Audit fixes: security, dead code removal, API consolidation, JS dedup
Security: - Fix IDOR in delete/update comment (add ticket visibility check) - XSS defense-in-depth in DashboardView active filters - Replace innerHTML with DOM construction in toast.js - Remove redundant real_escape_string in check_duplicates - Add rate limiting to get_template, download_attachment, audit_log, saved_filters, user_preferences endpoints Bug fixes: - Session timeout now reads from config instead of hardcoded 18000 - TicketController uses $GLOBALS['config'] instead of duplicate .env parsing - Add DISCORD_WEBHOOK_URL to centralized config - Cleanup script uses hashmap for O(1) ticket ID lookups Dead code removal (~100 lines): - Remove dead getTicketComments() from TicketModel (wrong bind_param type) - Remove dead getCategories()/getTypes() from DashboardController - Remove ~80 lines dead Discord webhook code from update_ticket API Consolidation: - Create api/bootstrap.php for shared API setup (auth, CSRF, rate limit) - Convert 6 API endpoints to use bootstrap - Extract escapeHtml/getTicketIdFromUrl into shared utils.js - Batch save for user preferences (1 request instead of 7) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -187,12 +187,5 @@ class DashboardController {
|
||||
return ['categories' => $categories, 'types' => $types];
|
||||
}
|
||||
|
||||
private function getCategories(): array {
|
||||
return $this->getCategoriesAndTypes()['categories'];
|
||||
}
|
||||
|
||||
private function getTypes(): array {
|
||||
return $this->getCategoriesAndTypes()['types'];
|
||||
}
|
||||
}
|
||||
?>
|
||||
@@ -15,7 +15,6 @@ class TicketController {
|
||||
private $userModel;
|
||||
private $workflowModel;
|
||||
private $templateModel;
|
||||
private $envVars;
|
||||
private $conn;
|
||||
|
||||
public function __construct($conn) {
|
||||
@@ -26,26 +25,6 @@ class TicketController {
|
||||
$this->userModel = new UserModel($conn);
|
||||
$this->workflowModel = new WorkflowModel($conn);
|
||||
$this->templateModel = new TemplateModel($conn);
|
||||
|
||||
// Load environment variables for Discord webhook
|
||||
$envPath = dirname(__DIR__) . '/.env';
|
||||
$this->envVars = [];
|
||||
if (file_exists($envPath)) {
|
||||
$lines = file($envPath, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
|
||||
foreach ($lines as $line) {
|
||||
if (strpos($line, '=') !== false && strpos($line, '#') !== 0) {
|
||||
list($key, $value) = explode('=', $line, 2);
|
||||
$key = trim($key);
|
||||
$value = trim($value);
|
||||
// Remove surrounding quotes if present
|
||||
if ((substr($value, 0, 1) === '"' && substr($value, -1) === '"') ||
|
||||
(substr($value, 0, 1) === "'" && substr($value, -1) === "'")) {
|
||||
$value = substr($value, 1, -1);
|
||||
}
|
||||
$this->envVars[$key] = $value;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
public function view($id) {
|
||||
@@ -217,13 +196,12 @@ class TicketController {
|
||||
}
|
||||
|
||||
private function sendDiscordWebhook($ticketId, $ticketData) {
|
||||
if (!isset($this->envVars['DISCORD_WEBHOOK_URL']) || empty($this->envVars['DISCORD_WEBHOOK_URL'])) {
|
||||
$webhookUrl = $GLOBALS['config']['DISCORD_WEBHOOK_URL'] ?? null;
|
||||
if (empty($webhookUrl)) {
|
||||
error_log("Discord webhook URL not configured, skipping webhook for ticket creation");
|
||||
return;
|
||||
}
|
||||
|
||||
$webhookUrl = $this->envVars['DISCORD_WEBHOOK_URL'];
|
||||
|
||||
// Create ticket URL using validated host
|
||||
$ticketUrl = UrlHelper::ticketUrl($ticketId);
|
||||
|
||||
|
||||
Reference in New Issue
Block a user