_end_clean();
    
    // Return error response
    header('Content-Type: application/json');
    echo json_encode([
        'success' => false,
        'error' => $e->getMessage()
    ]);
}
Re-did everything, Now is modulaar and better bro. 2025-05-16 20:02:49 -04:00			`<?php`
			`// Disable error display in the output`
			`ini_set('display_errors', 0);`
			`error_reporting(E_ALL);`

Implement comprehensive improvement plan (Phases 1-6) Security (Phase 1-2): - Add SecurityHeadersMiddleware with CSP, X-Frame-Options, etc. - Add RateLimitMiddleware for API rate limiting - Add security event logging to AuditLogModel - Add ResponseHelper for standardized API responses - Update config.php with security constants Database (Phase 3): - Add migration 014 for additional indexes - Add migration 015 for ticket dependencies - Add migration 016 for ticket attachments - Add migration 017 for recurring tickets - Add migration 018 for custom fields Features (Phase 4-5): - Add ticket dependencies with DependencyModel and API - Add duplicate detection with check_duplicates API - Add file attachments with AttachmentModel and upload/download APIs - Add @mentions with autocomplete and highlighting - Add quick actions on dashboard rows Collaboration (Phase 5): - Add mention extraction in CommentModel - Add mention autocomplete dropdown in ticket.js - Add mention highlighting CSS styles Admin & Export (Phase 6): - Add StatsModel for dashboard widgets - Add dashboard stats cards (open, critical, unassigned, etc.) - Add CSV/JSON export via export_tickets API - Add rich text editor toolbar in markdown.js - Add RecurringTicketModel with cron job - Add CustomFieldModel for per-category fields - Add admin views: RecurringTickets, CustomFields, Workflow, Templates, AuditLog, UserActivity - Add admin APIs: manage_workflows, manage_templates, manage_recurring, custom_fields, get_users - Add admin routes in index.php Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-20 09:55:01 -05:00			`// Apply rate limiting`
			`require_once dirname(__DIR__) . '/middleware/RateLimitMiddleware.php';`
			`RateLimitMiddleware::apply('api');`

Re-did everything, Now is modulaar and better bro. 2025-05-16 20:02:49 -04:00			`// Start output buffering to capture any errors`
			`ob_start();`

			`try {`
			`// Include required files with proper error handling`
			`$configPath = dirname(__DIR__) . '/config/config.php';`
			`$commentModelPath = dirname(__DIR__) . '/models/CommentModel.php';`
SSO Update :) 2026-01-01 15:40:32 -05:00			`$auditLogModelPath = dirname(__DIR__) . '/models/AuditLogModel.php';`

Re-did everything, Now is modulaar and better bro. 2025-05-16 20:02:49 -04:00			`if (!file_exists($configPath)) {`
			`throw new Exception("Config file not found: $configPath");`
			`}`
SSO Update :) 2026-01-01 15:40:32 -05:00
Re-did everything, Now is modulaar and better bro. 2025-05-16 20:02:49 -04:00			`if (!file_exists($commentModelPath)) {`
			`throw new Exception("CommentModel file not found: $commentModelPath");`
			`}`
SSO Update :) 2026-01-01 15:40:32 -05:00
Re-did everything, Now is modulaar and better bro. 2025-05-16 20:02:49 -04:00			`require_once $configPath;`
			`require_once $commentModelPath;`
SSO Update :) 2026-01-01 15:40:32 -05:00			`require_once $auditLogModelPath;`

