tinker_tickets/api/assign_ticket.php

<?php
// Apply rate limiting
require_once dirname(__DIR__) . '/middleware/RateLimitMiddleware.php';
RateLimitMiddleware::apply('api');

session_start();
require_once dirname(__DIR__) . '/config/config.php';
require_once dirname(__DIR__) . '/models/TicketModel.php';
require_once dirname(__DIR__) . '/models/AuditLogModel.php';
require_once dirname(__DIR__) . '/models/UserModel.php';

header('Content-Type: application/json');

// Check authentication
if (!isset($_SESSION['user']) || !isset($_SESSION['user']['user_id'])) {
    echo json_encode(['success' => false, 'error' => 'Not authenticated']);
    exit;
}

// CSRF Protection
require_once dirname(__DIR__) . '/middleware/CsrfMiddleware.php';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $csrfToken = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
    if (!CsrfMiddleware::validateToken($csrfToken)) {
        http_response_code(403);
        echo json_encode(['success' => false, 'error' => 'Invalid CSRF token']);
        exit;
    }
}

$userId = $_SESSION['user']['user_id'];

// Get request data
$data = json_decode(file_get_contents('php://input'), true);
$ticketId = $data['ticket_id'] ?? null;
$assignedTo = $data['assigned_to'] ?? null;

if (!$ticketId) {
    echo json_encode(['success' => false, 'error' => 'Ticket ID required']);
    exit;
}

// Create database connection
$conn = new mysqli(
    $GLOBALS['config']['DB_HOST'],
    $GLOBALS['config']['DB_USER'],
    $GLOBALS['config']['DB_PASS'],
    $GLOBALS['config']['DB_NAME']
);

if ($conn->connect_error) {
    echo json_encode(['success' => false, 'error' => 'Database connection failed']);
    exit;
}

$ticketModel = new TicketModel($conn);
$auditLogModel = new AuditLogModel($conn);
$userModel = new UserModel($conn);

if ($assignedTo === null || $assignedTo === '') {
    // Unassign ticket
    $success = $ticketModel->unassignTicket($ticketId, $userId);
    if ($success) {
        $auditLogModel->log($userId, 'unassign', 'ticket', $ticketId);
    }
} else {
    // Validate assigned_to is a valid user ID
    $assignedTo = (int)$assignedTo;
    $targetUser = $userModel->getUserById($assignedTo);
    if (!$targetUser) {
        echo json_encode(['success' => false, 'error' => 'Invalid user ID']);
        $conn->close();
        exit;
    }

    // Assign ticket
    $success = $ticketModel->assignTicket($ticketId, $assignedTo, $userId);
    if ($success) {
        $auditLogModel->log($userId, 'assign', 'ticket', $ticketId, ['assigned_to' => $assignedTo]);
    }
}

$conn->close();

echo json_encode(['success' => $success]);