- delete_attachment.php: check canUserAccessTicket() before allowing deletion; return 404 (not 403) for inaccessible tickets to prevent existence leakage
- upload_attachment.php: verify ticket access on both GET (list) and POST (upload) before processing
- update_ticket.php: pass currentUser to controller; add canUserAccessTicket() check before permission check; return 404 for inaccessible tickets instead of leaking existence via 403

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
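The ordering the commit message describes, written out as a runnable illustration. This is an added example, not code from the project: the `canUserAccessTicket()` name comes from the message, but its body, the `canUserUpdateTicket()` permission check, the `handleUpdateTicket()` handler, the `TICKETS` table and the user records are all assumptions constructed for the demonstration. The point it shows is that the access check runs first and collapses "no such ticket" and "not your ticket" into the same 404, while the permission check only runs for tickets the user can already see, so its 403 reveals nothing new.

```php
<?php
// Added example (not the project's code). Shows access check -> 404 before
// permission check -> 403, so a 403 can never confirm that a ticket exists.
// Every name except canUserAccessTicket() is a hypothetical stand-in.

declare(strict_types=1);

// Constructed sample data standing in for the tickets table.
const TICKETS = [
    101 => ['owner_id' => 1, 'org_id' => 10],
    202 => ['owner_id' => 2, 'org_id' => 20],
];

// Hypothetical rule: a user may see a ticket only inside their own org.
// An unknown ticket and a foreign-org ticket both return false, so the caller
// cannot tell them apart.
function canUserAccessTicket(array $user, int $ticketId): bool
{
    if (!isset(TICKETS[$ticketId])) {
        return false;
    }
    return TICKETS[$ticketId]['org_id'] === $user['org_id'];
}

// Hypothetical permission rule, only ever evaluated for an accessible ticket:
// agents may update anything in their org, customers only their own tickets.
function canUserUpdateTicket(array $user, int $ticketId): bool
{
    $ticket = TICKETS[$ticketId];
    return $user['role'] === 'agent' || $ticket['owner_id'] === $user['id'];
}

// Returns [status, body] rather than calling http_response_code() so the
// logic can be exercised from the CLI without a web server.
function handleUpdateTicket(array $currentUser, int $ticketId): array
{
    if (!canUserAccessTicket($currentUser, $ticketId)) {
        // Same response for "does not exist" and "not yours": no existence oracle.
        return [404, 'Not found'];
    }
    if (!canUserUpdateTicket($currentUser, $ticketId)) {
        // The user can already see this ticket, so a 403 leaks nothing extra.
        return [403, 'Forbidden'];
    }
    return [200, 'Updated'];
}

// Constructed users exercising each branch.
$agent    = ['id' => 9, 'org_id' => 10, 'role' => 'agent'];
$owner    = ['id' => 1, 'org_id' => 10, 'role' => 'customer'];
$coworker = ['id' => 3, 'org_id' => 10, 'role' => 'customer'];
$outsider = ['id' => 2, 'org_id' => 20, 'role' => 'customer'];

$cases = [
    [$outsider, 101], // other org's ticket -> 404
    [$outsider, 999], // nonexistent ticket -> 404, indistinguishable from above
    [$coworker, 101], // visible but not permitted -> 403
    [$owner,    101], // owner -> 200
    [$agent,    101], // agent in org -> 200
];

foreach ($cases as [$user, $ticketId]) {
    [$status, $body] = handleUpdateTicket($user, $ticketId);
    printf("user=%d ticket=%d -> %d %s\n", $user['id'], $ticketId, $status, $body);
}
```

Run it with `php example.php`. The two outsider cases print identical responses, which is the property the commit is after: an attacker iterating ticket IDs from another org learns nothing from the status code. Reversing the two checks, or returning 403 from the first one, would turn the endpoint back into an ID enumeration oracle.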
7.2 KiB