api/add_comment.php

<?php
// Disable error display in the output
ini_set('display_errors', 0);
error_reporting(E_ALL);

// Apply rate limiting
require_once dirname(__DIR__) . '/middleware/RateLimitMiddleware.php';
RateLimitMiddleware::apply('api');

// Start output buffering to capture any errors
ob_start();

try {
    // Include required files with proper error handling
    $configPath = dirname(__DIR__) . '/config/config.php';
    $commentModelPath = dirname(__DIR__) . '/models/CommentModel.php';
    $auditLogModelPath = dirname(__DIR__) . '/models/AuditLogModel.php';

    if (!file_exists($configPath)) {
        throw new Exception("Config file not found: $configPath");
    }

    if (!file_exists($commentModelPath)) {
        throw new Exception("CommentModel file not found: $commentModelPath");
    }

    require_once $configPath;
    require_once $commentModelPath;
    require_once $auditLogModelPath;
    require_once dirname(__DIR__) . '/helpers/Database.php';

    // Check authentication via session
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    if (!isset($_SESSION['user']) || !isset($_SESSION['user']['user_id'])) {
        throw new Exception("Authentication required");
    }

    // CSRF Protection
    require_once dirname(__DIR__) . '/middleware/CsrfMiddleware.php';
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        $csrfToken = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
        if (!CsrfMiddleware::validateToken($csrfToken)) {
            http_response_code(403);
            header('Content-Type: application/json');
            echo json_encode(['success' => false, 'error' => 'Invalid CSRF token']);
            exit;
        }
    }

    $currentUser = $_SESSION['user'];
    $userId = $currentUser['user_id'];

    // Use centralized database connection
    $conn = Database::getConnection();

    // Get POST data
    $data = json_decode(file_get_contents('php://input'), true);

    if (!$data) {
        throw new Exception("Invalid JSON data received");
    }

    $ticketId = $data['ticket_id'];

    // Initialize models
    $commentModel = new CommentModel($conn);
    $auditLog = new AuditLogModel($conn);

    // Extract @mentions from comment text
    $mentions = $commentModel->extractMentions($data['comment_text'] ?? '');
    $mentionedUsers = [];
    if (!empty($mentions)) {
        $mentionedUsers = $commentModel->getMentionedUsers($mentions);
    }

    // Add comment with user tracking
    $result = $commentModel->addComment($ticketId, $data, $userId);

    // Log comment creation to audit log
    if ($result['success'] && isset($result['comment_id'])) {
        $auditLog->logCommentCreate($userId, $result['comment_id'], $ticketId);

        // Log mentions to audit log
        foreach ($mentionedUsers as $mentionedUser) {
            $auditLog->log(
                $userId,
                'mention',
                'user',
                (string)$mentionedUser['user_id'],
                [
                    'ticket_id' => $ticketId,
                    'comment_id' => $result['comment_id'],
                    'mentioned_username' => $mentionedUser['username']
                ]
            );
        }

        // Add mentioned users to result for frontend
        $result['mentions'] = array_map(function($u) {
            return $u['username'];
        }, $mentionedUsers);
    }

    // Add user display name to result for frontend
    if ($result['success']) {
        $result['user_name'] = $currentUser['display_name'] ?? $currentUser['username'];
    }

    // Discard any unexpected output
    ob_end_clean();

    // Return JSON response
    header('Content-Type: application/json');
    echo json_encode($result);
    
} catch (Exception $e) {
    // Discard any unexpected output
    ob_end_clean();

    // Log error details but don't expose to client
    error_log("Add comment API error: " . $e->getMessage());

    // Return error response
    header('Content-Type: application/json');
    echo json_encode([
        'success' => false,
        'error' => 'An internal error occurred'
    ]);
}
Re-did everything, Now is modulaar and better bro. 2025-05-16 20:02:49 -04:00			`<?php`
			`// Disable error display in the output`
			`ini_set('display_errors', 0);`
			`error_reporting(E_ALL);`

