LotusGuild/tinker_tickets
3
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity

fix: Fix delete_attachment.php AuditLogModel calls

Browse Source 
- Add session status check
- Remove broken AuditLogModel call without $conn in CSRF check
- Fix AuditLogModel instantiation with proper $conn parameter
- Fix log() call to pass array instead of JSON string for details

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Jared Vititoe
2026-01-20 17:00:54 -05:00
parent 10d5075f2d
commit ebf318f8af
1 changed files with 30 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
api/delete_attachment.php
View File

@@ -5,11 +5,19 @@
* Handles deletion of ticket attachments * Handles deletion of ticket attachments
*/ */
// Apply rate limiting // Capture errors for debugging
ini_set('display_errors', 0);
error_reporting(E_ALL);
// Apply rate limiting (also starts session)
require_once dirname(__DIR__) . '/middleware/RateLimitMiddleware.php'; require_once dirname(__DIR__) . '/middleware/RateLimitMiddleware.php';
RateLimitMiddleware::apply('api'); RateLimitMiddleware::apply('api');
session_start(); // Ensure session is started
if (session_status() === PHP_SESSION_NONE) {
session_start();
}
require_once dirname(__DIR__) . '/config/config.php'; require_once dirname(__DIR__) . '/config/config.php';
require_once dirname(__DIR__) . '/helpers/ResponseHelper.php'; require_once dirname(__DIR__) . '/helpers/ResponseHelper.php';
require_once dirname(__DIR__) . '/models/AttachmentModel.php'; require_once dirname(__DIR__) . '/models/AttachmentModel.php';
@@ -37,8 +45,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
// Verify CSRF token // Verify CSRF token
$csrfToken = $input['csrf_token'] ?? $_SERVER['HTTP_X_CSRF_TOKEN'] ?? ''; $csrfToken = $input['csrf_token'] ?? $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
if (!CsrfMiddleware::validateToken($csrfToken)) { if (!CsrfMiddleware::validateToken($csrfToken)) {
$auditLog = new AuditLogModel();
$auditLog->logCsrfFailure($_SESSION['user']['user_id'] ?? null, 'delete_attachment');
ResponseHelper::forbidden('Invalid CSRF token'); ResponseHelper::forbidden('Invalid CSRF token');
} }
@@ -81,19 +87,27 @@ try {
} }
// Log the deletion // Log the deletion
$auditLog = new AuditLogModel(); $conn = new mysqli(
$GLOBALS['config']['DB_HOST'],
$GLOBALS['config']['DB_USER'],
$GLOBALS['config']['DB_PASS'],
$GLOBALS['config']['DB_NAME']
);
if (!$conn->connect_error) {
$auditLog = new AuditLogModel($conn);
$auditLog->log( $auditLog->log(
$_SESSION['user']['user_id'], $_SESSION['user']['user_id'],
'attachment_delete', 'attachment_delete',
'ticket_attachments', 'ticket_attachments',
$attachmentId, (string)$attachmentId,
json_encode([ [
'ticket_id' => $attachment['ticket_id'], 'ticket_id' => $attachment['ticket_id'],
'filename' => $attachment['original_filename'], 'filename' => $attachment['original_filename'],
'size' => $attachment['file_size'] 'size' => $attachment['file_size']
]), ]
null
); );
$conn->close();
}
ResponseHelper::success([], 'Attachment deleted successfully'); ResponseHelper::success([], 'Attachment deleted successfully');