Integrate web_template design system and fix security/quality issues
Security fixes: - Add HTTP method validation to delete_comment.php (block CSRF via GET) - Remove $_GET fallback in comment deletion (was CSRF bypass vector) - Guard session_start() with session_status() check across API files - Escape json_encode() data attributes with htmlspecialchars in views - Escape inline APP_TIMEZONE config values in DashboardView/TicketView - Validate timezone param against DateTimeZone::listIdentifiers() in index.php - Remove Database::escape() (was using real_escape_string, not safe) - Fix AttachmentModel hardcoded connection; inject via constructor Backend fixes: - Fix CommentModel bind_param type for ticket_id (s→i) - Fix buildCommentThread orphan parent guard - Fix StatsModel JOIN→LEFT JOIN so unassigned tickets aren't excluded - Add ticket ID validation in BulkOperationsModel before implode() - Add duplicate key retry in TicketModel::createTicket() for race conditions - Wrap SavedFiltersModel default filter changes in transactions - Add null result guards in WorkflowModel query methods Frontend JS: - Rewrite toast.js as lt.toast shim (base.js dependency) - Delegate escapeHtml() to lt.escHtml() - Rewrite keyboard-shortcuts.js using lt.keys.on() - Migrate settings.js to lt.api.* and lt.modal.open/close() - Migrate advanced-search.js to lt.api.* and lt.modal.open/close() - Migrate dashboard.js fetch calls to lt.api.*; update all dynamic modals (bulk ops, quick actions, confirm/input) to lt-modal structure - Migrate ticket.js fetchMentionUsers to lt.api.get() - Remove console.log/error/warn calls from JS files Views: - Add /web_template/base.css and base.js to all 10 view files - Call lt.keys.initDefaults() in DashboardView, TicketView, admin views - Migrate all modal HTML from settings-modal/settings-content to lt-modal-overlay/lt-modal/lt-modal-header/lt-modal-body/lt-modal-footer - Replace style="display:none" with aria-hidden="true" on all modals - Replace modal open/close style.display with lt.modal.open/close() - Update modal buttons to lt-btn lt-btn-primary/lt-btn-ghost classes - Remove manual ESC keydown handlers (replaced by lt.keys.initDefaults) - Fix unescaped timezone values in TicketView inline script Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -24,7 +24,6 @@ function saveTicket() {
|
||||
const ticketId = getTicketIdFromUrl();
|
||||
|
||||
if (!ticketId) {
|
||||
console.error('Could not determine ticket ID');
|
||||
return;
|
||||
}
|
||||
|
||||
@@ -66,7 +65,6 @@ function saveTicket() {
|
||||
.then(response => {
|
||||
if (!response.ok) {
|
||||
return response.text().then(text => {
|
||||
console.error('Server response:', text);
|
||||
throw new Error('Network response was not ok');
|
||||
});
|
||||
}
|
||||
@@ -81,11 +79,9 @@ function saveTicket() {
|
||||
}
|
||||
toast.success('Ticket updated successfully');
|
||||
} else {
|
||||
console.error('Error in API response:', data.error || 'Unknown error');
|
||||
}
|
||||
})
|
||||
.catch(error => {
|
||||
console.error('Error updating ticket:', error);
|
||||
});
|
||||
}
|
||||
|
||||
@@ -140,14 +136,12 @@ function toggleEditMode() {
|
||||
function addComment() {
|
||||
const commentText = document.getElementById('newComment').value;
|
||||
if (!commentText.trim()) {
|
||||
console.error('Comment text cannot be empty');
|
||||
return;
|
||||
}
|
||||
|
||||
const ticketId = getTicketIdFromUrl();
|
||||
|
||||
if (!ticketId) {
|
||||
console.error('Could not determine ticket ID');
|
||||
return;
|
||||
}
|
||||
|
||||
@@ -169,7 +163,6 @@ function addComment() {
|
||||
.then(response => {
|
||||
if (!response.ok) {
|
||||
return response.text().then(text => {
|
||||
console.error('Server response:', text);
|
||||
throw new Error('Network response was not ok');
|
||||
});
|
||||
}
|
||||
@@ -224,11 +217,9 @@ function addComment() {
|
||||
|
||||
commentsList.insertBefore(commentDiv, commentsList.firstChild);
|
||||
} else {
|
||||
console.error('Error adding comment:', data.error || 'Unknown error');
|
||||
}
|
||||
})
|
||||
.catch(error => {
|
||||
console.error('Error adding comment:', error);
|
||||
});
|
||||
}
|
||||
|
||||
@@ -327,11 +318,9 @@ function handleAssignmentChange() {
|
||||
.then(data => {
|
||||
if (!data.success) {
|
||||
toast.error('Error updating assignment');
|
||||
console.error(data.error);
|
||||
}
|
||||
})
|
||||
.catch(error => {
|
||||
console.error('Error updating assignment:', error);
|
||||
toast.error('Error updating assignment: ' + error.message);
|
||||
});
|
||||
});
|
||||
@@ -365,7 +354,6 @@ function handleMetadataChanges() {
|
||||
.then(data => {
|
||||
if (!data.success) {
|
||||
toast.error(`Error updating ${fieldName}`);
|
||||
console.error(data.error);
|
||||
} else {
|
||||
// Update window.ticketData
|
||||