Implement comprehensive improvement plan (Phases 1-6) Security (Phase 1-2): - Add SecurityHeadersMiddleware with CSP, X-Frame-Options, etc. - Add RateLimitMiddleware for API rate limiting - Add security event logging to AuditLogModel - Add ResponseHelper for standardized API responses - Update config.php with security constants Database (Phase 3): - Add migration 014 for additional indexes - Add migration 015 for ticket dependencies - Add migration 016 for ticket attachments - Add migration 017 for recurring tickets - Add migration 018 for custom fields Features (Phase 4-5): - Add ticket dependencies with DependencyModel and API - Add duplicate detection with check_duplicates API - Add file attachments with AttachmentModel and upload/download APIs - Add @mentions with autocomplete and highlighting - Add quick actions on dashboard rows Collaboration (Phase 5): - Add mention extraction in CommentModel - Add mention autocomplete dropdown in ticket.js - Add mention highlighting CSS styles Admin & Export (Phase 6): - Add StatsModel for dashboard widgets - Add dashboard stats cards (open, critical, unassigned, etc.) - Add CSV/JSON export via export_tickets API - Add rich text editor toolbar in markdown.js - Add RecurringTicketModel with cron job - Add CustomFieldModel for per-category fields - Add admin views: RecurringTickets, CustomFields, Workflow, Templates, AuditLog, UserActivity - Add admin APIs: manage_workflows, manage_templates, manage_recurring, custom_fields, get_users - Add admin routes in index.php Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-20 09:55:01 -05:00			`// Apply rate limiting`
			`require_once dirname(__DIR__) . '/middleware/RateLimitMiddleware.php';`
			`RateLimitMiddleware::apply('api');`

Re-did everything, Now is modulaar and better bro. 2025-05-16 20:02:49 -04:00			`// Start output buffering to capture any errors`
			`ob_start();`

			`try {`
			`// Include required files with proper error handling`
			`$configPath = dirname(__DIR__) . '/config/config.php';`
			`$commentModelPath = dirname(__DIR__) . '/models/CommentModel.php';`
SSO Update :) 2026-01-01 15:40:32 -05:00			`$auditLogModelPath = dirname(__DIR__) . '/models/AuditLogModel.php';`

