api/add_comment.php

<?php
// Disable error display in the output
ini_set('display_errors', 0);
error_reporting(E_ALL);

// Apply rate limiting
require_once dirname(__DIR__) . '/middleware/RateLimitMiddleware.php';
RateLimitMiddleware::apply('api');

// Start output buffering to capture any errors
ob_start();

try {
    // Include required files with proper error handling
    $configPath = dirname(__DIR__) . '/config/config.php';
    $commentModelPath = dirname(__DIR__) . '/models/CommentModel.php';
    $auditLogModelPath = dirname(__DIR__) . '/models/AuditLogModel.php';

    if (!file_exists($configPath)) {
        throw new Exception("Config file not found: $configPath");
    }

    if (!file_exists($commentModelPath)) {
        throw new Exception("CommentModel file not found: $commentModelPath");
    }

    require_once $configPath;
    require_once $commentModelPath;
    require_once $auditLogModelPath;
    require_once dirname(__DIR__) . '/helpers/Database.php';
    require_once dirname(__DIR__) . '/models/TicketModel.php';
    require_once dirname(__DIR__) . '/helpers/NotificationHelper.php';
    require_once dirname(__DIR__) . '/helpers/SynapseHelper.php';

    // Check authentication via session
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    if (!isset($_SESSION['user']) || !isset($_SESSION['user']['user_id'])) {
        throw new Exception("Authentication required");
    }

    // CSRF Protection
    require_once dirname(__DIR__) . '/middleware/CsrfMiddleware.php';
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        $csrfToken = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
        if (!CsrfMiddleware::validateToken($csrfToken)) {
            http_response_code(403);
            header('Content-Type: application/json');
            echo json_encode(['success' => false, 'error' => 'Invalid CSRF token']);
            exit;
        }
    }

    $currentUser = $_SESSION['user'];
    $userId = $currentUser['user_id'];

    // Use centralized database connection
    $conn = Database::getConnection();

    // Get POST data
    $data = json_decode(file_get_contents('php://input'), true);

    if (!$data) {
        throw new Exception("Invalid JSON data received");
    }

    $ticketId = isset($data['ticket_id']) ? trim((string)$data['ticket_id']) : '';
    if (!ctype_digit($ticketId) || (int)$ticketId <= 0) {
        http_response_code(400);
        ob_end_clean();
        header('Content-Type: application/json');
        echo json_encode(['success' => false, 'error' => 'Invalid ticket ID']);
        exit;
    }

    // Verify user can access the ticket before allowing a comment
    $ticketModel = new TicketModel($conn);
    $ticket = $ticketModel->getTicketById($ticketId);
    if (!$ticket) {
        http_response_code(404);
        ob_end_clean();
        header('Content-Type: application/json');
        echo json_encode(['success' => false, 'error' => 'Ticket not found']);
        exit;
    }
    if (!$ticketModel->canUserAccessTicket($ticket, $currentUser)) {
        http_response_code(403);
        ob_end_clean();
        header('Content-Type: application/json');
        echo json_encode(['success' => false, 'error' => 'Access denied']);
        exit;
    }

    // Initialize models
    $commentModel = new CommentModel($conn);
    $auditLog = new AuditLogModel($conn);

    // Extract @mentions from comment text
    $mentions = $commentModel->extractMentions($data['comment_text'] ?? '');
    $mentionedUsers = [];
    if (!empty($mentions)) {
        $mentionedUsers = $commentModel->getMentionedUsers($mentions);
    }

    // Add comment with user tracking
    $result = $commentModel->addComment($ticketId, $data, $userId);

    // Log comment creation to audit log
    if ($result['success'] && isset($result['comment_id'])) {
        $auditLog->logCommentCreate($userId, $result['comment_id'], $ticketId);

        // Log mentions to audit log
        foreach ($mentionedUsers as $mentionedUser) {
            $auditLog->log(
                $userId,
                'mention',
                'user',
                (string)$mentionedUser['user_id'],
                [
                    'ticket_id' => $ticketId,
                    'comment_id' => $result['comment_id'],
                    'mentioned_username' => $mentionedUser['username']
                ]
            );
        }

        // Matrix notifications
        $authorDisplay = $currentUser['display_name'] ?? $currentUser['username'] ?? null;
        $commentText   = $data['comment_text'] ?? '';
        $ticketTitle   = $ticket['title'] ?? "Ticket #{$ticketId}";

