From 47b70b0ee8ace6b421da9395af17f29a66110f0f Mon Sep 17 00:00:00 2001 From: Jared Vititoe Date: Sat, 11 Apr 2026 13:31:10 -0400 Subject: [PATCH] Fix ticket ID handling in assign and delete_attachment APIs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit assign_ticket.php: preserve string ticket ID (ctype_digit validation) instead of (int) cast for consistent audit logging and URL generation. delete_attachment.php: use string ticket_id from DB for the upload directory path — (int) cast was stripping leading zeros, causing the wrong path (/uploads/123456/) instead of /uploads/000123456/. Also pass raw string to getTicketById() to let TicketModel handle type coercion. Co-Authored-By: Claude Sonnet 4.6
---
 api/assign_ticket.php | 5 +++-- api/delete_attachment.php | 4 ++-- 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/api/assign_ticket.php b/api/assign_ticket.php
index 0b21348..7c34d04 100644
--- a/api/assign_ticket.php
+++ b/api/assign_ticket.php
@@ -14,14 +14,15 @@ if (!is_array($data)) {
 exit;
 }
-$ticketId = isset($data['ticket_id']) ? (int)$data['ticket_id'] : 0;
+$ticketIdRaw = isset($data['ticket_id']) ? trim((string)$data['ticket_id']) : '';
 $assignedTo = $data['assigned_to'] ?? null;
-if ($ticketId <= 0) {
+if (!ctype_digit($ticketIdRaw) || (int)$ticketIdRaw <= 0) {
 http_response_code(400);
 echo json_encode(['success' => false, 'error' => 'Ticket ID required']);
 exit;
 }
+$ticketId = $ticketIdRaw;
 $ticketModel = new TicketModel($conn);
 $auditLogModel = new AuditLogModel($conn);
diff --git a/api/delete_attachment.php b/api/delete_attachment.php
index 4345d71..9a111da 100644
--- a/api/delete_attachment.php
+++ b/api/delete_attachment.php
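Review bot: The new validation in `assign_ticket.php` still accepts non-string JSON values, because `(string)$data['ticket_id']` runs before `ctype_digit()`: a JSON `true` becomes `"1"` and passes, and a JSON number arrives without the leading zeros this commit is trying to preserve. Checking the type first would close that, for example `$rawId = $data['ticket_id'] ?? '';` followed by `$ticketIdRaw = is_string($rawId) ? trim($rawId) : '';`, widening to `is_int($rawId)` only if numeric clients must keep working. The digit string also has no length bound, so an arbitrarily long value reaches the model and the audit log; a `strlen($ticketIdRaw)` limit set to the project's actual ID width would bound it. The script continues outside the hunk, so how `$ticketId` is consumed afterwards is not visible here.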
@@ -67,7 +67,7 @@ try {
 // Verify user can access the parent ticket
 $ticketModel = new TicketModel(Database::getConnection());
- $ticket = $ticketModel->getTicketById((int)$attachment['ticket_id']);
+ $ticket = $ticketModel->getTicketById($attachment['ticket_id']);
 if (!$ticket || !$ticketModel->canUserAccessTicket($ticket, $_SESSION['user'])) {
 ResponseHelper::notFound('Attachment not found');
 }
@@ -80,7 +80,7 @@ try {
 // Delete the file — use realpath() to prevent path traversal
 $uploadDir = realpath($GLOBALS['config']['UPLOAD_DIR'] ?? dirname(__DIR__) . '/uploads');
- $filePath = $uploadDir . '/' . (int)$attachment['ticket_id'] . '/' . $attachment['filename'];
+ $filePath = $uploadDir . '/' . $attachment['ticket_id'] . '/' . $attachment['filename'];
 $realPath = realpath($filePath);
 if ($realPath !== false) {
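Review bot: Dropping the `(int)` cast on the `$filePath` line in the second `delete_attachment.php` hunk also drops the only guarantee that the directory segment is purely numeric, so the path now trusts whatever string the attachment row holds. A guard before the concatenation keeps that property without losing leading zeros, for example `if (!ctype_digit((string)$attachment['ticket_id'])) { ResponseHelper::notFound('Attachment not found'); }`, mirroring the check added in `assign_ticket.php`. The `realpath()` containment test that the comment refers to continues past the end of this hunk. It is worth confirming there that the comparison uses `$uploadDir` plus a trailing separator, and that `$uploadDir === false` is handled when the configured directory does not exist.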