			`// Check authentication via session`
			`session_start();`
			`if (!isset($_SESSION['user']) \|\| !isset($_SESSION['user']['user_id'])) {`
			`throw new Exception("Authentication required");`
			`}`

feat: Add CSRF protection to critical API endpoints - Add CSRF validation to update_ticket.php - Add CSRF validation to add_comment.php - Add CSRF validation to bulk_operation.php - All POST/PUT requests now require valid CSRF token Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> 2026-01-09 12:32:34 -05:00			`// CSRF Protection`
			`require_once dirname(__DIR__) . '/middleware/CsrfMiddleware.php';`
			`if ($_SERVER['REQUEST_METHOD'] === 'POST') {`
			`$csrfToken = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';`
			`if (!CsrfMiddleware::validateToken($csrfToken)) {`
			`http_response_code(403);`
			`header('Content-Type: application/json');`
			`echo json_encode(['success' => false, 'error' => 'Invalid CSRF token']);`
			`exit;`
			`}`
			`}`

SSO Update :) 2026-01-01 15:40:32 -05:00			`$currentUser = $_SESSION['user'];`
			`$userId = $currentUser['user_id'];`

Re-did everything, Now is modulaar and better bro. 2025-05-16 20:02:49 -04:00			`// Create database connection`
			`$conn = new mysqli(`
			`$GLOBALS['config']['DB_HOST'],`
			`$GLOBALS['config']['DB_USER'],`
			`$GLOBALS['config']['DB_PASS'],`
			`$GLOBALS['config']['DB_NAME']`
			`);`
SSO Update :) 2026-01-01 15:40:32 -05:00
Re-did everything, Now is modulaar and better bro. 2025-05-16 20:02:49 -04:00			`if ($conn->connect_error) {`
			`throw new Exception("Database connection failed: " . $conn->connect_error);`
			`}`
SSO Update :) 2026-01-01 15:40:32 -05:00
Re-did everything, Now is modulaar and better bro. 2025-05-16 20:02:49 -04:00			`// Get POST data`
			`$data = json_decode(file_get_contents('php://input'), true);`
SSO Update :) 2026-01-01 15:40:32 -05:00
Re-did everything, Now is modulaar and better bro. 2025-05-16 20:02:49 -04:00			`if (!$data) {`
			`throw new Exception("Invalid JSON data received");`
			`}`
SSO Update :) 2026-01-01 15:40:32 -05:00
Re-did everything, Now is modulaar and better bro. 2025-05-16 20:02:49 -04:00			`$ticketId = $data['ticket_id'];`
SSO Update :) 2026-01-01 15:40:32 -05:00
			`// Initialize models`
Re-did everything, Now is modulaar and better bro. 2025-05-16 20:02:49 -04:00			`$commentModel = new CommentModel($conn);`
SSO Update :) 2026-01-01 15:40:32 -05:00			`$auditLog = new AuditLogModel($conn);`

Implement comprehensive improvement plan (Phases 1-6) Security (Phase 1-2): - Add SecurityHeadersMiddleware with CSP, X-Frame-Options, etc. - Add RateLimitMiddleware for API rate limiting - Add security event logging to AuditLogModel - Add ResponseHelper for standardized API responses - Update config.php with security constants Database (Phase 3): - Add migration 014 for additional indexes - Add migration 015 for ticket dependencies - Add migration 016 for ticket attachments - Add migration 017 for recurring tickets - Add migration 018 for custom fields Features (Phase 4-5): - Add ticket dependencies with DependencyModel and API - Add duplicate detection with check_duplicates API - Add file attachments with AttachmentModel and upload/download APIs - Add @mentions with autocomplete and highlighting - Add quick actions on dashboard rows Collaboration (Phase 5): - Add mention extraction in CommentModel - Add mention autocomplete dropdown in ticket.js - Add mention highlighting CSS styles Admin & Export (Phase 6): - Add StatsModel for dashboard widgets - Add dashboard stats cards (open, critical, unassigned, etc.) - Add CSV/JSON export via export_tickets API - Add rich text editor toolbar in markdown.js - Add RecurringTicketModel with cron job - Add CustomFieldModel for per-category fields - Add admin views: RecurringTickets, CustomFields, Workflow, Templates, AuditLog, UserActivity - Add admin APIs: manage_workflows, manage_templates, manage_recurring, custom_fields, get_users - Add admin routes in index.php Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-20 09:55:01 -05:00			`// Extract @mentions from comment text`
			`$mentions = $commentModel->extractMentions($data['comment_text'] ?? '');`
			`$mentionedUsers = [];`
			`if (!empty($mentions)) {`
			`$mentionedUsers = $commentModel->getMentionedUsers($mentions);`
			`}`

