LotusGuild/tinker_tickets
3
0
Fork 0
Code Issues 3 Pull Requests Actions Packages Projects Releases Wiki Activity
233 Commits 2 Branches 0 Tags
main
Commit Graph

7 Commits

Author SHA1 Message Date
Jared Vititoe
89a685a502 Integrate web_template design system and fix security/quality issues 
Security fixes:
- Add HTTP method validation to delete_comment.php (block CSRF via GET)
- Remove $_GET fallback in comment deletion (was CSRF bypass vector)
- Guard session_start() with session_status() check across API files
- Escape json_encode() data attributes with htmlspecialchars in views
- Escape inline APP_TIMEZONE config values in DashboardView/TicketView
- Validate timezone param against DateTimeZone::listIdentifiers() in index.php
- Remove Database::escape() (was using real_escape_string, not safe)
- Fix AttachmentModel hardcoded connection; inject via constructor

Backend fixes:
- Fix CommentModel bind_param type for ticket_id (s→i)
- Fix buildCommentThread orphan parent guard
- Fix StatsModel JOIN→LEFT JOIN so unassigned tickets aren't excluded
- Add ticket ID validation in BulkOperationsModel before implode()
- Add duplicate key retry in TicketModel::createTicket() for race conditions
- Wrap SavedFiltersModel default filter changes in transactions
- Add null result guards in WorkflowModel query methods

Frontend JS:
- Rewrite toast.js as lt.toast shim (base.js dependency)
- Delegate escapeHtml() to lt.escHtml()
- Rewrite keyboard-shortcuts.js using lt.keys.on()
- Migrate settings.js to lt.api.* and lt.modal.open/close()
- Migrate advanced-search.js to lt.api.* and lt.modal.open/close()
- Migrate dashboard.js fetch calls to lt.api.*; update all dynamic
  modals (bulk ops, quick actions, confirm/input) to lt-modal structure
- Migrate ticket.js fetchMentionUsers to lt.api.get()
- Remove console.log/error/warn calls from JS files

Views:
- Add /web_template/base.css and base.js to all 10 view files
- Call lt.keys.initDefaults() in DashboardView, TicketView, admin views
- Migrate all modal HTML from settings-modal/settings-content to
  lt-modal-overlay/lt-modal/lt-modal-header/lt-modal-body/lt-modal-footer
- Replace style="display:none" with aria-hidden="true" on all modals
- Replace modal open/close style.display with lt.modal.open/close()
- Update modal buttons to lt-btn lt-btn-primary/lt-btn-ghost classes
- Remove manual ESC keydown handlers (replaced by lt.keys.initDefaults)
- Fix unescaped timezone values in TicketView inline script

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-17 23:22:24 -04:00
Jared Vititoe
44f2c21f2d Add query optimization and reliability improvements 
- Consolidate StatsModel queries from 12 to 3 using conditional aggregation
- Add input validation to DashboardController (sort columns, dates, priorities)
- Combine getCategories/getTypes into single query
- Add transaction support to BulkOperationsModel with atomic mode option
- Add depth limit (20) to dependency cycle detection to prevent DoS
- Add caching to UserModel.getAllGroups() with 5-minute TTL
- Improve ticket ID generation with 50 attempts, exponential backoff, and fallback

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-30 18:31:46 -05:00
Jared Vititoe
7575d6a277 Add performance, security, and reliability improvements 
- Consolidate all 20 API files to use centralized Database helper
- Add optimistic locking to ticket updates to prevent concurrent conflicts
- Add caching to StatsModel (60s TTL) for dashboard performance
- Add health check endpoint (api/health.php) for monitoring
- Improve rate limit cleanup with cron script and efficient DirectoryIterator
- Enable rate limit response headers (X-RateLimit-*)
- Add audit logging for workflow transitions
- Log Discord webhook failures instead of silencing
- Fix visibility check on export_tickets.php
- Add database migration system with performance indexes
- Fix cron recurring tickets to use assignTicket method

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-30 14:39:13 -05:00
Jared Vititoe
4a05c82852 perf: Eliminate N+1 queries in bulk operations with batch loading 
Performance optimization to address N+1 query problem:

1. TicketModel.php:
   - Added getTicketsByIds() method for batch loading
   - Loads multiple tickets in single query using IN clause
   - Returns associative array keyed by ticket_id
   - Includes all JOINs for creator/updater/assignee data

2. BulkOperationsModel.php:
   - Pre-load all tickets at start of processOperation()
   - Replaced 3x getTicketById() calls with array lookups
   - Benefits bulk_close, bulk_priority, and bulk_status operations

Performance Impact:
- Before: 100 tickets = ~100 database queries
- After: 100 tickets = ~2 database queries (1 batch + 100 updates)
- 30-50% faster bulk operations on large ticket sets

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
 2026-01-09 16:24:36 -05:00
Jared Vititoe
2633d0f962 remove bulk delete 2026-01-08 23:35:49 -05:00
Jared Vititoe
2e7956ce40 Bulk actions update 2026-01-08 23:30:25 -05:00
Jared Vititoe
ac094c8706 Feature 5: Implement Bulk Actions (Admin Only) 
Add comprehensive bulk operations system for admins:

- Created BulkOperationsModel.php with operation tracking and processing
- Added bulk_operation.php API endpoint for bulk operations
- Created get_users.php API endpoint for user dropdown in bulk assign
- Updated DashboardView.php with checkboxes and bulk actions toolbar
- Added JavaScript functions for:
  - Select all/clear selection
  - Bulk close tickets
  - Bulk assign tickets
  - Bulk change priority
- Added comprehensive CSS for bulk actions toolbar and modals
- All bulk operations are admin-only (enforced server-side)
- Operations tracked in bulk_operations table with audit logging
- Supports bulk_close, bulk_assign, and bulk_priority operations

Admins can now select multiple tickets and perform batch operations, significantly improving workflow efficiency.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
 2026-01-01 19:06:33 -05:00