Jared Vititoe
89a685a502
Security fixes: - Add HTTP method validation to delete_comment.php (block CSRF via GET) - Remove $_GET fallback in comment deletion (was CSRF bypass vector) - Guard session_start() with session_status() check across API files - Escape json_encode() data attributes with htmlspecialchars in views - Escape inline APP_TIMEZONE config values in DashboardView/TicketView - Validate timezone param against DateTimeZone::listIdentifiers() in index.php - Remove Database::escape() (was using real_escape_string, not safe) - Fix AttachmentModel hardcoded connection; inject via constructor Backend fixes: - Fix CommentModel bind_param type for ticket_id (s→i) - Fix buildCommentThread orphan parent guard - Fix StatsModel JOIN→LEFT JOIN so unassigned tickets aren't excluded - Add ticket ID validation in BulkOperationsModel before implode() - Add duplicate key retry in TicketModel::createTicket() for race conditions - Wrap SavedFiltersModel default filter changes in transactions - Add null result guards in WorkflowModel query methods Frontend JS: - Rewrite toast.js as lt.toast shim (base.js dependency) - Delegate escapeHtml() to lt.escHtml() - Rewrite keyboard-shortcuts.js using lt.keys.on() - Migrate settings.js to lt.api.* and lt.modal.open/close() - Migrate advanced-search.js to lt.api.* and lt.modal.open/close() - Migrate dashboard.js fetch calls to lt.api.*; update all dynamic modals (bulk ops, quick actions, confirm/input) to lt-modal structure - Migrate ticket.js fetchMentionUsers to lt.api.get() - Remove console.log/error/warn calls from JS files Views: - Add /web_template/base.css and base.js to all 10 view files - Call lt.keys.initDefaults() in DashboardView, TicketView, admin views - Migrate all modal HTML from settings-modal/settings-content to lt-modal-overlay/lt-modal/lt-modal-header/lt-modal-body/lt-modal-footer - Replace style="display:none" with aria-hidden="true" on all modals - Replace modal open/close style.display with lt.modal.open/close() - Update modal buttons to lt-btn lt-btn-primary/lt-btn-ghost classes - Remove manual ESC keydown handlers (replaced by lt.keys.initDefaults) - Fix unescaped timezone values in TicketView inline script Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
150 lines
4.6 KiB
PHP
150 lines
4.6 KiB
PHP
<?php
|
|
/**
|
|
* WorkflowModel - Handles status transition workflows and validation
|
|
*
|
|
* Uses caching for frequently accessed transition rules since they rarely change.
|
|
*/
|
|
require_once dirname(__DIR__) . '/helpers/CacheHelper.php';
|
|
|
|
class WorkflowModel {
|
|
private mysqli $conn;
|
|
private static string $CACHE_PREFIX = 'workflow';
|
|
private static int $CACHE_TTL = 600; // 10 minutes
|
|
|
|
public function __construct(mysqli $conn) {
|
|
$this->conn = $conn;
|
|
}
|
|
|
|
/**
|
|
* Get all active transitions (with caching)
|
|
*
|
|
* @return array All active transitions indexed by from_status
|
|
*/
|
|
private function getAllTransitions(): array {
|
|
return CacheHelper::remember(self::$CACHE_PREFIX, 'all_transitions', function() {
|
|
$sql = "SELECT from_status, to_status, requires_comment, requires_admin
|
|
FROM status_transitions
|
|
WHERE is_active = TRUE";
|
|
$result = $this->conn->query($sql);
|
|
|
|
if (!$result) {
|
|
return [];
|
|
}
|
|
|
|
$transitions = [];
|
|
while ($row = $result->fetch_assoc()) {
|
|
$from = $row['from_status'];
|
|
if (!isset($transitions[$from])) {
|
|
$transitions[$from] = [];
|
|
}
|
|
$transitions[$from][$row['to_status']] = [
|
|
'to_status' => $row['to_status'],
|
|
'requires_comment' => (bool)$row['requires_comment'],
|
|
'requires_admin' => (bool)$row['requires_admin']
|
|
];
|
|
}
|
|
|
|
return $transitions;
|
|
}, self::$CACHE_TTL);
|
|
}
|
|
|
|
/**
|
|
* Get allowed status transitions for a given status
|
|
*
|
|
* @param string $currentStatus Current ticket status
|
|
* @return array Array of allowed transitions with requirements
|
|
*/
|
|
public function getAllowedTransitions(string $currentStatus): array {
|
|
$allTransitions = $this->getAllTransitions();
|
|
|
|
if (!isset($allTransitions[$currentStatus])) {
|
|
return [];
|
|
}
|
|
|
|
return array_values($allTransitions[$currentStatus]);
|
|
}
|
|
|
|
/**
|
|
* Check if a status transition is allowed
|
|
*
|
|
* @param string $fromStatus Current status
|
|
* @param string $toStatus Desired status
|
|
* @param bool $isAdmin Whether user is admin
|
|
* @return bool True if transition is allowed
|
|
*/
|
|
public function isTransitionAllowed(string $fromStatus, string $toStatus, bool $isAdmin = false): bool {
|
|
// Allow same status (no change)
|
|
if ($fromStatus === $toStatus) {
|
|
return true;
|
|
}
|
|
|
|
$allTransitions = $this->getAllTransitions();
|
|
|
|
if (!isset($allTransitions[$fromStatus][$toStatus])) {
|
|
return false; // Transition not defined
|
|
}
|
|
|
|
$transition = $allTransitions[$fromStatus][$toStatus];
|
|
|
|
if ($transition['requires_admin'] && !$isAdmin) {
|
|
return false; // Admin required
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
/**
|
|
* Get all possible statuses from transitions table
|
|
*
|
|
* @return array Array of unique status values
|
|
*/
|
|
public function getAllStatuses(): array {
|
|
return CacheHelper::remember(self::$CACHE_PREFIX, 'all_statuses', function() {
|
|
$sql = "SELECT DISTINCT from_status as status FROM status_transitions
|
|
UNION
|
|
SELECT DISTINCT to_status as status FROM status_transitions
|
|
ORDER BY status";
|
|
$result = $this->conn->query($sql);
|
|
|
|
if (!$result) {
|
|
return [];
|
|
}
|
|
|
|
$statuses = [];
|
|
while ($row = $result->fetch_assoc()) {
|
|
$statuses[] = $row['status'];
|
|
}
|
|
|
|
return $statuses;
|
|
}, self::$CACHE_TTL);
|
|
}
|
|
|
|
/**
|
|
* Get transition requirements
|
|
*
|
|
* @param string $fromStatus Current status
|
|
* @param string $toStatus Desired status
|
|
* @return array|null Transition requirements or null if not found
|
|
*/
|
|
public function getTransitionRequirements(string $fromStatus, string $toStatus): ?array {
|
|
$allTransitions = $this->getAllTransitions();
|
|
|
|
if (!isset($allTransitions[$fromStatus][$toStatus])) {
|
|
return null;
|
|
}
|
|
|
|
$transition = $allTransitions[$fromStatus][$toStatus];
|
|
return [
|
|
'requires_comment' => $transition['requires_comment'],
|
|
'requires_admin' => $transition['requires_admin']
|
|
];
|
|
}
|
|
|
|
/**
|
|
* Clear workflow cache (call when transitions are modified)
|
|
*/
|
|
public static function clearCache(): void {
|
|
CacheHelper::delete(self::$CACHE_PREFIX);
|
|
}
|
|
}
|