SSO Update :) 2026-01-01 15:40:32 -05:00			`// Add comment with user tracking`
			`$result = $commentModel->addComment($ticketId, $data, $userId);`

			`// Log comment creation to audit log`
			`if ($result['success'] && isset($result['comment_id'])) {`
			`$auditLog->logCommentCreate($userId, $result['comment_id'], $ticketId);`
Implement comprehensive improvement plan (Phases 1-6) Security (Phase 1-2): - Add SecurityHeadersMiddleware with CSP, X-Frame-Options, etc. - Add RateLimitMiddleware for API rate limiting - Add security event logging to AuditLogModel - Add ResponseHelper for standardized API responses - Update config.php with security constants Database (Phase 3): - Add migration 014 for additional indexes - Add migration 015 for ticket dependencies - Add migration 016 for ticket attachments - Add migration 017 for recurring tickets - Add migration 018 for custom fields Features (Phase 4-5): - Add ticket dependencies with DependencyModel and API - Add duplicate detection with check_duplicates API - Add file attachments with AttachmentModel and upload/download APIs - Add @mentions with autocomplete and highlighting - Add quick actions on dashboard rows Collaboration (Phase 5): - Add mention extraction in CommentModel - Add mention autocomplete dropdown in ticket.js - Add mention highlighting CSS styles Admin & Export (Phase 6): - Add StatsModel for dashboard widgets - Add dashboard stats cards (open, critical, unassigned, etc.) - Add CSV/JSON export via export_tickets API - Add rich text editor toolbar in markdown.js - Add RecurringTicketModel with cron job - Add CustomFieldModel for per-category fields - Add admin views: RecurringTickets, CustomFields, Workflow, Templates, AuditLog, UserActivity - Add admin APIs: manage_workflows, manage_templates, manage_recurring, custom_fields, get_users - Add admin routes in index.php Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-20 09:55:01 -05:00
			`// Log mentions to audit log`
			`foreach ($mentionedUsers as $mentionedUser) {`
			`$auditLog->log(`
			`$userId,`
			`'mention',`
			`'user',`
			`(string)$mentionedUser['user_id'],`
			`[`
			`'ticket_id' => $ticketId,`
			`'comment_id' => $result['comment_id'],`
			`'mentioned_username' => $mentionedUser['username']`
			`]`
			`);`
			`}`

			`// Add mentioned users to result for frontend`
			`$result['mentions'] = array_map(function($u) {`
			`return $u['username'];`
			`}, $mentionedUsers);`
SSO Update :) 2026-01-01 15:40:32 -05:00			`}`

Username not live updating & css overlap bug 2026-01-01 16:14:56 -05:00			`// Add user display name to result for frontend`
			`if ($result['success']) {`
			`$result['user_name'] = $currentUser['display_name'] ?? $currentUser['username'];`
			`}`

Re-did everything, Now is modulaar and better bro. 2025-05-16 20:02:49 -04:00			`// Discard any unexpected output`
			`ob_end_clean();`
SSO Update :) 2026-01-01 15:40:32 -05:00
Re-did everything, Now is modulaar and better bro. 2025-05-16 20:02:49 -04:00			`// Return JSON response`
			`header('Content-Type: application/json');`
			`echo json_encode($result);`

			`} catch (Exception $e) {`
			`// Discard any unexpected output`
			`ob_end_clean();`

			`// Return error response`
			`header('Content-Type: application/json');`
			`echo json_encode([`
			`'success' => false,`
			`'error' => $e->getMessage()`
			`]);`
			`}`