api/bulk_operation.php

<?php
// Apply rate limiting
require_once dirname(__DIR__) . '/middleware/RateLimitMiddleware.php';
RateLimitMiddleware::apply('api');

session_start();
require_once dirname(__DIR__) . '/config/config.php';
require_once dirname(__DIR__) . '/helpers/Database.php';
require_once dirname(__DIR__) . '/models/BulkOperationsModel.php';
require_once dirname(__DIR__) . '/models/TicketModel.php';
require_once dirname(__DIR__) . '/models/AuditLogModel.php';

header('Content-Type: application/json');

// Check authentication
if (!isset($_SESSION['user']) || !isset($_SESSION['user']['user_id'])) {
    echo json_encode(['success' => false, 'error' => 'Not authenticated']);
    exit;
}

// CSRF Protection
require_once dirname(__DIR__) . '/middleware/CsrfMiddleware.php';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $csrfToken = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
    if (!CsrfMiddleware::validateToken($csrfToken)) {
        http_response_code(403);
        echo json_encode(['success' => false, 'error' => 'Invalid CSRF token']);
        exit;
    }
}

// Check admin status - bulk operations are admin-only
$isAdmin = $_SESSION['user']['is_admin'] ?? false;
if (!$isAdmin) {
    echo json_encode(['success' => false, 'error' => 'Admin access required']);
    exit;
}

// Get request data
$data = json_decode(file_get_contents('php://input'), true);
$operationType = $data['operation_type'] ?? null;
$ticketIds = $data['ticket_ids'] ?? [];
$parameters = $data['parameters'] ?? null;

// Validate input
if (!$operationType || empty($ticketIds)) {
    echo json_encode(['success' => false, 'error' => 'Operation type and ticket IDs required']);
    exit;
}

// Validate ticket IDs are integers
foreach ($ticketIds as $ticketId) {
    if (!is_numeric($ticketId)) {
        echo json_encode(['success' => false, 'error' => 'Invalid ticket ID format']);
        exit;
    }
}

// Use centralized database connection
$conn = Database::getConnection();

$bulkOpsModel = new BulkOperationsModel($conn);
$ticketModel = new TicketModel($conn);

// Verify user can access all tickets in the bulk operation
// (Admins can access all, but this is defense-in-depth)
$accessibleTicketIds = [];
$inaccessibleCount = 0;
$tickets = $ticketModel->getTicketsByIds($ticketIds);

foreach ($ticketIds as $ticketId) {
    $ticketId = trim($ticketId);
    $ticket = $tickets[$ticketId] ?? null;

    if ($ticket && $ticketModel->canUserAccessTicket($ticket, $_SESSION['user'])) {
        $accessibleTicketIds[] = $ticketId;
    } else {
        $inaccessibleCount++;
    }
}

if (empty($accessibleTicketIds)) {
    echo json_encode(['success' => false, 'error' => 'No accessible tickets in selection']);
    exit;
}

// Use only accessible ticket IDs
$ticketIds = $accessibleTicketIds;

// Create bulk operation record
$operationId = $bulkOpsModel->createBulkOperation($operationType, $ticketIds, $_SESSION['user']['user_id'], $parameters);

if (!$operationId) {
    echo json_encode(['success' => false, 'error' => 'Failed to create bulk operation']);
    exit;
}

// Process the bulk operation
$result = $bulkOpsModel->processBulkOperation($operationId);

$conn->close();

