From a403e49537eda122234a0ce44e0cdabafd8b7850 Mon Sep 17 00:00:00 2001
From: Jared Vititoe <jjvititoe1@gmail.com>
Date: Fri, 20 Mar 2026 21:47:03 -0400
Subject: [PATCH] Use canUserAccessTicket() in clone_ticket.php; fix README
 bootstrap entry

- clone_ticket.php: replace custom visibility check with centralized canUserAccessTicket(); return 404 (not 403) for inaccessible tickets
- README.md: remove bootstrap.php from the API endpoints table (it's a shared include, not a public endpoint); correct its project structure description

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 README.md            |  3 +--
 api/clone_ticket.php | 12 +++++-------
 2 files changed, 6 insertions(+), 9 deletions(-)

diff --git a/README.md b/README.md
index b72c9d5..0b2997a 100644
--- a/README.md
+++ b/README.md
@@ -225,7 +225,6 @@ Access all admin pages via the **Admin dropdown** in the dashboard header.
 | `/api/saved_filters.php` | CRUD | Saved filter combinations |
 | `/api/user_preferences.php` | GET/POST | User preferences |
 | `/api/audit_log.php` | GET | Audit log entries (admin) |
-| `/api/bootstrap.php` | GET | Bootstrap config/user data for front-end |
 | `/api/health.php` | GET | Health check |
 
 ## Project Structure
@@ -236,7 +235,7 @@ tinker_tickets/
 │   ├── add_comment.php                   # POST: Add comment
 │   ├── assign_ticket.php                 # POST: Assign ticket to user
 │   ├── audit_log.php                     # GET: Audit log entries (admin)
-│   ├── bootstrap.php                     # GET: Bootstrap data (config/user for front-end)
+│   ├── bootstrap.php                     # Shared auth/setup include (not a public endpoint)
 │   ├── bulk_operation.php                # POST: Bulk operations (admin only)
 │   ├── check_duplicates.php              # GET: Check for duplicate tickets
 │   ├── clone_ticket.php                  # POST: Clone an existing ticket
diff --git a/api/clone_ticket.php b/api/clone_ticket.php
index f6e062a..8d49c66 100644
--- a/api/clone_ticket.php
+++ b/api/clone_ticket.php
@@ -74,13 +74,11 @@ try {
         exit;
     }
 
-    // Authorization: non-admins cannot clone internal tickets unless they created/are assigned
-    if (!$isAdmin && ($sourceTicket['visibility'] ?? 'public') === 'internal') {
-        if ($sourceTicket['created_by'] != $userId && $sourceTicket['assigned_to'] != $userId) {
-            http_response_code(403);
-            echo json_encode(['success' => false, 'error' => 'Permission denied']);
-            exit;
-        }
+    // Verify the user can access this ticket using centralized visibility logic
+    if (!$ticketModel->canUserAccessTicket($sourceTicket, $_SESSION['user'])) {
+        http_response_code(404);
+        echo json_encode(['success' => false, 'error' => 'Source ticket not found']);
+        exit;
     }
 
     // Prepare cloned ticket data