window.ticketData[fieldName] = fieldName === 'priority' ? parseInt(newValue) : newValue;
|
||||
@@ -387,7 +375,6 @@ function handleMetadataChanges() {
|
||||
}
|
||||
})
|
||||
.catch(error => {
|
||||
console.error(`Error updating ${fieldName}:`, error);
|
||||
toast.error(`Error updating ${fieldName}: ` + error.message);
|
||||
});
|
||||
}
|
||||
@@ -472,7 +459,6 @@ function performStatusChange(statusSelect, selectedOption, newStatus) {
|
||||
const text = await response.text();
|
||||
|
||||
if (!response.ok) {
|
||||
console.error('Server error response:', text);
|
||||
try {
|
||||
const data = JSON.parse(text);
|
||||
throw new Error(data.error || 'Server returned an error');
|
||||
@@ -484,7 +470,6 @@ function performStatusChange(statusSelect, selectedOption, newStatus) {
|
||||
try {
|
||||
return JSON.parse(text);
|
||||
} catch (parseError) {
|
||||
console.error('Failed to parse JSON:', text);
|
||||
throw new Error('Invalid JSON response from server');
|
||||
}
|
||||
})
|
||||
@@ -507,14 +492,12 @@ function performStatusChange(statusSelect, selectedOption, newStatus) {
|
||||
window.location.reload();
|
||||
}, 500);
|
||||
} else {
|
||||
console.error('Error updating status:', data.error || 'Unknown error');
|
||||
toast.error('Error updating status: ' + (data.error || 'Unknown error'));
|
||||
// Reset to current status
|
||||
statusSelect.selectedIndex = 0;
|
||||
}
|
||||
})
|
||||
.catch(error => {
|
||||
console.error('Error updating status:', error);
|
||||
toast.error('Error updating status: ' + error.message);
|
||||
// Reset to current status
|
||||
statusSelect.selectedIndex = 0;
|
||||
@@ -530,7 +513,6 @@ function showTab(tabName) {
|
||||
const activityTab = document.getElementById('activity-tab');
|
||||
|
||||
if (!descriptionTab || !commentsTab) {
|
||||
console.error('Tab elements not found');
|
||||
return;
|
||||
}
|
||||
|
||||
@@ -592,12 +574,10 @@ function loadDependencies() {
|
||||
renderDependencies(data.dependencies);
|
||||
renderDependents(data.dependents);
|
||||
} else {
|
||||
console.error('Error loading dependencies:', data.error);
|
||||
showDependencyError(data.error || 'Failed to load dependencies');
|
||||
}
|
||||
})
|
||||
.catch(error => {
|
||||
console.error('Error loading dependencies:', error);
|
||||
showDependencyError('Failed to load dependencies. The feature may not be available.');
|
||||
});
|
||||
}
|
||||
@@ -720,7 +700,6 @@ function addDependency() {
|
||||
}
|
||||
})
|
||||
.catch(error => {
|
||||
console.error('Error adding dependency:', error);
|
||||
toast.error('Error adding dependency', 4000);
|
||||
});
|
||||
}
|
||||
@@ -751,7 +730,6 @@ function removeDependency(dependencyId) {
|
||||
}
|
||||
})
|
||||
.catch(error => {
|
||||
console.error('Error removing dependency:', error);
|
||||
toast.error('Error removing dependency', 4000);
|
||||
});
|
||||
}
|
||||
@@ -910,7 +888,6 @@ function loadAttachments() {
|
||||
}
|
||||
})
|
||||
.catch(error => {
|
||||
console.error('Error loading attachments:', error);
|
||||
container.innerHTML = '<p style="color: var(--terminal-green-dim);">Error loading attachments.</p>';
|
||||
});
|
||||
}
|
||||
@@ -998,7 +975,6 @@ function deleteAttachment(attachmentId) {
|
||||
}
|
||||
})
|
||||
.catch(error => {
|
||||
console.error('Error deleting attachment:', error);
|
||||
toast.error('Error deleting attachment', 4000);
|
||||
});
|
||||
}
|
||||
@@ -1042,18 +1018,13 @@ function initMentionAutocomplete() {
|
||||
* Fetch available users for mentions
|
||||
*/
|
||||
function fetchMentionUsers() {
|
||||
fetch('/api/get_users.php', {
|
||||
credentials: 'same-origin'
|
||||
})
|
||||
.then(response => response.json())
|
||||
lt.api.get('/api/get_users.php')
|
||||
.then(data => {
|
||||
if (data.success && data.users) {
|
||||
mentionUsers = data.users;
|
||||
}
|
||||
})
|
||||
.catch(error => {
|
||||
console.error('Error fetching users for mentions:', error);
|
||||
});
|
||||
.catch(() => { /* silently ignore mention user fetch failures */ });
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -1380,7 +1351,6 @@ function saveEditComment(commentId) {
|
||||
}
|
||||
})
|
||||
.catch(error => {
|
||||
console.error('Error updating comment:', error);
|
||||
showToast('Failed to update comment', 'error');
|
||||
});
|
||||
}
|
||||
@@ -1434,7 +1404,6 @@ function deleteComment(commentId) {
|
||||
}
|
||||
})
|
||||
.catch(error => {
|
||||
console.error('Error deleting comment:', error);
|
||||
showToast('Failed to delete comment', 'error');
|
||||
});
|
||||
}
|
||||
@@ -1596,7 +1565,6 @@ function submitReply(parentCommentId) {
|
||||
}
|
||||
})
|
||||
.catch(error => {
|
||||
console.error('Error adding reply:', error);
|
||||
showToast('Failed to add reply', 'error');
|
||||
});
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user