Fix loose comparisons, missing response codes, and session handling

- ticket.js: escape dependency_id with lt.escHtml() in data attribute
- assign_ticket.php: strict (int) cast for ticket_id (> 0 check), authorization
  comparisons, and add missing http_response_code(400) on invalid user ID
- TicketView.php: strict (int) cast for priority select, assigned_to select,
  and comment ownership check
- CommentModel.php: strict (int) cast for parent_comment_id thread comparison
- UserModel.php: strict (int) cast for is_admin check
- export_tickets.php: conditional session_start() to avoid double-start warning

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-29 17:39:46 -04:00
parent 2e450dc01d
commit 7be283423a
6 changed files with 11 additions and 10 deletions
+4 -3
@@ -12,10 +12,10 @@ if (!is_array($data)) {
exit;
}
$ticketId = isset($data['ticket_id']) ? (int)$data['ticket_id'] : null;
$ticketId = isset($data['ticket_id']) ? (int)$data['ticket_id'] : 0;
$assignedTo = $data['assigned_to'] ?? null;
if (!$ticketId) {
if ($ticketId <= 0) {
http_response_code(400);
echo json_encode(['success' => false, 'error' => 'Ticket ID required']);
exit;
@@ -34,7 +34,7 @@ if (!$ticket || !$ticketModel->canUserAccessTicket($ticket, $currentUser)) {
}
// Authorization: only admins or the ticket creator/assignee can reassign
if (!$isAdmin && $ticket['created_by'] !== $userId && $ticket['assigned_to'] !== $userId) {
if (!$isAdmin && (int)$ticket['created_by'] !== (int)$userId && (int)$ticket['assigned_to'] !== (int)$userId) {
http_response_code(403);
echo json_encode(['success' => false, 'error' => 'Permission denied']);
exit;
@@ -51,6 +51,7 @@ if ($assignedTo === null || $assignedTo === '') {
$assignedTo = (int)$assignedTo;
$targetUser = $userModel->getUserById($assignedTo);
if (!$targetUser) {
http_response_code(400);
echo json_encode(['success' => false, 'error' => 'Invalid user ID']);
exit;
}
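Review bot: The `(int)` cast on `$assignedTo` at the top of the third hunk still accepts malformed input silently — `"12abc"` becomes 12 and `"1.9"` becomes 1 — so a value that should hit the new 400 branch instead reaches `getUserById()` as a plausible ID; the same applies to `ticket_id` in the first hunk. Validating before the cast, `$assignedTo = filter_var($assignedTo, FILTER_VALIDATE_INT);` and treating `false` exactly like the existing "Invalid user ID" branch, keeps the 400 path for anything that is not a plain integer. In the second hunk, `(int)$ticket['assigned_to']` turns an unassigned (NULL) ticket into 0, which is only safe as long as `$userId` can never be 0 at that point; if the session guard above guarantees that, a one-line comment on the new condition, `// assigned_to may be NULL (cast to 0); $userId is never 0 past the auth guard`, would make the reliance explicit. The code establishing `$userId` and `$isAdmin` is outside the hunks shown.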