jared 55c2d5c596 Fix visibility bypass in export and insecure cookie in preferences ...

api/export_tickets.php: getAllTickets() was called without $currentUser,
so visibility filtering was skipped — any authenticated user could export
all tickets including confidential/internal ones.

api/user_preferences.php: the single-preference setcookie() call was
missing httponly/secure flags (batch path had them correctly). Also cast
preference values to string before passing to setPreference(string).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-04-11 14:29:09 -04:00

..

add_comment.php

Fix leading-zero ticket ID handling across API and UI

2026-04-11 12:43:18 -04:00

assign_ticket.php

Fix ticket ID handling in assign and delete_attachment APIs

2026-04-11 13:31:10 -04:00

audit_log.php

Fix CSS variables, missing utility classes, API hardening, and audit log UX

2026-03-28 13:22:12 -04:00

bootstrap.php

Apply web_template gap analysis improvements (P1-P3)

2026-03-29 17:02:40 -04:00

bulk_operation.php

Implement bulk_delete operation; validate operation types

2026-04-11 12:53:53 -04:00

check_duplicates.php

Fix visibility enforcement and register missing API routes

2026-03-20 21:39:02 -04:00

clone_ticket.php

Fix leading-zero ticket ID in clone_ticket.php

2026-04-11 13:02:49 -04:00

custom_fields.php

Fix session_start guards, add missing API routes, rewrite README

2026-04-05 17:52:07 -04:00

delete_attachment.php

Fix ticket ID handling in assign and delete_attachment APIs

2026-04-11 13:31:10 -04:00

delete_comment.php

Security/correctness: visibility filtering, Content-Type headers, group validation

2026-03-29 18:23:16 -04:00

download_attachment.php

Fix path traversal, closed-connection, and ticket ID validation bugs

2026-04-05 17:57:36 -04:00

export_tickets.php

Fix visibility bypass in export and insecure cookie in preferences

2026-04-11 14:29:09 -04:00

generate_api_key.php

Fix session_start guards, add missing API routes, rewrite README

2026-04-05 17:52:07 -04:00

get_comments.php

feat: comment pagination, Matrix integration, Synapse mention resolution

2026-03-29 21:34:16 -04:00

get_template.php

Fix session_start guards, add missing API routes, rewrite README

2026-04-05 17:52:07 -04:00

get_users.php

Audit fixes: security, dead code removal, API consolidation, JS dedup

2026-02-11 14:50:06 -05:00

health.php

Add performance, security, and reliability improvements

2026-01-30 14:39:13 -05:00

manage_recurring.php

Fix recurring ticket schedule edge cases in API and model

2026-04-05 18:16:41 -04:00

manage_templates.php

Fix session_start guards, add missing API routes, rewrite README

2026-04-05 17:52:07 -04:00

manage_workflows.php

Add comment skeleton loaders, workflow validation, monthly schedule fix

2026-04-05 18:09:53 -04:00

notifications.php

Fix notifications not detecting comment events

2026-04-11 13:45:04 -04:00

revoke_api_key.php

Fix session_start guards, add missing API routes, rewrite README

2026-04-05 17:52:07 -04:00

saved_filters.php

fix: CSRF token staleness causing intermittent 403 on POST actions

2026-03-30 19:01:18 -04:00

ticket_dependencies.php

Security: add authorization checks to ticket_dependencies API

2026-03-29 18:26:01 -04:00

update_comment.php

Security/correctness: visibility filtering, Content-Type headers, group validation

2026-03-29 18:23:16 -04:00

update_ticket.php

Fix leading-zero ticket ID handling across API and UI

2026-04-11 12:43:18 -04:00

upload_attachment.php

Fix path traversal, closed-connection, and ticket ID validation bugs

2026-04-05 17:57:36 -04:00

user_avatar.php

fix: ldap_get_entries returns raw binary, remove incorrect base64 decode

2026-03-28 20:53:49 -04:00

user_preferences.php

Fix visibility bypass in export and insecure cookie in preferences

2026-04-11 14:29:09 -04:00

watch_ticket.php

fix: watcher avatars, dependency TDS styling, asset versions, nav dropdown light theme

2026-04-04 12:02:30 -04:00