        // @mention notifications — resolve usernames → Matrix IDs via Synapse Admin API
        if (!empty($mentionedUsers)) {
            $mentionedUsernames = array_column($mentionedUsers, 'username');
            $mentionedMatrixIds = SynapseHelper::resolveUsernames($mentionedUsernames);
            if (!empty($mentionedMatrixIds)) {
                NotificationHelper::sendMentionNotification($ticketId, $ticketTitle, $commentText, $authorDisplay, $mentionedMatrixIds);
            }
        }

        // General comment notification (opt-in via MATRIX_NOTIFY_COMMENTS)
        if (!empty($GLOBALS['config']['MATRIX_NOTIFY_COMMENTS'])) {
            NotificationHelper::sendCommentNotification($ticketId, $ticketTitle, $commentText, $authorDisplay);
        }

        // Notify watchers of the new comment
        NotificationHelper::notifyWatchers(
            $conn, $ticketId, $ticketTitle, 'comment_added',
            ['author' => $authorDisplay, 'preview' => mb_strimwidth($commentText, 0, 200, '…')],
            (int)$userId
        );

        // Add mentioned users to result for frontend
        $result['mentions'] = array_map(function($u) {
            return $u['username'];
        }, $mentionedUsers);
    }

    // Add user info to result for frontend avatar rendering
    if ($result['success']) {
        $result['user_name'] = $currentUser['display_name'] ?? $currentUser['username'];
        $result['user_id']   = $userId;
    }

    // Discard any unexpected output
    ob_end_clean();

    // Return JSON response
    if ($result['success']) {
        http_response_code(201);
    }
    header('Content-Type: application/json');
    echo json_encode($result);

} catch (Exception $e) {
    // Discard any unexpected output
    ob_end_clean();

    // Log error details but don't expose to client
    error_log("Add comment API error: " . $e->getMessage());

    // Return error response
    http_response_code(500);
    header('Content-Type: application/json');
    echo json_encode([
        'success' => false,
        'error' => 'An internal error occurred'
    ]);
}
Re-did everything, Now is modulaar and better bro. 2025-05-16 20:02:49 -04:00			`<?php`
			`// Disable error display in the output`
			`ini_set('display_errors', 0);`
			`error_reporting(E_ALL);`

Implement comprehensive improvement plan (Phases 1-6) 2026-01-20 09:55:01 -05:00			`// Apply rate limiting`
			`require_once dirname(__DIR__) . '/middleware/RateLimitMiddleware.php';`
			`RateLimitMiddleware::apply('api');`

Re-did everything, Now is modulaar and better bro. 2025-05-16 20:02:49 -04:00			`// Start output buffering to capture any errors`
			`ob_start();`

			`try {`
			`// Include required files with proper error handling`
			`$configPath = dirname(__DIR__) . '/config/config.php';`
			`$commentModelPath = dirname(__DIR__) . '/models/CommentModel.php';`
SSO Update :) 2026-01-01 15:40:32 -05:00			`$auditLogModelPath = dirname(__DIR__) . '/models/AuditLogModel.php';`

Re-did everything, Now is modulaar and better bro. 2025-05-16 20:02:49 -04:00			`if (!file_exists($configPath)) {`
			`throw new Exception("Config file not found: $configPath");`
			`}`
SSO Update :) 2026-01-01 15:40:32 -05:00
Re-did everything, Now is modulaar and better bro. 2025-05-16 20:02:49 -04:00			`if (!file_exists($commentModelPath)) {`
			`throw new Exception("CommentModel file not found: $commentModelPath");`
			`}`
SSO Update :) 2026-01-01 15:40:32 -05:00
Re-did everything, Now is modulaar and better bro. 2025-05-16 20:02:49 -04:00			`require_once $configPath;`
			`require_once $commentModelPath;`
SSO Update :) 2026-01-01 15:40:32 -05:00			`require_once $auditLogModelPath;`
Add performance, security, and reliability improvements 2026-01-30 14:39:13 -05:00			`require_once dirname(__DIR__) . '/helpers/Database.php';`
Fix visibility enforcement and register missing API routes 2026-03-20 21:39:02 -04:00			`require_once dirname(__DIR__) . '/models/TicketModel.php';`
feat: comment pagination, Matrix integration, Synapse mention resolution 2026-03-29 21:34:16 -04:00			`require_once dirname(__DIR__) . '/helpers/NotificationHelper.php';`
			`require_once dirname(__DIR__) . '/helpers/SynapseHelper.php';`
SSO Update :) 2026-01-01 15:40:32 -05:00
			`// Check authentication via session`
Integrate web_template design system and fix security/quality issues 2026-03-17 23:22:24 -04:00			`if (session_status() === PHP_SESSION_NONE) {`
			`session_start();`
			`}`
SSO Update :) 2026-01-01 15:40:32 -05:00			`if (!isset($_SESSION['user']) \|\| !isset($_SESSION['user']['user_id'])) {`
			`throw new Exception("Authentication required");`
			`}`