if (isset($result['error'])) {
    echo json_encode([
        'success' => false,
        'error' => $result['error']
    ]);
} else {
    $message = "Bulk operation completed: {$result['processed']} succeeded, {$result['failed']} failed";
    if ($inaccessibleCount > 0) {
        $message .= " ($inaccessibleCount skipped - no access)";
    }
    echo json_encode([
        'success' => true,
        'operation_id' => $operationId,
        'processed' => $result['processed'],
        'failed' => $result['failed'],
        'skipped' => $inaccessibleCount,
        'message' => $message
    ]);
}
Feature 5: Implement Bulk Actions (Admin Only) Add comprehensive bulk operations system for admins: - Created BulkOperationsModel.php with operation tracking and processing - Added bulk_operation.php API endpoint for bulk operations - Created get_users.php API endpoint for user dropdown in bulk assign - Updated DashboardView.php with checkboxes and bulk actions toolbar - Added JavaScript functions for: - Select all/clear selection - Bulk close tickets - Bulk assign tickets - Bulk change priority - Added comprehensive CSS for bulk actions toolbar and modals - All bulk operations are admin-only (enforced server-side) - Operations tracked in bulk_operations table with audit logging - Supports bulk_close, bulk_assign, and bulk_priority operations Admins can now select multiple tickets and perform batch operations, significantly improving workflow efficiency. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> 2026-01-01 19:06:33 -05:00			`<?php`
Implement comprehensive improvement plan (Phases 1-6) Security (Phase 1-2): - Add SecurityHeadersMiddleware with CSP, X-Frame-Options, etc. - Add RateLimitMiddleware for API rate limiting - Add security event logging to AuditLogModel - Add ResponseHelper for standardized API responses - Update config.php with security constants Database (Phase 3): - Add migration 014 for additional indexes - Add migration 015 for ticket dependencies - Add migration 016 for ticket attachments - Add migration 017 for recurring tickets - Add migration 018 for custom fields Features (Phase 4-5): - Add ticket dependencies with DependencyModel and API - Add duplicate detection with check_duplicates API - Add file attachments with AttachmentModel and upload/download APIs - Add @mentions with autocomplete and highlighting - Add quick actions on dashboard rows Collaboration (Phase 5): - Add mention extraction in CommentModel - Add mention autocomplete dropdown in ticket.js - Add mention highlighting CSS styles Admin & Export (Phase 6): - Add StatsModel for dashboard widgets - Add dashboard stats cards (open, critical, unassigned, etc.) - Add CSV/JSON export via export_tickets API - Add rich text editor toolbar in markdown.js - Add RecurringTicketModel with cron job - Add CustomFieldModel for per-category fields - Add admin views: RecurringTickets, CustomFields, Workflow, Templates, AuditLog, UserActivity - Add admin APIs: manage_workflows, manage_templates, manage_recurring, custom_fields, get_users - Add admin routes in index.php Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-20 09:55:01 -05:00			`// Apply rate limiting`
			`require_once dirname(__DIR__) . '/middleware/RateLimitMiddleware.php';`
			`RateLimitMiddleware::apply('api');`

