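false, 'error' => 'Not authenticated']); exit; }

// ---------------------------------------------------------------------------
// User-preferences JSON endpoint.
//
//   GET    -> all preferences for the authenticated user
//   POST   -> set one preference  (body: {"key": ..., "value": ...})
//   DELETE -> remove one preference (body: {"key": ...})
//
// Every response is a JSON object with a boolean "success" and, on failure,
// a generic "error" string. Exception details are never echoed to the client.
// The authentication check that guards this script starts above this chunk.
// ---------------------------------------------------------------------------

// CSRF Protection: state-changing methods must present a valid token in the
// X-CSRF-Token header. GET is read-only and is deliberately left unchecked.
require_once dirname(__DIR__) . '/middleware/CsrfMiddleware.php';

$method = $_SERVER['REQUEST_METHOD'];

if ($method === 'POST' || $method === 'DELETE') {
    $csrfToken = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
    if (!CsrfMiddleware::validateToken($csrfToken)) {
        http_response_code(403);
        echo json_encode(['success' => false, 'error' => 'Invalid CSRF token']);
        exit;
    }
}

$userId = $_SESSION['user']['user_id'];

// Use centralized database connection
$conn = Database::getConnection();
$prefsModel = new UserPreferencesModel($conn);

// Allowlist of preference keys this endpoint will read or write. It is shared
// by POST and DELETE so that no request can address a key outside this set
// (previously only POST was validated).
$validKeys = [
    'rows_per_page',
    'default_status_filters',
    'table_density',
    'notifications_enabled',
    'sound_effects',
    'toast_duration',
];

// Decode the JSON request body. Returns null for anything that is not a JSON
// object (invalid JSON, a scalar, a bare list) so callers can treat every
// malformed body uniformly instead of indexing into a non-array.
$readJsonBody = static function (): ?array {
    $raw = file_get_contents('php://input');
    if ($raw === false || $raw === '') {
        return null;
    }
    $decoded = json_decode($raw, true);
    return is_array($decoded) ? $decoded : null;
};

// Normalise and validate a preference key from the request body. Returns the
// trimmed key when it is a string in the allowlist, otherwise null. Keys must
// be strings: trim() on an array would throw a TypeError and surface as a 500
// rather than a clean 400, and in_array() is strict to avoid loose-comparison
// surprises.
$validateKey = static function ($candidate) use ($validKeys): ?string {
    if (!is_string($candidate)) {
        return null;
    }
    $key = trim($candidate);
    return in_array($key, $validKeys, true) ? $key : null;
};

// GET - Fetch all preferences for user
if ($method === 'GET') {
    try {
        $prefs = $prefsModel->getUserPreferences($userId);
        echo json_encode(['success' => true, 'preferences' => $prefs]);
    } catch (Exception $e) {
        http_response_code(500);
        echo json_encode(['success' => false, 'error' => 'Failed to fetch preferences']);
    }
    exit;
}

// POST - Update a preference
if ($method === 'POST') {
    $data = $readJsonBody();

    if ($data === null || !isset($data['key']) || !isset($data['value'])) {
        http_response_code(400);
        echo json_encode(['success' => false, 'error' => 'Missing key or value']);
        exit;
    }

    $key = $validateKey($data['key']);
    if ($key === null) {
        http_response_code(400);
        echo json_encode(['success' => false, 'error' => 'Invalid preference key']);
        exit;
    }

    $value = $data['value'];

    // rows_per_page is mirrored into a cookie below and setcookie() accepts
    // only scalars; reject anything else before touching the database so a
    // bad value cannot be persisted and then crash the cookie write.
    if ($key === 'rows_per_page' && !is_scalar($value)) {
        http_response_code(400);
        echo json_encode(['success' => false, 'error' => 'Invalid preference value']);
        exit;
    }

    try {
        $success = $prefsModel->setPreference($userId, $key, $value);

        // Also update cookie for rows_per_page for backwards compatibility.
        // NOTE(review): this cookie carries no HttpOnly/Secure/SameSite flags;
        // it holds a non-secret display setting, but confirm whether the legacy
        // reader needs JS access before tightening it.
        if ($key === 'rows_per_page') {
            setcookie('ticketsPerPage', (string) $value, time() + (86400 * 365), '/');
        }

        echo json_encode(['success' => $success]);
    } catch (Exception $e) {
        http_response_code(500);
        // Generic on purpose: never leak $e->getMessage() to the client.
        echo json_encode(['success' => false, 'error' => 'Failed to save preference']);
    }
    exit;
}

// DELETE - Delete a preference (optional endpoint)
if ($method === 'DELETE') {
    $data = $readJsonBody();

    if ($data === null || !isset($data['key'])) {
        http_response_code(400);
        echo json_encode(['success' => false, 'error' => 'Missing key']);
        exit;
    }

    // Apply the same allowlist as POST: a client must not be able to delete
    // (or probe for) arbitrary keys the UI never writes.
    $key = $validateKey($data['key']);
    if ($key === null) {
        http_response_code(400);
        echo json_encode(['success' => false, 'error' => 'Invalid preference key']);
        exit;
    }

    try {
        $success = $prefsModel->deletePreference($userId, $key);
        echo json_encode(['success' => $success]);
    } catch (Exception $e) {
        http_response_code(500);
        echo json_encode(['success' => false, 'error' => 'Failed to delete preference']);
    }
    exit;
}

// Method not allowed (every handled method has already exited above).
http_response_code(405);
echo json_encode(['success' => false, 'error' => 'Method not allowed']);
$conn->close();
?>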