Fix performAdvancedSearch ReferenceError, settings save, sort reset, notifications 500, CSP
DashboardView.php: wrap performAdvancedSearch in a closure so it is
resolved at event-fire time rather than listener-registration time
(advanced-search.js loads later via pageScripts so the bare identifier
reference caused ReferenceError).
DashboardView.php: reset the sort URL to page=1 so sorting applies to all
pages instead of staying on the current page.
dashboard.js: add missing save-settings and close-settings cases to
the click delegation handler (were removed in a prior session under
the assumption they were in dashboard.js, but they were not).
notifications.php: replace JSON_EXTRACT-based comment join (not
universally supported) with a two-step PHP filter: fetch owner/watcher
ticket IDs first, then filter raw comment rows in PHP. Also fix the
status change LIKE pattern to match the actual logTicketUpdate format
{"status": {"from": ..., "to": ...}}.
SecurityHeadersMiddleware.php: add https://cdn.jsdelivr.net to
connect-src so Chart.js source maps load without CSP violations.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
+38
-9
@@ -65,28 +65,57 @@ $assignRows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
|
||||
$stmt->close();
|
||||
|
||||
// Query 2: Comments on tickets I own or watch (events from other users)
|
||||
// Comments are logged as action_type='create', entity_type='comment', with ticket_id in details JSON.
|
||||
$commentSql = "SELECT DISTINCT
|
||||
// Comments are logged as action_type='create', entity_type='comment', ticket_id stored in details JSON.
|
||||
// Avoid JSON_EXTRACT (not universally supported) — fetch recent entries then filter in PHP.
|
||||
|
||||
// Step A: ticket IDs the current user owns or watches
|
||||
$myTicketIds = [];
|
||||
$myTicketsSql = "SELECT DISTINCT ticket_id FROM tickets WHERE assigned_to = ? OR created_by = ?";
|
||||
$stmt = $conn->prepare($myTicketsSql);
|
||||
$stmt->bind_param('ii', $userId, $userId);
|
||||
$stmt->execute();
|
||||
$mtResult = $stmt->get_result();
|
||||
while ($mtRow = $mtResult->fetch_assoc()) { $myTicketIds[(int)$mtRow['ticket_id']] = true; }
|
||||
$stmt->close();
|
||||
|
||||
$watchedSql = "SELECT ticket_id FROM ticket_watchers WHERE user_id = ?";
|
||||
$stmt = $conn->prepare($watchedSql);
|
||||
$stmt->bind_param('i', $userId);
|
||||
$stmt->execute();
|
||||
$wResult = $stmt->get_result();
|
||||
while ($wRow = $wResult->fetch_assoc()) { $myTicketIds[(int)$wRow['ticket_id']] = true; }
|
||||
$stmt->close();
|
||||
|
||||
// Step B: fetch recent comment audit events not by the current user
|
||||
$commentSql = "SELECT
|
||||
al.log_id, al.action_type, al.entity_type, al.entity_id, al.details, al.created_at,
|
||||
COALESCE(u.display_name, u.username, 'System') AS actor_name
|
||||
FROM audit_log al
|
||||
LEFT JOIN users u ON al.user_id = u.user_id
|
||||
INNER JOIN tickets t ON t.ticket_id = CAST(JSON_UNQUOTE(JSON_EXTRACT(al.details, '$.ticket_id')) AS UNSIGNED)
|
||||
LEFT JOIN ticket_watchers tw ON tw.ticket_id = t.ticket_id AND tw.user_id = ?
|
||||
WHERE al.action_type = 'create'
|
||||
AND al.entity_type = 'comment'
|
||||
AND al.user_id != ?
|
||||
AND al.created_at >= DATE_SUB(NOW(), INTERVAL 7 DAY)
|
||||
AND (t.assigned_to = ? OR t.created_by = ? OR tw.user_id IS NOT NULL)
|
||||
ORDER BY al.created_at DESC
|
||||
LIMIT 15";
|
||||
LIMIT 50";
|
||||
|
||||
$stmt = $conn->prepare($commentSql);
|
||||
$stmt->bind_param('iiii', $userId, $userId, $userId, $userId);
|
||||
$stmt->bind_param('i', $userId);
|
||||
$stmt->execute();
|
||||
$commentRows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
|
||||
$rawCommentRows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
|
||||
$stmt->close();
|
||||
|
||||
// Step C: filter to only comments on tickets the current user owns/watches
|
||||
$commentRows = [];
|
||||
foreach ($rawCommentRows as $rawRow) {
|
||||
$d = json_decode($rawRow['details'] ?? '{}', true) ?? [];
|
||||
$tid = (int)($d['ticket_id'] ?? 0);
|
||||
if ($tid > 0 && isset($myTicketIds[$tid])) {
|
||||
$commentRows[] = $rawRow;
|
||||
if (count($commentRows) >= 15) break;
|
||||
}
|
||||
}
|
||||
|
||||
// Query 3: Status changes on watched tickets (from other users)
|
||||
$statusSql = "SELECT DISTINCT
|
||||
al.log_id, al.action_type, al.entity_type, al.entity_id, al.details, al.created_at,
|
||||
@@ -98,7 +127,7 @@ $statusSql = "SELECT DISTINCT
|
||||
AND al.entity_type = 'ticket'
|
||||
AND al.user_id != ?
|
||||
AND al.created_at >= DATE_SUB(NOW(), INTERVAL 7 DAY)
|
||||
AND al.details LIKE '%\"field\":\"status\"%'
|
||||
AND al.details LIKE '%"status":%'
|
||||
ORDER BY al.created_at DESC
|
||||
LIMIT 10";
|
||||
|
||||
|
||||
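Review bot: The Step C filter only ever sees the 50 most recent other-user comment events (`LIMIT 50` replaces the old `LIMIT 15` whose ownership check ran in SQL), so a user whose own tickets are quieter than the rest of the system can receive zero comment notifications even though older matching rows exist within the 7-day window; the removed join had no such gap. A simple mitigation is to page through the window (`LIMIT 50 OFFSET ?` in a loop) until 15 matches are collected or a page returns short, or to bound the scan by the 7-day window instead of a row count. Separately, in the second hunk `AND al.details LIKE '%"status":%'` sits inside the double-quoted `$statusSql = "SELECT DISTINCT` PHP string, and as rendered its inner quotes are unescaped, unlike the `\"field\"` escapes on the line it replaces; if that is not a rendering artifact the string literal terminates early, and `'%\"status\":%'` is the form consistent with the removed line. Note also that the new pattern matches any ticket-update details containing a `"status":` key at any depth, so it is a looser filter than the field-name match it replaced; worth confirming against the logTicketUpdate writer, which is outside this hunk.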