jared
47b70b0ee8
assign_ticket.php: preserve string ticket ID (ctype_digit validation) instead of (int) cast for consistent audit logging and URL generation. delete_attachment.php: use string ticket_id from DB for the upload directory path — (int) cast was stripping leading zeros, causing the wrong path (/uploads/123456/) instead of /uploads/000123456/. Also pass raw string to getTicketById() to let TicketModel handle type coercion. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
121 lines
4.1 KiB
PHP
121 lines
4.1 KiB
PHP
<?php
|
|
/**
|
|
* Delete Attachment API
|
|
*
|
|
* Handles deletion of ticket attachments
|
|
*/
|
|
|
|
// Capture errors for debugging
|
|
ini_set('display_errors', 0);
|
|
error_reporting(E_ALL);
|
|
|
|
// Apply rate limiting (also starts session)
|
|
require_once dirname(__DIR__) . '/middleware/RateLimitMiddleware.php';
|
|
RateLimitMiddleware::apply('api');
|
|
|
|
// Ensure session is started
|
|
if (session_status() === PHP_SESSION_NONE) {
|
|
session_start();
|
|
}
|
|
|
|
require_once dirname(__DIR__) . '/config/config.php';
|
|
require_once dirname(__DIR__) . '/helpers/Database.php';
|
|
require_once dirname(__DIR__) . '/helpers/ResponseHelper.php';
|
|
require_once dirname(__DIR__) . '/models/AttachmentModel.php';
|
|
require_once dirname(__DIR__) . '/models/AuditLogModel.php';
|
|
require_once dirname(__DIR__) . '/models/TicketModel.php';
|
|
require_once dirname(__DIR__) . '/middleware/CsrfMiddleware.php';
|
|
|
|
header('Content-Type: application/json');
|
|
|
|
// Check authentication
|
|
if (!isset($_SESSION['user']) || !isset($_SESSION['user']['user_id'])) {
|
|
ResponseHelper::unauthorized();
|
|
}
|
|
|
|
// Only accept DELETE or POST requests
|
|
if (!in_array($_SERVER['REQUEST_METHOD'], ['DELETE', 'POST'])) {
|
|
ResponseHelper::error('Method not allowed', 405);
|
|
}
|
|
|
|
// Get request body
|
|
$input = json_decode(file_get_contents('php://input'), true);
|
|
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
|
|
$input = array_merge($_POST, $input ?? []);
|
|
}
|
|
|
|
// Verify CSRF token
|
|
$csrfToken = $input['csrf_token'] ?? $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
|
|
if (!CsrfMiddleware::validateToken($csrfToken)) {
|
|
ResponseHelper::forbidden('Invalid CSRF token');
|
|
}
|
|
|
|
// Get attachment ID
|
|
$attachmentId = isset($input['attachment_id']) ? (int)$input['attachment_id'] : 0;
|
|
if ($attachmentId <= 0 || (string)$attachmentId !== (string)($input['attachment_id'] ?? '')) {
|
|
ResponseHelper::error('Valid attachment ID is required');
|
|
}
|
|
|
|
try {
|
|
$attachmentModel = new AttachmentModel(Database::getConnection());
|
|
|
|
// Get attachment details
|
|
$attachment = $attachmentModel->getAttachment($attachmentId);
|
|
if (!$attachment) {
|
|
ResponseHelper::notFound('Attachment not found');
|
|
}
|
|
|
|
// Verify user can access the parent ticket
|
|
$ticketModel = new TicketModel(Database::getConnection());
|
|
$ticket = $ticketModel->getTicketById($attachment['ticket_id']);
|
|
if (!$ticket || !$ticketModel->canUserAccessTicket($ticket, $_SESSION['user'])) {
|
|
ResponseHelper::notFound('Attachment not found');
|
|
}
|
|
|
|
// Check permission (must be uploader or admin)
|
|
$isAdmin = $_SESSION['user']['is_admin'] ?? false;
|
|
if (!$attachmentModel->canUserDelete($attachmentId, $_SESSION['user']['user_id'], $isAdmin)) {
|
|
ResponseHelper::forbidden('You do not have permission to delete this attachment');
|
|
}
|
|
|
|
// Delete the file — use realpath() to prevent path traversal
|
|
$uploadDir = realpath($GLOBALS['config']['UPLOAD_DIR'] ?? dirname(__DIR__) . '/uploads');
|
|
$filePath = $uploadDir . '/' . $attachment['ticket_id'] . '/' . $attachment['filename'];
|
|
$realPath = realpath($filePath);
|
|
|
|
if ($realPath !== false) {
|
|
// Ensure the resolved path is still inside the upload directory
|
|
if (strncmp($realPath, $uploadDir . DIRECTORY_SEPARATOR, strlen($uploadDir) + 1) !== 0) {
|
|
ResponseHelper::forbidden('Access denied');
|
|
}
|
|
if (!unlink($realPath)) {
|
|
ResponseHelper::serverError('Failed to delete file');
|
|
}
|
|
}
|
|
|
|
// Delete from database
|
|
if (!$attachmentModel->deleteAttachment($attachmentId)) {
|
|
ResponseHelper::serverError('Failed to delete attachment record');
|
|
}
|
|
|
|
// Log the deletion
|
|
$conn = Database::getConnection();
|
|
$auditLog = new AuditLogModel($conn);
|
|
$auditLog->log(
|
|
$_SESSION['user']['user_id'],
|
|
'attachment_delete',
|
|
'ticket_attachments',
|
|
(string)$attachmentId,
|
|
[
|
|
'ticket_id' => $attachment['ticket_id'],
|
|
'filename' => $attachment['original_filename'],
|
|
'size' => $attachment['file_size']
|
|
]
|
|
);
|
|
|
|
ResponseHelper::success([], 'Attachment deleted successfully');
|
|
|
|
} catch (Exception $e) {
|
|
ResponseHelper::serverError('Failed to delete attachment');
|
|
}
|