Re-did everything, Now is modulaar and better bro. 2025-05-16 20:02:49 -04:00			`if (!file_exists($configPath)) {`
			`throw new Exception("Config file not found: $configPath");`
			`}`
SSO Update :) 2026-01-01 15:40:32 -05:00
Re-did everything, Now is modulaar and better bro. 2025-05-16 20:02:49 -04:00			`if (!file_exists($commentModelPath)) {`
			`throw new Exception("CommentModel file not found: $commentModelPath");`
			`}`
SSO Update :) 2026-01-01 15:40:32 -05:00
Re-did everything, Now is modulaar and better bro. 2025-05-16 20:02:49 -04:00			`require_once $configPath;`
			`require_once $commentModelPath;`
SSO Update :) 2026-01-01 15:40:32 -05:00			`require_once $auditLogModelPath;`
Add performance, security, and reliability improvements - Consolidate all 20 API files to use centralized Database helper - Add optimistic locking to ticket updates to prevent concurrent conflicts - Add caching to StatsModel (60s TTL) for dashboard performance - Add health check endpoint (api/health.php) for monitoring - Improve rate limit cleanup with cron script and efficient DirectoryIterator - Enable rate limit response headers (X-RateLimit-*) - Add audit logging for workflow transitions - Log Discord webhook failures instead of silencing - Fix visibility check on export_tickets.php - Add database migration system with performance indexes - Fix cron recurring tickets to use assignTicket method Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-30 14:39:13 -05:00			`require_once dirname(__DIR__) . '/helpers/Database.php';`
SSO Update :) 2026-01-01 15:40:32 -05:00
			`// Check authentication via session`
Integrate web_template design system and fix security/quality issues Security fixes: - Add HTTP method validation to delete_comment.php (block CSRF via GET) - Remove $_GET fallback in comment deletion (was CSRF bypass vector) - Guard session_start() with session_status() check across API files - Escape json_encode() data attributes with htmlspecialchars in views - Escape inline APP_TIMEZONE config values in DashboardView/TicketView - Validate timezone param against DateTimeZone::listIdentifiers() in index.php - Remove Database::escape() (was using real_escape_string, not safe) - Fix AttachmentModel hardcoded connection; inject via constructor Backend fixes: - Fix CommentModel bind_param type for ticket_id (s→i) - Fix buildCommentThread orphan parent guard - Fix StatsModel JOIN→LEFT JOIN so unassigned tickets aren't excluded - Add ticket ID validation in BulkOperationsModel before implode() - Add duplicate key retry in TicketModel::createTicket() for race conditions - Wrap SavedFiltersModel default filter changes in transactions - Add null result guards in WorkflowModel query methods Frontend JS: - Rewrite toast.js as lt.toast shim (base.js dependency) - Delegate escapeHtml() to lt.escHtml() - Rewrite keyboard-shortcuts.js using lt.keys.on() - Migrate settings.js to lt.api.* and lt.modal.open/close() - Migrate advanced-search.js to lt.api.* and lt.modal.open/close() - Migrate dashboard.js fetch calls to lt.api.*; update all dynamic modals (bulk ops, quick actions, confirm/input) to lt-modal structure - Migrate ticket.js fetchMentionUsers to lt.api.get() - Remove console.log/error/warn calls from JS files Views: - Add /web_template/base.css and base.js to all 10 view files - Call lt.keys.initDefaults() in DashboardView, TicketView, admin views - Migrate all modal HTML from settings-modal/settings-content to lt-modal-overlay/lt-modal/lt-modal-header/lt-modal-body/lt-modal-footer - Replace style="display:none" with aria-hidden="true" on all modals - Replace modal open/close style.display with lt.modal.open/close() - Update modal buttons to lt-btn lt-btn-primary/lt-btn-ghost classes - Remove manual ESC keydown handlers (replaced by lt.keys.initDefaults) - Fix unescaped timezone values in TicketView inline script Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-03-17 23:22:24 -04:00			`if (session_status() === PHP_SESSION_NONE) {`
			`session_start();`
			`}`
SSO Update :) 2026-01-01 15:40:32 -05:00			`if (!isset($_SESSION['user']) \|\| !isset($_SESSION['user']['user_id'])) {`
			`throw new Exception("Authentication required");`
			`}`

feat: Add CSRF protection to critical API endpoints - Add CSRF validation to update_ticket.php - Add CSRF validation to add_comment.php - Add CSRF validation to bulk_operation.php - All POST/PUT requests now require valid CSRF token Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> 2026-01-09 12:32:34 -05:00			`// CSRF Protection`
			`require_once dirname(__DIR__) . '/middleware/CsrfMiddleware.php';`
			`if ($_SERVER['REQUEST_METHOD'] === 'POST') {`
			`$csrfToken = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';`
			`if (!CsrfMiddleware::validateToken($csrfToken)) {`
			`http_response_code(403);`
			`header('Content-Type: application/json');`
			`echo json_encode(['success' => false, 'error' => 'Invalid CSRF token']);`
			`exit;`
			`}`
			`}`

SSO Update :) 2026-01-01 15:40:32 -05:00			`$currentUser = $_SESSION['user'];`
			`$userId = $currentUser['user_id'];`

