Fix visibility bypass in export and insecure cookie in preferences

api/export_tickets.php: getAllTickets() was called without $currentUser,
so visibility filtering was skipped — any authenticated user could export
all tickets including confidential/internal ones.

api/user_preferences.php: the single-preference setcookie() call was
missing httponly/secure flags (batch path had them correctly). Also cast
preference values to string before passing to setPreference(string).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-11 14:29:09 -04:00
parent 0f71ef9935
commit 55c2d5c596
2 changed files with 5 additions and 5 deletions
+2 -2
@@ -72,8 +72,8 @@ try {
}
} else {
// Get all tickets with filters (no pagination for export)
// getAllTickets already applies visibility filtering via getVisibilityFilter
$result = $ticketModel->getAllTickets(1, 10000, $status, 'created_at', 'desc', $category, $type, $search);
// Pass $currentUser so visibility filtering is applied correctly
$result = $ticketModel->getAllTickets(1, 10000, $status, 'created_at', 'desc', $category, $type, $search, [], $currentUser);
$tickets = $result['tickets'];
}
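Review bot: The export is only as safe as the value of `$currentUser` at this call. The commit message says filtering was skipped when the argument was omitted, which suggests (the model is not visible here) that getAllTickets() fails open on an empty user. I would reject the request before the call when `$currentUser` is empty, and make the comment say why, e.g. `// $currentUser is required: without it getAllTickets() applies no visibility filter`. The branch above `} else {` starts outside this hunk, so it should be confirmed to apply the same visibility check to whatever it exports. A regression test that exports as a non-privileged user and asserts that no confidential or internal ticket is returned would keep this from reappearing.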
+3 -3
@@ -43,7 +43,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
foreach ($data['preferences'] as $key => $value) {
$key = trim($key);
if (!in_array($key, $validKeys)) continue;
$prefsModel->setPreference($userId, $key, $value);
$prefsModel->setPreference($userId, $key, (string)$value);
if ($key === 'rows_per_page') {
setcookie('ticketsPerPage', $value, ['expires' => time() + (86400 * 365), 'path' => '/', 'httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
}
@@ -73,11 +73,11 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
}
try {
$success = $prefsModel->setPreference($userId, $key, $value);
$success = $prefsModel->setPreference($userId, $key, (string)$value);
// Also update cookie for rows_per_page for backwards compatibility
if ($key === 'rows_per_page') {
setcookie('ticketsPerPage', $value, time() + (86400 * 365), '/');
setcookie('ticketsPerPage', (string)$value, ['expires' => time() + (86400 * 365), 'path' => '/', 'httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
}
apiRespond(['success' => $success]);
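Review bot: In the first hunk the batch loop now casts the value for setPreference(), but the `setcookie('ticketsPerPage', $value, ...)` call under `rows_per_page` still passes the raw `$value`, unlike the single-preference path, which uses `(string)$value`. Neither path checks that the value is scalar before the cast, so an array in the request body would be stored and sent back as the literal string "Array" with a warning. I would add `if (!is_scalar($value)) continue;` after the key check in the loop, add the equivalent rejection before the `try` in the second hunk, and use `(string)$value` in the batch setcookie call. For `rows_per_page` specifically, validating it as a bounded integer before it reaches the cookie would be stricter still. Both the loop body and the `try` block continue outside the hunks shown.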