Integrate web_template design system and fix security/quality issues
Security fixes: - Add HTTP method validation to delete_comment.php (block CSRF via GET) - Remove $_GET fallback in comment deletion (was CSRF bypass vector) - Guard session_start() with session_status() check across API files - Escape json_encode() data attributes with htmlspecialchars in views - Escape inline APP_TIMEZONE config values in DashboardView/TicketView - Validate timezone param against DateTimeZone::listIdentifiers() in index.php - Remove Database::escape() (was using real_escape_string, not safe) - Fix AttachmentModel hardcoded connection; inject via constructor Backend fixes: - Fix CommentModel bind_param type for ticket_id (s→i) - Fix buildCommentThread orphan parent guard - Fix StatsModel JOIN→LEFT JOIN so unassigned tickets aren't excluded - Add ticket ID validation in BulkOperationsModel before implode() - Add duplicate key retry in TicketModel::createTicket() for race conditions - Wrap SavedFiltersModel default filter changes in transactions - Add null result guards in WorkflowModel query methods Frontend JS: - Rewrite toast.js as lt.toast shim (base.js dependency) - Delegate escapeHtml() to lt.escHtml() - Rewrite keyboard-shortcuts.js using lt.keys.on() - Migrate settings.js to lt.api.* and lt.modal.open/close() - Migrate advanced-search.js to lt.api.* and lt.modal.open/close() - Migrate dashboard.js fetch calls to lt.api.*; update all dynamic modals (bulk ops, quick actions, confirm/input) to lt-modal structure - Migrate ticket.js fetchMentionUsers to lt.api.get() - Remove console.log/error/warn calls from JS files Views: - Add /web_template/base.css and base.js to all 10 view files - Call lt.keys.initDefaults() in DashboardView, TicketView, admin views - Migrate all modal HTML from settings-modal/settings-content to lt-modal-overlay/lt-modal/lt-modal-header/lt-modal-body/lt-modal-footer - Replace style="display:none" with aria-hidden="true" on all modals - Replace modal open/close style.display with lt.modal.open/close() - Update modal buttons to lt-btn lt-btn-primary/lt-btn-ghost classes - Remove manual ESC keydown handlers (replaced by lt.keys.initDefaults) - Fix unescaped timezone values in TicketView inline script Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -8,16 +8,13 @@ let userPreferences = {};
|
||||
// Load preferences on page load
|
||||
async function loadUserPreferences() {
|
||||
try {
|
||||
const response = await fetch('/api/user_preferences.php', {
|
||||
credentials: 'same-origin'
|
||||
});
|
||||
const data = await response.json();
|
||||
const data = await lt.api.get('/api/user_preferences.php');
|
||||
if (data.success) {
|
||||
userPreferences = data.preferences;
|
||||
applyPreferences();
|
||||
}
|
||||
} catch (error) {
|
||||
console.error('Error loading preferences:', error);
|
||||
lt.toast.error('Error loading preferences');
|
||||
}
|
||||
}
|
||||
|
||||
@@ -94,34 +91,12 @@ async function saveSettings() {
|
||||
};
|
||||
|
||||
try {
|
||||
// Batch save all preferences in one request
|
||||
const response = await fetch('/api/user_preferences.php', {
|
||||
method: 'POST',
|
||||
credentials: 'same-origin',
|
||||
headers: {
|
||||
'Content-Type': 'application/json',
|
||||
'X-CSRF-Token': window.CSRF_TOKEN
|
||||
},
|
||||
body: JSON.stringify({ preferences: prefs })
|
||||
});
|
||||
|
||||
const result = await response.json();
|
||||
if (!result.success) {
|
||||
throw new Error('Failed to save preferences');
|
||||
}
|
||||
|
||||
if (typeof toast !== 'undefined') {
|
||||
toast.success('Preferences saved successfully!');
|
||||
}
|
||||
await lt.api.post('/api/user_preferences.php', { preferences: prefs });
|
||||
lt.toast.success('Preferences saved successfully!');
|
||||
closeSettingsModal();
|
||||
|
||||
// Reload page to apply new preferences
|
||||
setTimeout(() => window.location.reload(), 1000);
|
||||
} catch (error) {
|
||||
if (typeof toast !== 'undefined') {
|
||||
toast.error('Error saving preferences');
|
||||
}
|
||||
console.error('Error saving preferences:', error);
|
||||
lt.toast.error('Error saving preferences');
|
||||
}
|
||||
}
|
||||
|
||||
@@ -129,24 +104,18 @@ async function saveSettings() {
|
||||
function openSettingsModal() {
|
||||
const modal = document.getElementById('settingsModal');
|
||||
if (modal) {
|
||||
modal.style.display = 'flex';
|
||||
document.body.classList.add('modal-open');
|
||||
lt.modal.open('settingsModal');
|
||||
loadUserPreferences();
|
||||
}
|
||||
}
|
||||
|
||||
function closeSettingsModal() {
|
||||
const modal = document.getElementById('settingsModal');
|
||||
if (modal) {
|
||||
modal.style.display = 'none';
|
||||
document.body.classList.remove('modal-open');
|
||||
}
|
||||
lt.modal.close('settingsModal');
|
||||
}
|
||||
|
||||
// Close modal when clicking on backdrop (outside the settings content)
|
||||
function closeOnBackdropClick(event) {
|
||||
const modal = document.getElementById('settingsModal');
|
||||
// Only close if clicking directly on the modal backdrop, not on content
|
||||
if (event.target === modal) {
|
||||
closeSettingsModal();
|
||||
}
|
||||
@@ -158,14 +127,7 @@ document.addEventListener('keydown', (e) => {
|
||||
e.preventDefault();
|
||||
openSettingsModal();
|
||||
}
|
||||
|
||||
// ESC to close modal
|
||||
if (e.key === 'Escape') {
|
||||
const modal = document.getElementById('settingsModal');
|
||||
if (modal && modal.style.display !== 'none' && modal.style.display !== '') {
|
||||
closeSettingsModal();
|
||||
}
|
||||
}
|
||||
// ESC is handled globally by lt.keys.initDefaults()
|
||||
});
|
||||
|
||||
// Initialize on page load
|
||||
|
||||
Reference in New Issue
Block a user