feat: Add CSRF protection to critical API endpoints 2026-01-09 12:32:34 -05:00			`// CSRF Protection`
			`require_once dirname(__DIR__) . '/middleware/CsrfMiddleware.php';`
			`if ($_SERVER['REQUEST_METHOD'] === 'POST') {`
			`$csrfToken = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';`
			`if (!CsrfMiddleware::validateToken($csrfToken)) {`
			`http_response_code(403);`
			`header('Content-Type: application/json');`
			`echo json_encode(['success' => false, 'error' => 'Invalid CSRF token']);`
			`exit;`
			`}`
			`}`

SSO Update :) 2026-01-01 15:40:32 -05:00			`$currentUser = $_SESSION['user'];`
			`$userId = $currentUser['user_id'];`

Add performance, security, and reliability improvements 2026-01-30 14:39:13 -05:00			`// Use centralized database connection`
			`$conn = Database::getConnection();`
SSO Update :) 2026-01-01 15:40:32 -05:00
Re-did everything, Now is modulaar and better bro. 2025-05-16 20:02:49 -04:00			`// Get POST data`
			`$data = json_decode(file_get_contents('php://input'), true);`
SSO Update :) 2026-01-01 15:40:32 -05:00
Re-did everything, Now is modulaar and better bro. 2025-05-16 20:02:49 -04:00			`if (!$data) {`
			`throw new Exception("Invalid JSON data received");`
			`}`
SSO Update :) 2026-01-01 15:40:32 -05:00
Fix leading-zero ticket ID handling across API and UI 2026-04-11 12:43:18 -04:00			`$ticketId = isset($data['ticket_id']) ? trim((string)$data['ticket_id']) : '';`
			`if (!ctype_digit($ticketId) \|\| (int)$ticketId <= 0) {`
Fix bracket buttons rendering below text + UI/security improvements 2026-03-19 22:20:43 -04:00			`http_response_code(400);`
			`ob_end_clean();`
			`header('Content-Type: application/json');`
			`echo json_encode(['success' => false, 'error' => 'Invalid ticket ID']);`
			`exit;`
			`}`
SSO Update :) 2026-01-01 15:40:32 -05:00
Fix visibility enforcement and register missing API routes 2026-03-20 21:39:02 -04:00			`// Verify user can access the ticket before allowing a comment`
			`$ticketModel = new TicketModel($conn);`
			`$ticket = $ticketModel->getTicketById($ticketId);`
			`if (!$ticket) {`
			`http_response_code(404);`
			`ob_end_clean();`
			`header('Content-Type: application/json');`
			`echo json_encode(['success' => false, 'error' => 'Ticket not found']);`
			`exit;`
			`}`
			`if (!$ticketModel->canUserAccessTicket($ticket, $currentUser)) {`
			`http_response_code(403);`
			`ob_end_clean();`
			`header('Content-Type: application/json');`
			`echo json_encode(['success' => false, 'error' => 'Access denied']);`
			`exit;`
			`}`

SSO Update :) 2026-01-01 15:40:32 -05:00			`// Initialize models`
Re-did everything, Now is modulaar and better bro. 2025-05-16 20:02:49 -04:00			`$commentModel = new CommentModel($conn);`
SSO Update :) 2026-01-01 15:40:32 -05:00			`$auditLog = new AuditLogModel($conn);`

Implement comprehensive improvement plan (Phases 1-6) 2026-01-20 09:55:01 -05:00			`// Extract @mentions from comment text`
			`$mentions = $commentModel->extractMentions($data['comment_text'] ?? '');`
			`$mentionedUsers = [];`
			`if (!empty($mentions)) {`
			`$mentionedUsers = $commentModel->getMentionedUsers($mentions);`
			`}`

SSO Update :) 2026-01-01 15:40:32 -05:00			`// Add comment with user tracking`
			`$result = $commentModel->addComment($ticketId, $data, $userId);`

			`// Log comment creation to audit log`
			`if ($result['success'] && isset($result['comment_id'])) {`
			`$auditLog->logCommentCreate($userId, $result['comment_id'], $ticketId);`
Implement comprehensive improvement plan (Phases 1-6) 2026-01-20 09:55:01 -05:00
			`// Log mentions to audit log`
			`foreach ($mentionedUsers as $mentionedUser) {`
			`$auditLog->log(`
			`$userId,`
			`'mention',`
			`'user',`
			`(string)$mentionedUser['user_id'],`
			`[`
			`'ticket_id' => $ticketId,`
			`'comment_id' => $result['comment_id'],`
			`'mentioned_username' => $mentionedUser['username']`
			`]`
			`);`
			`}`

feat: comment pagination, Matrix integration, Synapse mention resolution 2026-03-29 21:34:16 -04:00			`// Matrix notifications`
			`$authorDisplay = $currentUser['display_name'] ?? $currentUser['username'] ?? null;`
			`$commentText = $data['comment_text'] ?? '';`
			`$ticketTitle = $ticket['title'] ?? "Ticket #{$ticketId}";`