Feature 5: Implement Bulk Actions (Admin Only) Add comprehensive bulk operations system for admins: - Created BulkOperationsModel.php with operation tracking and processing - Added bulk_operation.php API endpoint for bulk operations - Created get_users.php API endpoint for user dropdown in bulk assign - Updated DashboardView.php with checkboxes and bulk actions toolbar - Added JavaScript functions for: - Select all/clear selection - Bulk close tickets - Bulk assign tickets - Bulk change priority - Added comprehensive CSS for bulk actions toolbar and modals - All bulk operations are admin-only (enforced server-side) - Operations tracked in bulk_operations table with audit logging - Supports bulk_close, bulk_assign, and bulk_priority operations Admins can now select multiple tickets and perform batch operations, significantly improving workflow efficiency. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> 2026-01-01 19:06:33 -05:00			`session_start();`
Fix: Critical API and dark mode issues Fixed multiple critical issues reported by user: 1. API Configuration Errors: - Fixed all API files to use correct config path (config/config.php instead of config/db.php) - Fixed: get_users.php (bulk assign dropdown now loads users) - Fixed: get_template.php (templates now load correctly) - Fixed: bulk_operation.php (bulk operations now work) - Fixed: assign_ticket.php (manual assignment now works) 2. Dark Mode Improvements: - Added dark mode support for Activity tab content - Ensured proper text and background colors in dark mode All APIs now properly: - Load configuration from config/config.php - Use correct session variables ($_SESSION['user']['user_id']) - Create and close database connections properly - Return proper JSON responses 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> 2026-01-01 19:18:57 -05:00			`require_once dirname(__DIR__) . '/config/config.php';`
Add performance, security, and reliability improvements - Consolidate all 20 API files to use centralized Database helper - Add optimistic locking to ticket updates to prevent concurrent conflicts - Add caching to StatsModel (60s TTL) for dashboard performance - Add health check endpoint (api/health.php) for monitoring - Improve rate limit cleanup with cron script and efficient DirectoryIterator - Enable rate limit response headers (X-RateLimit-*) - Add audit logging for workflow transitions - Log Discord webhook failures instead of silencing - Fix visibility check on export_tickets.php - Add database migration system with performance indexes - Fix cron recurring tickets to use assignTicket method Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-30 14:39:13 -05:00			`require_once dirname(__DIR__) . '/helpers/Database.php';`
Feature 5: Implement Bulk Actions (Admin Only) Add comprehensive bulk operations system for admins: - Created BulkOperationsModel.php with operation tracking and processing - Added bulk_operation.php API endpoint for bulk operations - Created get_users.php API endpoint for user dropdown in bulk assign - Updated DashboardView.php with checkboxes and bulk actions toolbar - Added JavaScript functions for: - Select all/clear selection - Bulk close tickets - Bulk assign tickets - Bulk change priority - Added comprehensive CSS for bulk actions toolbar and modals - All bulk operations are admin-only (enforced server-side) - Operations tracked in bulk_operations table with audit logging - Supports bulk_close, bulk_assign, and bulk_priority operations Admins can now select multiple tickets and perform batch operations, significantly improving workflow efficiency. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> 2026-01-01 19:06:33 -05:00			`require_once dirname(__DIR__) . '/models/BulkOperationsModel.php';`
			`require_once dirname(__DIR__) . '/models/TicketModel.php';`
			`require_once dirname(__DIR__) . '/models/AuditLogModel.php';`

			`header('Content-Type: application/json');`

			`// Check authentication`
			`if (!isset($_SESSION['user']) \|\| !isset($_SESSION['user']['user_id'])) {`
			`echo json_encode(['success' => false, 'error' => 'Not authenticated']);`
			`exit;`
			`}`

feat: Add CSRF protection to critical API endpoints - Add CSRF validation to update_ticket.php - Add CSRF validation to add_comment.php - Add CSRF validation to bulk_operation.php - All POST/PUT requests now require valid CSRF token Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> 2026-01-09 12:32:34 -05:00			`// CSRF Protection`
			`require_once dirname(__DIR__) . '/middleware/CsrfMiddleware.php';`
			`if ($_SERVER['REQUEST_METHOD'] === 'POST') {`
			`$csrfToken = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';`
			`if (!CsrfMiddleware::validateToken($csrfToken)) {`
			`http_response_code(403);`
			`echo json_encode(['success' => false, 'error' => 'Invalid CSRF token']);`
			`exit;`
			`}`
			`}`

Feature 5: Implement Bulk Actions (Admin Only) Add comprehensive bulk operations system for admins: - Created BulkOperationsModel.php with operation tracking and processing - Added bulk_operation.php API endpoint for bulk operations - Created get_users.php API endpoint for user dropdown in bulk assign - Updated DashboardView.php with checkboxes and bulk actions toolbar - Added JavaScript functions for: - Select all/clear selection - Bulk close tickets - Bulk assign tickets - Bulk change priority - Added comprehensive CSS for bulk actions toolbar and modals - All bulk operations are admin-only (enforced server-side) - Operations tracked in bulk_operations table with audit logging - Supports bulk_close, bulk_assign, and bulk_priority operations Admins can now select multiple tickets and perform batch operations, significantly improving workflow efficiency. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> 2026-01-01 19:06:33 -05:00			`// Check admin status - bulk operations are admin-only`
			`$isAdmin = $_SESSION['user']['is_admin'] ?? false;`
			`if (!$isAdmin) {`
			`echo json_encode(['success' => false, 'error' => 'Admin access required']);`
			`exit;`
			`}`

			`// Get request data`
			`$data = json_decode(file_get_contents('php://input'), true);`
			`$operationType = $data['operation_type'] ?? null;`
			`$ticketIds = $data['ticket_ids'] ?? [];`
			`$parameters = $data['parameters'] ?? null;`

