Fix comment avatar, activity log labels, and ticket update permissions

- add_comment.php: include user_id in response for avatar rendering - ticket.js: add buildCommentElement() helper that matches server-rendered comment structure (avatar, edit/delete buttons, textarea); use it in addComment() and submitReply() so new comments show the avatar immediately - AuditLogModel: logCommentCreate uses action_type='comment' not 'create' - TicketView: formatAction handles entity_type='comment' with action_type='create' for existing DB records; prevents "created this ticket" showing for comments - update_ticket.php: remove owner/assignee restriction so any authenticated team member can update ticket status and fields Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-06 22:37:53 -04:00
parent 727c5171ff
commit 55a3d2945c
5 changed files with 106 additions and 66 deletions
@@ -93,16 +93,8 @@ try {
                ];
            }

-            // Authorization: admins can edit any ticket; others only their own or assigned
-            if (!$this->isAdmin
-                && (int)$currentTicket['created_by'] !== (int)$this->userId
-                && (int)$currentTicket['assigned_to'] !== (int)$this->userId
-            ) {
-                return [
-                    'success' => false,
-                    'error' => 'Permission denied'
-                ];
-            }
+            // Any authenticated team member can update tickets.
+            // Admin-only operations (delete, bulk actions) are enforced separately.

            // Merge current data with updates, keeping existing values for missing fields
            $updateData = [