tinker_tickets

LotusGuild/tinker_tickets

Fork 0

Commit Graph

Author	SHA1	Message	Date
jared	2e450dc01d	Apply web_template gap analysis improvements (P1-P3) P1-A: Fix CSP - add fonts.googleapis.com to style-src, fonts.gstatic.com to font-src P1-B: CSRF token rotation - add rotateToken() to CsrfMiddleware; bootstrap.php rotates after successful validation and stores in $GLOBALS['_new_csrf_token']; add apiRespond() helper to append token to responses; lt.api interceptor in layout_footer.php auto-updates window.CSRF_TOKEN from responses P1-C: Styled 403/404 error views with TDS layout instead of raw text; index.php now uses requireAdmin() helper eliminating 7 duplicated guard blocks (P3-D) P2-A: Remove duplicate JS-generated keyboard help modal from keyboard-shortcuts.js; '?' key now routes to static #lt-keys-help modal in footer P2-B: Asset versioning driven by config ASSET_VERSION key; base.css and base.js get ?v= cache-busting in layout_header.php P2-C: Add data-theme="dark" to <html> tag to prevent FOUC on light-mode users P2-E: Escape status value in dashboard.js hover preview class attribute via lt.escHtml() P2-F: Replace bespoke showLoadingOverlay() with lt-spinner / lt-loading-text from base.css; add .lt-loading-overlay wrapper CSS to dashboard.css P2-G: Add keyboard-shortcuts.js to all 7 admin views so J/K nav and ? help work P3-A: APP_NAME, APP_SUBTITLE, APP_VERSION driven from config.php; layout header/footer use config values instead of hardcoded strings P3-G: Replace custom initTableSorting() with lt.sortTable.init() which manages aria-sort Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-29 17:02:40 -04:00
jared	bcc163bc77	Audit fixes: security, dead code removal, API consolidation, JS dedup Security: - Fix IDOR in delete/update comment (add ticket visibility check) - XSS defense-in-depth in DashboardView active filters - Replace innerHTML with DOM construction in toast.js - Remove redundant real_escape_string in check_duplicates - Add rate limiting to get_template, download_attachment, audit_log, saved_filters, user_preferences endpoints Bug fixes: - Session timeout now reads from config instead of hardcoded 18000 - TicketController uses $GLOBALS['config'] instead of duplicate .env parsing - Add DISCORD_WEBHOOK_URL to centralized config - Cleanup script uses hashmap for O(1) ticket ID lookups Dead code removal (~100 lines): - Remove dead getTicketComments() from TicketModel (wrong bind_param type) - Remove dead getCategories()/getTypes() from DashboardController - Remove ~80 lines dead Discord webhook code from update_ticket API Consolidation: - Create api/bootstrap.php for shared API setup (auth, CSRF, rate limit) - Convert 6 API endpoints to use bootstrap - Extract escapeHtml/getTicketIdFromUrl into shared utils.js - Batch save for user preferences (1 request instead of 7) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-11 14:50:06 -05:00

Author

SHA1

Message

Date

jared

2e450dc01d

Apply web_template gap analysis improvements (P1-P3)

P1-A: Fix CSP - add fonts.googleapis.com to style-src, fonts.gstatic.com to font-src
P1-B: CSRF token rotation - add rotateToken() to CsrfMiddleware; bootstrap.php rotates
      after successful validation and stores in $GLOBALS['_new_csrf_token']; add
      apiRespond() helper to append token to responses; lt.api interceptor in
      layout_footer.php auto-updates window.CSRF_TOKEN from responses
P1-C: Styled 403/404 error views with TDS layout instead of raw text; index.php now
      uses requireAdmin() helper eliminating 7 duplicated guard blocks (P3-D)
P2-A: Remove duplicate JS-generated keyboard help modal from keyboard-shortcuts.js;
      '?' key now routes to static #lt-keys-help modal in footer
P2-B: Asset versioning driven by config ASSET_VERSION key; base.css and base.js get
      ?v= cache-busting in layout_header.php
P2-C: Add data-theme="dark" to <html> tag to prevent FOUC on light-mode users
P2-E: Escape status value in dashboard.js hover preview class attribute via lt.escHtml()
P2-F: Replace bespoke showLoadingOverlay() with lt-spinner / lt-loading-text from
      base.css; add .lt-loading-overlay wrapper CSS to dashboard.css
P2-G: Add keyboard-shortcuts.js to all 7 admin views so J/K nav and ? help work
P3-A: APP_NAME, APP_SUBTITLE, APP_VERSION driven from config.php; layout header/footer
      use config values instead of hardcoded strings
P3-G: Replace custom initTableSorting() with lt.sortTable.init() which manages aria-sort

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-03-29 17:02:40 -04:00

jared

bcc163bc77

Audit fixes: security, dead code removal, API consolidation, JS dedup

Security:
- Fix IDOR in delete/update comment (add ticket visibility check)
- XSS defense-in-depth in DashboardView active filters
- Replace innerHTML with DOM construction in toast.js
- Remove redundant real_escape_string in check_duplicates
- Add rate limiting to get_template, download_attachment, audit_log,
  saved_filters, user_preferences endpoints

Bug fixes:
- Session timeout now reads from config instead of hardcoded 18000
- TicketController uses $GLOBALS['config'] instead of duplicate .env parsing
- Add DISCORD_WEBHOOK_URL to centralized config
- Cleanup script uses hashmap for O(1) ticket ID lookups

Dead code removal (~100 lines):
- Remove dead getTicketComments() from TicketModel (wrong bind_param type)
- Remove dead getCategories()/getTypes() from DashboardController
- Remove ~80 lines dead Discord webhook code from update_ticket API

Consolidation:
- Create api/bootstrap.php for shared API setup (auth, CSRF, rate limit)
- Convert 6 API endpoints to use bootstrap
- Extract escapeHtml/getTicketIdFromUrl into shared utils.js
- Batch save for user preferences (1 request instead of 7)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-02-11 14:50:06 -05:00

2 Commits