Audit fixes: security, dead code removal, API consolidation, JS dedup
Security: - Fix IDOR in delete/update comment (add ticket visibility check) - XSS defense-in-depth in DashboardView active filters - Replace innerHTML with DOM construction in toast.js - Remove redundant real_escape_string in check_duplicates - Add rate limiting to get_template, download_attachment, audit_log, saved_filters, user_preferences endpoints Bug fixes: - Session timeout now reads from config instead of hardcoded 18000 - TicketController uses $GLOBALS['config'] instead of duplicate .env parsing - Add DISCORD_WEBHOOK_URL to centralized config - Cleanup script uses hashmap for O(1) ticket ID lookups Dead code removal (~100 lines): - Remove dead getTicketComments() from TicketModel (wrong bind_param type) - Remove dead getCategories()/getTypes() from DashboardController - Remove ~80 lines dead Discord webhook code from update_ticket API Consolidation: - Create api/bootstrap.php for shared API setup (auth, CSRF, rate limit) - Convert 6 API endpoints to use bootstrap - Extract escapeHtml/getTicketIdFromUrl into shared utils.js - Batch save for user preferences (1 request instead of 7) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -4,36 +4,9 @@
|
||||
* Handles GET (fetch preferences) and POST (update preference)
|
||||
*/
|
||||
|
||||
require_once dirname(__DIR__) . '/config/config.php';
|
||||
require_once dirname(__DIR__) . '/helpers/Database.php';
|
||||
require_once __DIR__ . '/bootstrap.php';
|
||||
require_once dirname(__DIR__) . '/models/UserPreferencesModel.php';
|
||||
|
||||
session_start();
|
||||
header('Content-Type: application/json');
|
||||
|
||||
// Check authentication
|
||||
if (!isset($_SESSION['user']) || !isset($_SESSION['user']['user_id'])) {
|
||||
http_response_code(401);
|
||||
echo json_encode(['success' => false, 'error' => 'Not authenticated']);
|
||||
exit;
|
||||
}
|
||||
|
||||
// CSRF Protection
|
||||
require_once dirname(__DIR__) . '/middleware/CsrfMiddleware.php';
|
||||
if ($_SERVER['REQUEST_METHOD'] === 'POST' || $_SERVER['REQUEST_METHOD'] === 'DELETE') {
|
||||
$csrfToken = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
|
||||
if (!CsrfMiddleware::validateToken($csrfToken)) {
|
||||
http_response_code(403);
|
||||
echo json_encode(['success' => false, 'error' => 'Invalid CSRF token']);
|
||||
exit;
|
||||
}
|
||||
}
|
||||
|
||||
$userId = $_SESSION['user']['user_id'];
|
||||
|
||||
// Use centralized database connection
|
||||
$conn = Database::getConnection();
|
||||
|
||||
$prefsModel = new UserPreferencesModel($conn);
|
||||
|
||||
// GET - Fetch all preferences for user
|
||||
@@ -48,19 +21,10 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
|
||||
exit;
|
||||
}
|
||||
|
||||
// POST - Update a preference
|
||||
// POST - Update preference(s)
|
||||
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
|
||||
$data = json_decode(file_get_contents('php://input'), true);
|
||||
|
||||
if (!isset($data['key']) || !isset($data['value'])) {
|
||||
http_response_code(400);
|
||||
echo json_encode(['success' => false, 'error' => 'Missing key or value']);
|
||||
exit;
|
||||
}
|
||||
|
||||
$key = trim($data['key']);
|
||||
$value = $data['value'];
|
||||
|
||||
// Validate preference key (whitelist)
|
||||
$validKeys = [
|
||||
'rows_per_page',
|
||||
@@ -71,10 +35,39 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
|
||||
'toast_duration'
|
||||
];
|
||||
|
||||
// Support batch save: { preferences: { key: value, ... } }
|
||||
if (isset($data['preferences']) && is_array($data['preferences'])) {
|
||||
try {
|
||||
foreach ($data['preferences'] as $key => $value) {
|
||||
$key = trim($key);
|
||||
if (!in_array($key, $validKeys)) continue;
|
||||
$prefsModel->setPreference($userId, $key, $value);
|
||||
if ($key === 'rows_per_page') {
|
||||
setcookie('ticketsPerPage', $value, time() + (86400 * 365), '/');
|
||||
}
|
||||
}
|
||||
echo json_encode(['success' => true]);
|
||||
} catch (Exception $e) {
|
||||
http_response_code(500);
|
||||
echo json_encode(['success' => false, 'error' => 'Failed to save preferences']);
|
||||
}
|
||||
exit;
|
||||
}
|
||||
|
||||
// Single preference: { key, value }
|
||||
if (!isset($data['key']) || !isset($data['value'])) {
|
||||
http_response_code(400);
|
||||
echo json_encode(['success' => false, 'error' => 'Missing key or value']);
|
||||
exit;
|
||||
}
|
||||
|
||||
$key = trim($data['key']);
|
||||
$value = $data['value'];
|
||||
|
||||
if (!in_array($key, $validKeys)) {
|
||||
http_response_code(400);
|
||||
echo json_encode(['success' => false, 'error' => 'Invalid preference key']);
|
||||
exit;
|
||||
exit;
|
||||
}
|
||||
|
||||
try {
|
||||
@@ -100,7 +93,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'DELETE') {
|
||||
if (!isset($data['key'])) {
|
||||
http_response_code(400);
|
||||
echo json_encode(['success' => false, 'error' => 'Missing key']);
|
||||
exit;
|
||||
exit;
|
||||
}
|
||||
|
||||
try {
|
||||
@@ -116,5 +109,3 @@ if ($_SERVER['REQUEST_METHOD'] === 'DELETE') {
|
||||
// Method not allowed
|
||||
http_response_code(405);
|
||||
echo json_encode(['success' => false, 'error' => 'Method not allowed']);
|
||||
$conn->close();
|
||||
?>
|
||||
|
||||
Reference in New Issue
Block a user