Add performance, security, and reliability improvements - Consolidate all 20 API files to use centralized Database helper - Add optimistic locking to ticket updates to prevent concurrent conflicts - Add caching to StatsModel (60s TTL) for dashboard performance - Add health check endpoint (api/health.php) for monitoring - Improve rate limit cleanup with cron script and efficient DirectoryIterator - Enable rate limit response headers (X-RateLimit-*) - Add audit logging for workflow transitions - Log Discord webhook failures instead of silencing - Fix visibility check on export_tickets.php - Add database migration system with performance indexes - Fix cron recurring tickets to use assignTicket method Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-30 14:39:13 -05:00			`// Use centralized database connection`
			`$conn = Database::getConnection();`
SSO Update :) 2026-01-01 15:40:32 -05:00
Re-did everything, Now is modulaar and better bro. 2025-05-16 20:02:49 -04:00			`// Get POST data`
			`$data = json_decode(file_get_contents('php://input'), true);`
SSO Update :) 2026-01-01 15:40:32 -05:00
Re-did everything, Now is modulaar and better bro. 2025-05-16 20:02:49 -04:00			`if (!$data) {`
			`throw new Exception("Invalid JSON data received");`
			`}`
SSO Update :) 2026-01-01 15:40:32 -05:00
Re-did everything, Now is modulaar and better bro. 2025-05-16 20:02:49 -04:00			`$ticketId = $data['ticket_id'];`
SSO Update :) 2026-01-01 15:40:32 -05:00
			`// Initialize models`
Re-did everything, Now is modulaar and better bro. 2025-05-16 20:02:49 -04:00			`$commentModel = new CommentModel($conn);`
SSO Update :) 2026-01-01 15:40:32 -05:00			`$auditLog = new AuditLogModel($conn);`

Implement comprehensive improvement plan (Phases 1-6) Security (Phase 1-2): - Add SecurityHeadersMiddleware with CSP, X-Frame-Options, etc. - Add RateLimitMiddleware for API rate limiting - Add security event logging to AuditLogModel - Add ResponseHelper for standardized API responses - Update config.php with security constants Database (Phase 3): - Add migration 014 for additional indexes - Add migration 015 for ticket dependencies - Add migration 016 for ticket attachments - Add migration 017 for recurring tickets - Add migration 018 for custom fields Features (Phase 4-5): - Add ticket dependencies with DependencyModel and API - Add duplicate detection with check_duplicates API - Add file attachments with AttachmentModel and upload/download APIs - Add @mentions with autocomplete and highlighting - Add quick actions on dashboard rows Collaboration (Phase 5): - Add mention extraction in CommentModel - Add mention autocomplete dropdown in ticket.js - Add mention highlighting CSS styles Admin & Export (Phase 6): - Add StatsModel for dashboard widgets - Add dashboard stats cards (open, critical, unassigned, etc.) - Add CSV/JSON export via export_tickets API - Add rich text editor toolbar in markdown.js - Add RecurringTicketModel with cron job - Add CustomFieldModel for per-category fields - Add admin views: RecurringTickets, CustomFields, Workflow, Templates, AuditLog, UserActivity - Add admin APIs: manage_workflows, manage_templates, manage_recurring, custom_fields, get_users - Add admin routes in index.php Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-20 09:55:01 -05:00			`// Extract @mentions from comment text`
			`$mentions = $commentModel->extractMentions($data['comment_text'] ?? '');`
			`$mentionedUsers = [];`
			`if (!empty($mentions)) {`
			`$mentionedUsers = $commentModel->getMentionedUsers($mentions);`
			`}`

SSO Update :) 2026-01-01 15:40:32 -05:00			`// Add comment with user tracking`
			`$result = $commentModel->addComment($ticketId, $data, $userId);`