			`// Validate input`
			`if (!$operationType \|\| empty($ticketIds)) {`
			`echo json_encode(['success' => false, 'error' => 'Operation type and ticket IDs required']);`
			`exit;`
			`}`

			`// Validate ticket IDs are integers`
			`foreach ($ticketIds as $ticketId) {`
			`if (!is_numeric($ticketId)) {`
			`echo json_encode(['success' => false, 'error' => 'Invalid ticket ID format']);`
			`exit;`
			`}`
			`}`

Add performance, security, and reliability improvements - Consolidate all 20 API files to use centralized Database helper - Add optimistic locking to ticket updates to prevent concurrent conflicts - Add caching to StatsModel (60s TTL) for dashboard performance - Add health check endpoint (api/health.php) for monitoring - Improve rate limit cleanup with cron script and efficient DirectoryIterator - Enable rate limit response headers (X-RateLimit-*) - Add audit logging for workflow transitions - Log Discord webhook failures instead of silencing - Fix visibility check on export_tickets.php - Add database migration system with performance indexes - Fix cron recurring tickets to use assignTicket method Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-30 14:39:13 -05:00			`// Use centralized database connection`
			`$conn = Database::getConnection();`
Feature 5: Implement Bulk Actions (Admin Only) Add comprehensive bulk operations system for admins: - Created BulkOperationsModel.php with operation tracking and processing - Added bulk_operation.php API endpoint for bulk operations - Created get_users.php API endpoint for user dropdown in bulk assign - Updated DashboardView.php with checkboxes and bulk actions toolbar - Added JavaScript functions for: - Select all/clear selection - Bulk close tickets - Bulk assign tickets - Bulk change priority - Added comprehensive CSS for bulk actions toolbar and modals - All bulk operations are admin-only (enforced server-side) - Operations tracked in bulk_operations table with audit logging - Supports bulk_close, bulk_assign, and bulk_priority operations Admins can now select multiple tickets and perform batch operations, significantly improving workflow efficiency. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> 2026-01-01 19:06:33 -05:00
			`$bulkOpsModel = new BulkOperationsModel($conn);`
Security hardening and performance improvements - Add visibility check to attachment downloads (prevents unauthorized access) - Fix ticket ID collision with uniqueness verification loop - Harden CSP: replace unsafe-inline with nonce-based script execution - Add IP-based rate limiting (supplements session-based) - Add visibility checks to bulk operations - Validate internal visibility requires groups - Optimize user activity query (JOINs vs subqueries) - Update documentation with design decisions and security info Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-28 20:27:15 -05:00			`$ticketModel = new TicketModel($conn);`

			`// Verify user can access all tickets in the bulk operation`
			`// (Admins can access all, but this is defense-in-depth)`
			`$accessibleTicketIds = [];`
			`$inaccessibleCount = 0;`
			`$tickets = $ticketModel->getTicketsByIds($ticketIds);`

			`foreach ($ticketIds as $ticketId) {`
			`$ticketId = trim($ticketId);`
			`$ticket = $tickets[$ticketId] ?? null;`

			`if ($ticket && $ticketModel->canUserAccessTicket($ticket, $_SESSION['user'])) {`
			`$accessibleTicketIds[] = $ticketId;`
			`} else {`
			`$inaccessibleCount++;`
			`}`
			`}`

			`if (empty($accessibleTicketIds)) {`
			`echo json_encode(['success' => false, 'error' => 'No accessible tickets in selection']);`
			`exit;`
			`}`

