Fix visibility enforcement and register missing API routes

Security fixes: - add_comment.php: verify canUserAccessTicket() before allowing comment creation - assign_ticket.php: use canUserAccessTicket() to prevent info leakage via 403 vs 404 - check_duplicates.php: apply getVisibilityFilter() so confidential ticket titles are not exposed in duplicate search results - ticket_dependencies.php: verify ticket access on GET before returning dependency data Route registration: - Register 7 previously missing API endpoints in index.php: custom_fields, saved_filters, audit_log, user_preferences, download_attachment, clone_ticket, health Frontend: - ticket.js: fill empty catch block and empty else block in addComment() with proper error toasts Documentation: - README.md: document all API endpoints and update project structure listing Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-20 21:39:02 -04:00
parent ce95e555d5
commit 164c2d231a
7 changed files with 90 additions and 6 deletions
--- a/README.md
+++ b/README.md
@@ -204,6 +204,7 @@ Access all admin pages via the **Admin dropdown** in the dashboard header.
 | `/api/update_ticket.php` | POST | Update ticket with workflow validation |
 | `/api/assign_ticket.php` | POST | Assign ticket to user |
 | `/api/add_comment.php` | POST | Add comment to ticket |
+| `/api/clone_ticket.php` | POST | Clone an existing ticket |
 | `/api/get_template.php` | GET | Fetch ticket template |
 | `/api/get_users.php` | GET | Get user list for assignments |
 | `/api/bulk_operation.php` | POST | Perform bulk operations |
@@ -220,6 +221,12 @@ Access all admin pages via the **Admin dropdown** in the dashboard header.
 | `/api/manage_recurring.php` | CRUD | Recurring tickets (admin) |
 | `/api/manage_templates.php` | CRUD | Templates (admin) |
 | `/api/manage_workflows.php` | CRUD | Workflow rules (admin) |
+| `/api/custom_fields.php` | CRUD | Custom field definitions/values (admin) |
+| `/api/saved_filters.php` | CRUD | Saved filter combinations |
+| `/api/user_preferences.php` | GET/POST | User preferences |
+| `/api/audit_log.php` | GET | Audit log entries (admin) |
+| `/api/bootstrap.php` | GET | Bootstrap config/user data for front-end |
+| `/api/health.php` | GET | Health check |

 ## Project Structure

@@ -228,8 +235,12 @@ tinker_tickets/
 ├── api/
 │   ├── add_comment.php                   # POST: Add comment
 │   ├── assign_ticket.php                 # POST: Assign ticket to user
+│   ├── audit_log.php                     # GET: Audit log entries (admin)
+│   ├── bootstrap.php                     # GET: Bootstrap data (config/user for front-end)
 │   ├── bulk_operation.php                # POST: Bulk operations (admin only)
 │   ├── check_duplicates.php              # GET: Check for duplicate tickets
+│   ├── clone_ticket.php                  # POST: Clone an existing ticket
+│   ├── custom_fields.php                 # CRUD: Custom field definitions/values (admin)
 │   ├── delete_attachment.php             # POST/DELETE: Delete attachment
 │   ├── delete_comment.php                # POST: Delete comment (owner/admin)
 │   ├── download_attachment.php           # GET: Download with visibility check
@@ -237,23 +248,26 @@ tinker_tickets/
 │   ├── generate_api_key.php              # POST: Generate API key (admin)
 │   ├── get_template.php                  # GET: Fetch ticket template
 │   ├── get_users.php                     # GET: Get user list
+│   ├── health.php                        # GET: Health check endpoint
 │   ├── manage_recurring.php              # CRUD: Recurring tickets (admin)
 │   ├── manage_templates.php              # CRUD: Templates (admin)
 │   ├── manage_workflows.php              # CRUD: Workflow rules (admin)
 │   ├── revoke_api_key.php                # POST: Revoke API key (admin)
+│   ├── saved_filters.php                 # CRUD: Saved filter combinations
 │   ├── ticket_dependencies.php           # GET/POST/DELETE: Ticket dependencies
 │   ├── update_comment.php                # POST: Update comment (owner/admin)
 │   ├── update_ticket.php                 # POST: Update ticket (workflow validation)
-│   └── upload_attachment.php             # GET/POST: List or upload attachments
+│   ├── upload_attachment.php             # GET/POST: List or upload attachments
+│   └── user_preferences.php             # GET/POST: User preferences
 ├── assets/
 │   ├── css/
-│   │   ├── base.css                      # LotusGuild Terminal Design System (symlinked from web_template)
+│   │   ├── base.css                      # LotusGuild Terminal Design System (copied from web_template)
 │   │   ├── dashboard.css                 # Dashboard + terminal styling
 │   │   └── ticket.css                    # Ticket view styling
 │   ├── js/
 │   │   ├── advanced-search.js            # Advanced search modal
 │   │   ├── ascii-banner.js               # ASCII art banner (rendered in boot overlay on first visit)
-│   │   ├── base.js                       # LotusGuild JS utilities — window.lt (symlinked from web_template)
+│   │   ├── base.js                       # LotusGuild JS utilities — window.lt (copied from web_template)
 │   │   ├── dashboard.js                  # Dashboard + bulk actions + kanban + sidebar
 │   │   ├── keyboard-shortcuts.js         # Keyboard shortcuts (uses lt.keys)
 │   │   ├── markdown.js                   # Markdown rendering + ticket linking (XSS-safe)
@@ -292,6 +306,8 @@ tinker_tickets/
 │   ├── UserPreferencesModel.php          # User preferences
 │   └── WorkflowModel.php                 # Status transition workflows
 ├── scripts/
+│   ├── add_closed_at_column.php          # Migration: add closed_at column to tickets
+│   ├── add_comment_updated_at.php        # Migration: add updated_at column to ticket_comments
 │   ├── cleanup_orphan_uploads.php        # Clean orphaned uploads
 │   └── create_dependencies_table.php     # Create ticket_dependencies table
 ├── uploads/                              # File attachment storage