			`// Log comment creation to audit log`
			`if ($result['success'] && isset($result['comment_id'])) {`
			`$auditLog->logCommentCreate($userId, $result['comment_id'], $ticketId);`
Implement comprehensive improvement plan (Phases 1-6) Security (Phase 1-2): - Add SecurityHeadersMiddleware with CSP, X-Frame-Options, etc. - Add RateLimitMiddleware for API rate limiting - Add security event logging to AuditLogModel - Add ResponseHelper for standardized API responses - Update config.php with security constants Database (Phase 3): - Add migration 014 for additional indexes - Add migration 015 for ticket dependencies - Add migration 016 for ticket attachments - Add migration 017 for recurring tickets - Add migration 018 for custom fields Features (Phase 4-5): - Add ticket dependencies with DependencyModel and API - Add duplicate detection with check_duplicates API - Add file attachments with AttachmentModel and upload/download APIs - Add @mentions with autocomplete and highlighting - Add quick actions on dashboard rows Collaboration (Phase 5): - Add mention extraction in CommentModel - Add mention autocomplete dropdown in ticket.js - Add mention highlighting CSS styles Admin & Export (Phase 6): - Add StatsModel for dashboard widgets - Add dashboard stats cards (open, critical, unassigned, etc.) - Add CSV/JSON export via export_tickets API - Add rich text editor toolbar in markdown.js - Add RecurringTicketModel with cron job - Add CustomFieldModel for per-category fields - Add admin views: RecurringTickets, CustomFields, Workflow, Templates, AuditLog, UserActivity - Add admin APIs: manage_workflows, manage_templates, manage_recurring, custom_fields, get_users - Add admin routes in index.php Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-20 09:55:01 -05:00
			`// Log mentions to audit log`
			`foreach ($mentionedUsers as $mentionedUser) {`
			`$auditLog->log(`
			`$userId,`
			`'mention',`
			`'user',`
			`(string)$mentionedUser['user_id'],`
			`[`
			`'ticket_id' => $ticketId,`
			`'comment_id' => $result['comment_id'],`
			`'mentioned_username' => $mentionedUser['username']`
			`]`
			`);`
			`}`

			`// Add mentioned users to result for frontend`
			`$result['mentions'] = array_map(function($u) {`
			`return $u['username'];`
			`}, $mentionedUsers);`
SSO Update :) 2026-01-01 15:40:32 -05:00			`}`

Username not live updating & css overlap bug 2026-01-01 16:14:56 -05:00			`// Add user display name to result for frontend`
			`if ($result['success']) {`
			`$result['user_name'] = $currentUser['display_name'] ?? $currentUser['username'];`
			`}`

Re-did everything, Now is modulaar and better bro. 2025-05-16 20:02:49 -04:00			`// Discard any unexpected output`
			`ob_end_clean();`
SSO Update :) 2026-01-01 15:40:32 -05:00
Re-did everything, Now is modulaar and better bro. 2025-05-16 20:02:49 -04:00			`// Return JSON response`
			`header('Content-Type: application/json');`
			`echo json_encode($result);`

			`} catch (Exception $e) {`
			`// Discard any unexpected output`
			`ob_end_clean();`
Fix error message disclosure in API endpoints Replace exception getMessage() exposure with generic error messages to prevent internal information disclosure. Errors are now logged with full details while clients receive sanitized responses. Affected endpoints: - add_comment, update_comment, delete_comment - update_ticket, export_tickets - generate_api_key, revoke_api_key - manage_templates, manage_workflows, manage_recurring - custom_fields, get_users Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-30 18:56:29 -05:00
			`// Log error details but don't expose to client`
			`error_log("Add comment API error: " . $e->getMessage());`

Re-did everything, Now is modulaar and better bro. 2025-05-16 20:02:49 -04:00			`// Return error response`
			`header('Content-Type: application/json');`
			`echo json_encode([`
			`'success' => false,`
Fix error message disclosure in API endpoints Replace exception getMessage() exposure with generic error messages to prevent internal information disclosure. Errors are now logged with full details while clients receive sanitized responses. Affected endpoints: - add_comment, update_comment, delete_comment - update_ticket, export_tickets - generate_api_key, revoke_api_key - manage_templates, manage_workflows, manage_recurring - custom_fields, get_users Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-30 18:56:29 -05:00			`'error' => 'An internal error occurred'`
Re-did everything, Now is modulaar and better bro. 2025-05-16 20:02:49 -04:00			`]);`
			`}`