			`// Use only accessible ticket IDs`
			`$ticketIds = $accessibleTicketIds;`
Feature 5: Implement Bulk Actions (Admin Only) Add comprehensive bulk operations system for admins: - Created BulkOperationsModel.php with operation tracking and processing - Added bulk_operation.php API endpoint for bulk operations - Created get_users.php API endpoint for user dropdown in bulk assign - Updated DashboardView.php with checkboxes and bulk actions toolbar - Added JavaScript functions for: - Select all/clear selection - Bulk close tickets - Bulk assign tickets - Bulk change priority - Added comprehensive CSS for bulk actions toolbar and modals - All bulk operations are admin-only (enforced server-side) - Operations tracked in bulk_operations table with audit logging - Supports bulk_close, bulk_assign, and bulk_priority operations Admins can now select multiple tickets and perform batch operations, significantly improving workflow efficiency. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> 2026-01-01 19:06:33 -05:00
			`// Create bulk operation record`
			`$operationId = $bulkOpsModel->createBulkOperation($operationType, $ticketIds, $_SESSION['user']['user_id'], $parameters);`

			`if (!$operationId) {`
			`echo json_encode(['success' => false, 'error' => 'Failed to create bulk operation']);`
			`exit;`
			`}`

			`// Process the bulk operation`
			`$result = $bulkOpsModel->processBulkOperation($operationId);`

			`$conn->close();`

			`if (isset($result['error'])) {`
			`echo json_encode([`
			`'success' => false,`
			`'error' => $result['error']`
			`]);`
			`} else {`
Security hardening and performance improvements - Add visibility check to attachment downloads (prevents unauthorized access) - Fix ticket ID collision with uniqueness verification loop - Harden CSP: replace unsafe-inline with nonce-based script execution - Add IP-based rate limiting (supplements session-based) - Add visibility checks to bulk operations - Validate internal visibility requires groups - Optimize user activity query (JOINs vs subqueries) - Update documentation with design decisions and security info Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-28 20:27:15 -05:00			`$message = "Bulk operation completed: {$result['processed']} succeeded, {$result['failed']} failed";`
			`if ($inaccessibleCount > 0) {`
			`$message .= " ($inaccessibleCount skipped - no access)";`
			`}`
Feature 5: Implement Bulk Actions (Admin Only) Add comprehensive bulk operations system for admins: - Created BulkOperationsModel.php with operation tracking and processing - Added bulk_operation.php API endpoint for bulk operations - Created get_users.php API endpoint for user dropdown in bulk assign - Updated DashboardView.php with checkboxes and bulk actions toolbar - Added JavaScript functions for: - Select all/clear selection - Bulk close tickets - Bulk assign tickets - Bulk change priority - Added comprehensive CSS for bulk actions toolbar and modals - All bulk operations are admin-only (enforced server-side) - Operations tracked in bulk_operations table with audit logging - Supports bulk_close, bulk_assign, and bulk_priority operations Admins can now select multiple tickets and perform batch operations, significantly improving workflow efficiency. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> 2026-01-01 19:06:33 -05:00			`echo json_encode([`
			`'success' => true,`
			`'operation_id' => $operationId,`
			`'processed' => $result['processed'],`
			`'failed' => $result['failed'],`
Security hardening and performance improvements - Add visibility check to attachment downloads (prevents unauthorized access) - Fix ticket ID collision with uniqueness verification loop - Harden CSP: replace unsafe-inline with nonce-based script execution - Add IP-based rate limiting (supplements session-based) - Add visibility checks to bulk operations - Validate internal visibility requires groups - Optimize user activity query (JOINs vs subqueries) - Update documentation with design decisions and security info Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-28 20:27:15 -05:00			`'skipped' => $inaccessibleCount,`
			`'message' => $message`
Feature 5: Implement Bulk Actions (Admin Only) Add comprehensive bulk operations system for admins: - Created BulkOperationsModel.php with operation tracking and processing - Added bulk_operation.php API endpoint for bulk operations - Created get_users.php API endpoint for user dropdown in bulk assign - Updated DashboardView.php with checkboxes and bulk actions toolbar - Added JavaScript functions for: - Select all/clear selection - Bulk close tickets - Bulk assign tickets - Bulk change priority - Added comprehensive CSS for bulk actions toolbar and modals - All bulk operations are admin-only (enforced server-side) - Operations tracked in bulk_operations table with audit logging - Supports bulk_close, bulk_assign, and bulk_priority operations Admins can now select multiple tickets and perform batch operations, significantly improving workflow efficiency. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> 2026-01-01 19:06:33 -05:00			`]);`
			`}`