diff --git a/README.md b/README.md index b72c9d5..0b2997a 100644 --- a/README.md +++ b/README.md @@ -225,7 +225,6 @@ Access all admin pages via the **Admin dropdown** in the dashboard header. | `/api/saved_filters.php` | CRUD | Saved filter combinations | | `/api/user_preferences.php` | GET/POST | User preferences | | `/api/audit_log.php` | GET | Audit log entries (admin) | -| `/api/bootstrap.php` | GET | Bootstrap config/user data for front-end | | `/api/health.php` | GET | Health check | ## Project Structure @@ -236,7 +235,7 @@ tinker_tickets/ │ ├── add_comment.php # POST: Add comment │ ├── assign_ticket.php # POST: Assign ticket to user │ ├── audit_log.php # GET: Audit log entries (admin) -│ ├── bootstrap.php # GET: Bootstrap data (config/user for front-end) +│ ├── bootstrap.php # Shared auth/setup include (not a public endpoint) │ ├── bulk_operation.php # POST: Bulk operations (admin only) │ ├── check_duplicates.php # GET: Check for duplicate tickets │ ├── clone_ticket.php # POST: Clone an existing ticket diff --git a/api/clone_ticket.php b/api/clone_ticket.php index f6e062a..8d49c66 100644 --- a/api/clone_ticket.php +++ b/api/clone_ticket.php @@ -74,13 +74,11 @@ try { exit; } - // Authorization: non-admins cannot clone internal tickets unless they created/are assigned - if (!$isAdmin && ($sourceTicket['visibility'] ?? 'public') === 'internal') { - if ($sourceTicket['created_by'] != $userId && $sourceTicket['assigned_to'] != $userId) { - http_response_code(403); - echo json_encode(['success' => false, 'error' => 'Permission denied']); - exit; - } + // Verify the user can access this ticket using centralized visibility logic + if (!$ticketModel->canUserAccessTicket($sourceTicket, $_SESSION['user'])) { + http_response_code(404); + echo json_encode(['success' => false, 'error' => 'Source ticket not found']); + exit; } // Prepare cloned ticket data