Security: add authorization checks to ticket_dependencies API

- POST /ticket_dependencies: verify user can access both the source
  ticket and the target ticket before creating a dependency
- DELETE by ticket IDs: verify user can access source ticket; also
  validate dependency_type against the allowed whitelist
- DELETE by dependency_id: look up dependency's ticket before deletion
  and verify user can access it, preventing IDOR
- custom_fields.php: validate json_decode returns an array on POST/PUT;
  add http_response_code(400) to all error responses

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

api/custom_fields.php

@@ -66,23 +66,35 @@ try {
 
         case 'POST':
             $data = json_decode(file_get_contents('php://input'), true);
+            if (!is_array($data)) {
+                http_response_code(400);
+                echo json_encode(['success' => false, 'error' => 'Invalid JSON']);
+                exit;
+            }
             $result = $model->createDefinition($data);
             echo json_encode($result);
             break;
 
         case 'PUT':
             if (!$id) {
+                http_response_code(400);
                 echo json_encode(['success' => false, 'error' => 'ID required']);
                 exit;
             }
 
             $data = json_decode(file_get_contents('php://input'), true);
+            if (!is_array($data)) {
+                http_response_code(400);
+                echo json_encode(['success' => false, 'error' => 'Invalid JSON']);
+                exit;
+            }
             $result = $model->updateDefinition($id, $data);
             echo json_encode($result);
             break;
 
         case 'DELETE':
             if (!$id) {
+                http_response_code(400);
                 echo json_encode(['success' => false, 'error' => 'ID required']);
                 exit;
             }