			`// @mention notifications — resolve usernames → Matrix IDs via Synapse Admin API`
			`if (!empty($mentionedUsers)) {`
			`$mentionedUsernames = array_column($mentionedUsers, 'username');`
			`$mentionedMatrixIds = SynapseHelper::resolveUsernames($mentionedUsernames);`
			`if (!empty($mentionedMatrixIds)) {`
			`NotificationHelper::sendMentionNotification($ticketId, $ticketTitle, $commentText, $authorDisplay, $mentionedMatrixIds);`
			`}`
			`}`

			`// General comment notification (opt-in via MATRIX_NOTIFY_COMMENTS)`
			`if (!empty($GLOBALS['config']['MATRIX_NOTIFY_COMMENTS'])) {`
			`NotificationHelper::sendCommentNotification($ticketId, $ticketTitle, $commentText, $authorDisplay);`
			`}`

feat: ticket watchers, fulltext search, single-query pagination, watcher notifications 2026-03-29 22:00:32 -04:00			`// Notify watchers of the new comment`
			`NotificationHelper::notifyWatchers(`
			`$conn, $ticketId, $ticketTitle, 'comment_added',`
			`['author' => $authorDisplay, 'preview' => mb_strimwidth($commentText, 0, 200, '…')],`
			`(int)$userId`
			`);`

Implement comprehensive improvement plan (Phases 1-6) 2026-01-20 09:55:01 -05:00			`// Add mentioned users to result for frontend`
			`$result['mentions'] = array_map(function($u) {`
			`return $u['username'];`
			`}, $mentionedUsers);`
SSO Update :) 2026-01-01 15:40:32 -05:00			`}`

Fix comment avatar, activity log labels, and ticket update permissions 2026-04-06 22:37:53 -04:00			`// Add user info to result for frontend avatar rendering`
Username not live updating & css overlap bug 2026-01-01 16:14:56 -05:00			`if ($result['success']) {`
			`$result['user_name'] = $currentUser['display_name'] ?? $currentUser['username'];`
Fix comment avatar, activity log labels, and ticket update permissions 2026-04-06 22:37:53 -04:00			`$result['user_id'] = $userId;`
Username not live updating & css overlap bug 2026-01-01 16:14:56 -05:00			`}`

Re-did everything, Now is modulaar and better bro. 2025-05-16 20:02:49 -04:00			`// Discard any unexpected output`
			`ob_end_clean();`
SSO Update :) 2026-01-01 15:40:32 -05:00
Re-did everything, Now is modulaar and better bro. 2025-05-16 20:02:49 -04:00			`// Return JSON response`
Security/correctness: visibility filtering, Content-Type headers, group validation 2026-03-29 18:23:16 -04:00			`if ($result['success']) {`
			`http_response_code(201);`
			`}`
Re-did everything, Now is modulaar and better bro. 2025-05-16 20:02:49 -04:00			`header('Content-Type: application/json');`
			`echo json_encode($result);`
Security/correctness: visibility filtering, Content-Type headers, group validation 2026-03-29 18:23:16 -04:00
Re-did everything, Now is modulaar and better bro. 2025-05-16 20:02:49 -04:00			`} catch (Exception $e) {`
			`// Discard any unexpected output`
			`ob_end_clean();`
Fix error message disclosure in API endpoints 2026-01-30 18:56:29 -05:00
			`// Log error details but don't expose to client`
			`error_log("Add comment API error: " . $e->getMessage());`

Re-did everything, Now is modulaar and better bro. 2025-05-16 20:02:49 -04:00			`// Return error response`
Security/correctness: visibility filtering, Content-Type headers, group validation 2026-03-29 18:23:16 -04:00			`http_response_code(500);`
Re-did everything, Now is modulaar and better bro. 2025-05-16 20:02:49 -04:00			`header('Content-Type: application/json');`
			`echo json_encode([`
			`'success' => false,`
Fix error message disclosure in API endpoints 2026-01-30 18:56:29 -05:00			`'error' => 'An internal error occurred'`
Re-did everything, Now is modulaar and better bro. 2025-05-16 20:02:49 -04:00			`]);`
			`}`