Fix visibility enforcement and register missing API routes

Security fixes: - add_comment.php: verify canUserAccessTicket() before allowing comment creation - assign_ticket.php: use canUserAccessTicket() to prevent info leakage via 403 vs 404 - check_duplicates.php: apply getVisibilityFilter() so confidential ticket titles are not exposed in duplicate search results - ticket_dependencies.php: verify ticket access on GET before returning dependency data Route registration: - Register 7 previously missing API endpoints in index.php: custom_fields, saved_filters, audit_log, user_preferences, download_attachment, clone_ticket, health Frontend: - ticket.js: fill empty catch block and empty else block in addComment() with proper error toasts Documentation: - README.md: document all API endpoints and update project structure listing Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-20 21:39:02 -04:00
parent ce95e555d5
commit 164c2d231a
7 changed files with 90 additions and 6 deletions
--- a/api/add_comment.php
+++ b/api/add_comment.php
@@ -28,6 +28,7 @@ try {
    require_once $commentModelPath;
    require_once $auditLogModelPath;
    require_once dirname(__DIR__) . '/helpers/Database.php';
+    require_once dirname(__DIR__) . '/models/TicketModel.php';

    // Check authentication via session
    if (session_status() === PHP_SESSION_NONE) {
@@ -71,6 +72,24 @@ try {
        exit;
    }

+    // Verify user can access the ticket before allowing a comment
+    $ticketModel = new TicketModel($conn);
+    $ticket = $ticketModel->getTicketById($ticketId);
+    if (!$ticket) {
+        http_response_code(404);
+        ob_end_clean();
+        header('Content-Type: application/json');
+        echo json_encode(['success' => false, 'error' => 'Ticket not found']);
+        exit;
+    }
+    if (!$ticketModel->canUserAccessTicket($ticket, $currentUser)) {
+        http_response_code(403);
+        ob_end_clean();
+        header('Content-Type: application/json');
+        echo json_encode(['success' => false, 'error' => 'Access denied']);
+        exit;
+    }
+
    // Initialize models
    $commentModel = new CommentModel($conn);
    $auditLog = new AuditLogModel($conn);
--- a/api/assign_ticket.php
+++ b/api/assign_ticket.php
@@ -25,9 +25,9 @@ $ticketModel = new TicketModel($conn);
 $auditLogModel = new AuditLogModel($conn);
 $userModel = new UserModel($conn);

-// Verify ticket exists
+// Verify ticket exists and user can access it
 $ticket = $ticketModel->getTicketById($ticketId);
-if (!$ticket) {
+if (!$ticket || !$ticketModel->canUserAccessTicket($ticket, $currentUser)) {
    http_response_code(404);
    echo json_encode(['success' => false, 'error' => 'Ticket not found']);
    exit;
--- a/api/check_duplicates.php
+++ b/api/check_duplicates.php
@@ -7,6 +7,7 @@

 require_once __DIR__ . '/bootstrap.php';
 require_once dirname(__DIR__) . '/helpers/ResponseHelper.php';
+require_once dirname(__DIR__) . '/models/TicketModel.php';

 // Only accept GET requests
 if ($_SERVER['REQUEST_METHOD'] !== 'GET') {
@@ -30,6 +31,10 @@ $searchTerm = '%' . $title . '%';
 // Get SOUNDEX of title
 $soundexTitle = soundex($title);

+// Build visibility filter so users only see titles they have access to
+$ticketModel = new TicketModel($conn);
+$visFilter = $ticketModel->getVisibilityFilter($currentUser);
+
 // First, search for exact substring matches (case-insensitive)
 $sql = "SELECT ticket_id, title, status, priority, created_at
        FROM tickets
@@ -38,11 +43,16 @@ $sql = "SELECT ticket_id, title, status, priority, created_at
            OR SOUNDEX(title) = ?
        )
        AND status != 'Closed'
+        AND ({$visFilter['sql']})
        ORDER BY created_at DESC
        LIMIT 10";

+$types = "ss" . $visFilter['types'];
+$params = array_merge([$searchTerm, $soundexTitle], $visFilter['params']);
 $stmt = $conn->prepare($sql);
-$stmt->bind_param("ss", $searchTerm, $soundexTitle);
+if (!empty($params)) {
+    $stmt->bind_param($types, ...$params);
+}
 $stmt->execute();
 $result = $stmt->get_result();

--- a/api/ticket_dependencies.php
+++ b/api/ticket_dependencies.php
@@ -67,6 +67,7 @@ require_once dirname(__DIR__) . '/config/config.php';
 require_once dirname(__DIR__) . '/helpers/Database.php';
 require_once dirname(__DIR__) . '/models/DependencyModel.php';
 require_once dirname(__DIR__) . '/models/AuditLogModel.php';
+require_once dirname(__DIR__) . '/models/TicketModel.php';
 require_once dirname(__DIR__) . '/helpers/ResponseHelper.php';

 header('Content-Type: application/json');
@@ -77,6 +78,7 @@ if (!isset($_SESSION['user']) || !isset($_SESSION['user']['user_id'])) {
 }

 $userId = $_SESSION['user']['user_id'];
+$currentUser = $_SESSION['user'];

 // CSRF Protection for POST/DELETE
 if ($_SERVER['REQUEST_METHOD'] === 'POST' || $_SERVER['REQUEST_METHOD'] === 'DELETE') {
@@ -99,6 +101,7 @@ if ($tableCheck->num_rows === 0) {
 try {
    $dependencyModel = new DependencyModel($conn);
    $auditLog = new AuditLogModel($conn);
+    $ticketModel = new TicketModel($conn);
 } catch (Exception $e) {
    error_log('Failed to initialize models in ticket_dependencies.php: ' . $e->getMessage());
    ResponseHelper::serverError('Failed to initialize required components');
@@ -116,6 +119,12 @@ switch ($method) {
            ResponseHelper::error('Ticket ID required');
        }

+        // Verify user can access this ticket
+        $ticket = $ticketModel->getTicketById((int)$ticketId);
+        if (!$ticket || !$ticketModel->canUserAccessTicket($ticket, $currentUser)) {
+            ResponseHelper::notFound('Ticket not found');
+        }
+
        try {
            $dependencies = $dependencyModel->getDependencies($ticketId);
            $dependents = $dependencyModel->getDependentTickets($ticketId);