Merge branch 'development'

assign_ticket.php: preserve string ticket ID (ctype_digit validation)
  instead of (int) cast for consistent audit logging and URL generation.

delete_attachment.php: use string ticket_id from DB for the upload
  directory path — (int) cast was stripping leading zeros, causing
  the wrong path (/uploads/123456/) instead of /uploads/000123456/.
  Also pass raw string to getTicketById() to let TicketModel handle
  type coercion.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

api/assign_ticket.php

@@ -14,14 +14,15 @@ if (!is_array($data)) {
     exit;
 }
 
-$ticketId = isset($data['ticket_id']) ? (int)$data['ticket_id'] : 0;
+$ticketIdRaw = isset($data['ticket_id']) ? trim((string)$data['ticket_id']) : '';
 $assignedTo = $data['assigned_to'] ?? null;
 
-if ($ticketId <= 0) {
+if (!ctype_digit($ticketIdRaw) || (int)$ticketIdRaw <= 0) {
     http_response_code(400);
     echo json_encode(['success' => false, 'error' => 'Ticket ID required']);
     exit;
 }
+$ticketId = $ticketIdRaw;
 
 $ticketModel = new TicketModel($conn);
 $auditLogModel = new AuditLogModel($conn);

api/delete_attachment.php

@@ -67,7 +67,7 @@ try {
 
     // Verify user can access the parent ticket
     $ticketModel = new TicketModel(Database::getConnection());
-    $ticket = $ticketModel->getTicketById((int)$attachment['ticket_id']);
+    $ticket = $ticketModel->getTicketById($attachment['ticket_id']);
     if (!$ticket || !$ticketModel->canUserAccessTicket($ticket, $_SESSION['user'])) {
         ResponseHelper::notFound('Attachment not found');
     }
@@ -80,7 +80,7 @@ try {
 
     // Delete the file — use realpath() to prevent path traversal
     $uploadDir = realpath($GLOBALS['config']['UPLOAD_DIR'] ?? dirname(__DIR__) . '/uploads');
-    $filePath  = $uploadDir . '/' . (int)$attachment['ticket_id'] . '/' . $attachment['filename'];
+    $filePath  = $uploadDir . '/' . $attachment['ticket_id'] . '/' . $attachment['filename'];
     $realPath  = realpath($filePath);
 
     if ($realPath !== false) {