Add performance, security, and reliability improvements

- Consolidate all 20 API files to use centralized Database helper - Add optimistic locking to ticket updates to prevent concurrent conflicts - Add caching to StatsModel (60s TTL) for dashboard performance - Add health check endpoint (api/health.php) for monitoring - Improve rate limit cleanup with cron script and efficient DirectoryIterator - Enable rate limit response headers (X-RateLimit-*) - Add audit logging for workflow transitions - Log Discord webhook failures instead of silencing - Fix visibility check on export_tickets.php - Add database migration system with performance indexes - Fix cron recurring tickets to use assignTicket method Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-30 14:39:13 -05:00
parent c3f7593f3c
commit 7575d6a277
31 changed files with 825 additions and 398 deletions
--- a/api/export_tickets.php
+++ b/api/export_tickets.php
@@ -3,6 +3,7 @@
 * Export Tickets API
 *
 * Exports tickets to CSV format with optional filtering
+ * Respects ticket visibility settings
 */

 // Disable error display in the output
@@ -16,6 +17,7 @@ RateLimitMiddleware::apply('api');
 try {
    // Include required files
    require_once dirname(__DIR__) . '/config/config.php';
+    require_once dirname(__DIR__) . '/helpers/Database.php';
    require_once dirname(__DIR__) . '/models/TicketModel.php';

    // Check authentication via session
@@ -29,17 +31,8 @@ try {

    $currentUser = $_SESSION['user'];

-    // Create database connection
-    $conn = new mysqli(
-        $GLOBALS['config']['DB_HOST'],
-        $GLOBALS['config']['DB_USER'],
-        $GLOBALS['config']['DB_PASS'],
-        $GLOBALS['config']['DB_NAME']
-    );
-
-    if ($conn->connect_error) {
-        throw new Exception("Database connection failed");
-    }
+    // Use centralized database connection
+    $conn = Database::getConnection();

    // Get filter parameters
    $status = isset($_GET['status']) ? $_GET['status'] : null;
@@ -64,11 +57,18 @@ try {
        }

        // Get specific tickets by IDs
-        $tickets = $ticketModel->getTicketsByIds($ticketIdArray);
-        // Convert associative array to indexed array
-        $tickets = array_values($tickets);
+        $allTickets = $ticketModel->getTicketsByIds($ticketIdArray);
+
+        // Filter tickets based on visibility - only export tickets the user can access
+        $tickets = [];
+        foreach ($allTickets as $ticket) {
+            if ($ticketModel->canUserAccessTicket($ticket, $currentUser)) {
+                $tickets[] = $ticket;
+            }
+        }
    } else {
        // Get all tickets with filters (no pagination for export)
+        // getAllTickets already applies visibility filtering via getVisibilityFilter
        $result = $ticketModel->getAllTickets(1, 10000, $status, 'created_at', 'desc', $category, $type, $search);
        $tickets = $result['tickets'];
    }