From d33f761a55a043b7ddb40c3cf6a0d0a31c67bb1f Mon Sep 17 00:00:00 2001
From: Jared Vititoe
Date: Sat, 28 Mar 2026 22:35:48 -0400
Subject: [PATCH] Fix loose comparisons in authorization checks
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- TicketModel.php: fix bind_param "sssi"→"issi" for ticketId in addComment()
- TicketModel.php: use strict (int) cast === for confidential ticket access check
- update_ticket.php: use strict (int) cast !== for creator/assignee auth check
- AttachmentModel.php: use strict (int) cast === for upload ownership check

Co-Authored-By: Claude Sonnet 4.6
---
 api/update_ticket.php | 4 ++--
 models/AttachmentModel.php | 2 +-
 models/TicketModel.php | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/api/update_ticket.php b/api/update_ticket.php
index 592fb03..f4f3ac1 100644
--- a/api/update_ticket.php
+++ b/api/update_ticket.php
@@ -92,8 +92,8 @@ try {
 // Authorization: admins can edit any ticket; others only their own or assigned
 if (!$this->isAdmin
- && $currentTicket['created_by'] != $this->userId
- && $currentTicket['assigned_to'] != $this->userId
+ && (int)$currentTicket['created_by'] !== (int)$this->userId
+ && (int)$currentTicket['assigned_to'] !== (int)$this->userId
 ) {
 return [
 'success' => false,
diff --git a/models/AttachmentModel.php b/models/AttachmentModel.php
index 82c4626..c5d6ac4 100644
--- a/models/AttachmentModel.php
+++ b/models/AttachmentModel.php
@@ -131,7 +131,7 @@ class AttachmentModel {
 }
 $attachment = $this->getAttachment($attachmentId);
- return $attachment && $attachment['uploaded_by'] == $userId;
+ return $attachment && (int)$attachment['uploaded_by'] === (int)$userId;
 }
 /**
diff --git a/models/TicketModel.php b/models/TicketModel.php
index b3f8b53..74bffa3 100644
--- a/models/TicketModel.php
+++ b/models/TicketModel.php
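Review bot: The `(int)` casts on the two new `&&` lines in the update_ticket.php hunk map a NULL `assigned_to` (an unassigned ticket) and a null `$this->userId` both to 0, so `0 !== 0` is false and the deny branch below it is skipped; the AttachmentModel hunk (`uploaded_by`) and the TicketModel confidential-visibility hunk, where `$userId` is explicitly `$user['user_id'] ?? null`, have the same gap. Fail closed before comparing: reject a null user id up front (`if ($userId === null) { return false; }` in the confidential branch) and only compare a column that is actually set, e.g. `&& ($currentTicket['assigned_to'] === null || (int)$currentTicket['assigned_to'] !== (int)$this->userId)`. The cast is also only sound if `created_by`, `assigned_to` and `uploaded_by` hold numeric ids; if any of them stores a username (addComment binds `$username` as a string in the TicketModel hunk), `(int)` turns every value into 0 and the ownership check passes for any caller, which is worth confirming against the schema. The enclosing function in update_ticket.php starts before the hunk and its `return [` array continues past it, and the AttachmentModel method's signature is likewise outside the hunk.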
@@ -468,7 +468,7 @@ class TicketModel {
 $markdownEnabled = $commentData['markdown_enabled'] ? 1 : 0;
 $stmt->bind_param(
- "sssi",
+ "issi",
 $ticketId,
 $username,
 $commentData['comment_text'],
@@ -591,7 +591,7 @@ class TicketModel {
 // Confidential tickets: only creator, assignee, and admins
 if ($visibility === 'confidential') {
 $userId = $user['user_id'] ?? null;
- return ($ticket['created_by'] == $userId || $ticket['assigned_to'] == $userId);
+ return ((int)$ticket['created_by'] === (int)$userId || (int)$ticket['assigned_to'] === (int)$userId);
 }
 // Internal tickets: check if user is in any of the allowed groups
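Review bot: The corrected `"issi"` type string on the bind_param line only holds if `$ticketId` is an integer by the time it is bound: as far as I can tell, with an `i` type mysqli converts a non-numeric string to 0 instead of failing, so a malformed id would be stored against ticket 0 (or hit a foreign-key error) rather than being rejected. If callers can pass a string, validate at the top of addComment, e.g. `if (!is_int($ticketId) && !ctype_digit((string)$ticketId)) { throw new \InvalidArgumentException('ticketId must be an integer'); }`, and normalise with `$ticketId = (int)$ticketId;` before binding. A short comment on the type string would also stop this regressing, e.g. `// types track the argument order: $ticketId (i), $username (s), comment_text (s), then presumably $markdownEnabled (i)`. The bind_param call is cut off at the end of the hunk and addComment's signature is above it, so the remaining argument and the origin of `$ticketId` can't be confirmed here.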