Audit fixes: security, dead code removal, API consolidation, JS dedup

Security: - Fix IDOR in delete/update comment (add ticket visibility check) - XSS defense-in-depth in DashboardView active filters - Replace innerHTML with DOM construction in toast.js - Remove redundant real_escape_string in check_duplicates - Add rate limiting to get_template, download_attachment, audit_log, saved_filters, user_preferences endpoints Bug fixes: - Session timeout now reads from config instead of hardcoded 18000 - TicketController uses $GLOBALS['config'] instead of duplicate .env parsing - Add DISCORD_WEBHOOK_URL to centralized config - Cleanup script uses hashmap for O(1) ticket ID lookups Dead code removal (~100 lines): - Remove dead getTicketComments() from TicketModel (wrong bind_param type) - Remove dead getCategories()/getTypes() from DashboardController - Remove ~80 lines dead Discord webhook code from update_ticket API Consolidation: - Create api/bootstrap.php for shared API setup (auth, CSRF, rate limit) - Convert 6 API endpoints to use bootstrap - Extract escapeHtml/getTicketIdFromUrl into shared utils.js - Batch save for user preferences (1 request instead of 7) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-11 14:50:06 -05:00
parent 15063838bd
commit bcc163bc77
26 changed files with 197 additions and 389 deletions
--- a/assets/js/settings.js
+++ b/assets/js/settings.js
@@ -94,22 +94,20 @@ async function saveSettings() {
    };

    try {
-        // Save each preference
-        for (const [key, value] of Object.entries(prefs)) {
-            const response = await fetch('/api/user_preferences.php', {
-                method: 'POST',
-                credentials: 'same-origin',
-                headers: {
-                    'Content-Type': 'application/json',
-                    'X-CSRF-Token': window.CSRF_TOKEN
-                },
-                body: JSON.stringify({ key, value })
-            });
+        // Batch save all preferences in one request
+        const response = await fetch('/api/user_preferences.php', {
+            method: 'POST',
+            credentials: 'same-origin',
+            headers: {
+                'Content-Type': 'application/json',
+                'X-CSRF-Token': window.CSRF_TOKEN
+            },
+            body: JSON.stringify({ preferences: prefs })
+        });

-            const result = await response.json();
-            if (!result.success) {
-                throw new Error(`Failed to save ${key}`);
-            }
+        const result = await response.json();
+        if (!result.success) {
+            throw new Error('Failed to save preferences');
        }

        if (typeof toast !== 'undefined') {