Security hardening and performance improvements

- Add visibility check to attachment downloads (prevents unauthorized access) - Fix ticket ID collision with uniqueness verification loop - Harden CSP: replace unsafe-inline with nonce-based script execution - Add IP-based rate limiting (supplements session-based) - Add visibility checks to bulk operations - Validate internal visibility requires groups - Optimize user activity query (JOINs vs subqueries) - Update documentation with design decisions and security info Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-28 20:27:15 -05:00
parent a08390a500
commit fa40010287
17 changed files with 457 additions and 128 deletions
--- a/api/bulk_operation.php
+++ b/api/bulk_operation.php
@@ -55,6 +55,9 @@ foreach ($ticketIds as $ticketId) {
    }
 }

+// Create database connection (needed for visibility check)
+require_once dirname(__DIR__) . '/models/TicketModel.php';
+
 // Create database connection
 $conn = new mysqli(
    $GLOBALS['config']['DB_HOST'],
@@ -69,6 +72,33 @@ if ($conn->connect_error) {
 }

 $bulkOpsModel = new BulkOperationsModel($conn);
+$ticketModel = new TicketModel($conn);
+
+// Verify user can access all tickets in the bulk operation
+// (Admins can access all, but this is defense-in-depth)
+$accessibleTicketIds = [];
+$inaccessibleCount = 0;
+$tickets = $ticketModel->getTicketsByIds($ticketIds);
+
+foreach ($ticketIds as $ticketId) {
+    $ticketId = trim($ticketId);
+    $ticket = $tickets[$ticketId] ?? null;
+
+    if ($ticket && $ticketModel->canUserAccessTicket($ticket, $_SESSION['user'])) {
+        $accessibleTicketIds[] = $ticketId;
+    } else {
+        $inaccessibleCount++;
+    }
+}
+
+if (empty($accessibleTicketIds)) {
+    $conn->close();
+    echo json_encode(['success' => false, 'error' => 'No accessible tickets in selection']);
+    exit;
+}
+
+// Use only accessible ticket IDs
+$ticketIds = $accessibleTicketIds;

 // Create bulk operation record
 $operationId = $bulkOpsModel->createBulkOperation($operationType, $ticketIds, $_SESSION['user']['user_id'], $parameters);
@@ -90,11 +120,16 @@ if (isset($result['error'])) {
        'error' => $result['error']
    ]);
 } else {
+    $message = "Bulk operation completed: {$result['processed']} succeeded, {$result['failed']} failed";
+    if ($inaccessibleCount > 0) {
+        $message .= " ($inaccessibleCount skipped - no access)";
+    }
    echo json_encode([
        'success' => true,
        'operation_id' => $operationId,
        'processed' => $result['processed'],
        'failed' => $result['failed'],
-        'message' => "Bulk operation completed: {$result['processed']} succeeded, {$result['failed']} failed"
+        'skipped' => $inaccessibleCount,
+        'message' => $message
    ]);
 }