Jared Vititoe
89a685a502
Security fixes: - Add HTTP method validation to delete_comment.php (block CSRF via GET) - Remove $_GET fallback in comment deletion (was CSRF bypass vector) - Guard session_start() with session_status() check across API files - Escape json_encode() data attributes with htmlspecialchars in views - Escape inline APP_TIMEZONE config values in DashboardView/TicketView - Validate timezone param against DateTimeZone::listIdentifiers() in index.php - Remove Database::escape() (was using real_escape_string, not safe) - Fix AttachmentModel hardcoded connection; inject via constructor Backend fixes: - Fix CommentModel bind_param type for ticket_id (s→i) - Fix buildCommentThread orphan parent guard - Fix StatsModel JOIN→LEFT JOIN so unassigned tickets aren't excluded - Add ticket ID validation in BulkOperationsModel before implode() - Add duplicate key retry in TicketModel::createTicket() for race conditions - Wrap SavedFiltersModel default filter changes in transactions - Add null result guards in WorkflowModel query methods Frontend JS: - Rewrite toast.js as lt.toast shim (base.js dependency) - Delegate escapeHtml() to lt.escHtml() - Rewrite keyboard-shortcuts.js using lt.keys.on() - Migrate settings.js to lt.api.* and lt.modal.open/close() - Migrate advanced-search.js to lt.api.* and lt.modal.open/close() - Migrate dashboard.js fetch calls to lt.api.*; update all dynamic modals (bulk ops, quick actions, confirm/input) to lt-modal structure - Migrate ticket.js fetchMentionUsers to lt.api.get() - Remove console.log/error/warn calls from JS files Views: - Add /web_template/base.css and base.js to all 10 view files - Call lt.keys.initDefaults() in DashboardView, TicketView, admin views - Migrate all modal HTML from settings-modal/settings-content to lt-modal-overlay/lt-modal/lt-modal-header/lt-modal-body/lt-modal-footer - Replace style="display:none" with aria-hidden="true" on all modals - Replace modal open/close style.display with lt.modal.open/close() - Update modal buttons to lt-btn lt-btn-primary/lt-btn-ghost classes - Remove manual ESC keydown handlers (replaced by lt.keys.initDefaults) - Fix unescaped timezone values in TicketView inline script Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
143 lines
4.7 KiB
PHP
143 lines
4.7 KiB
PHP
<?php
|
|
/**
|
|
* Download Attachment API
|
|
*
|
|
* Serves file downloads for ticket attachments
|
|
*/
|
|
|
|
require_once dirname(__DIR__) . '/middleware/RateLimitMiddleware.php';
|
|
RateLimitMiddleware::apply('api');
|
|
|
|
require_once dirname(__DIR__) . '/config/config.php';
|
|
require_once dirname(__DIR__) . '/helpers/Database.php';
|
|
require_once dirname(__DIR__) . '/models/AttachmentModel.php';
|
|
require_once dirname(__DIR__) . '/models/TicketModel.php';
|
|
|
|
// Check authentication
|
|
if (!isset($_SESSION['user']) || !isset($_SESSION['user']['user_id'])) {
|
|
http_response_code(401);
|
|
header('Content-Type: application/json');
|
|
echo json_encode(['success' => false, 'error' => 'Authentication required']);
|
|
exit;
|
|
}
|
|
|
|
// Get attachment ID
|
|
$attachmentId = $_GET['id'] ?? null;
|
|
if (!$attachmentId || !is_numeric($attachmentId)) {
|
|
http_response_code(400);
|
|
header('Content-Type: application/json');
|
|
echo json_encode(['success' => false, 'error' => 'Valid attachment ID is required']);
|
|
exit;
|
|
}
|
|
|
|
$attachmentId = (int)$attachmentId;
|
|
|
|
try {
|
|
$attachmentModel = new AttachmentModel(Database::getConnection());
|
|
|
|
// Get attachment details
|
|
$attachment = $attachmentModel->getAttachment($attachmentId);
|
|
if (!$attachment) {
|
|
http_response_code(404);
|
|
header('Content-Type: application/json');
|
|
echo json_encode(['success' => false, 'error' => 'Attachment not found']);
|
|
exit;
|
|
}
|
|
|
|
// Verify the associated ticket exists and user has access
|
|
$conn = Database::getConnection();
|
|
|
|
$ticketModel = new TicketModel($conn);
|
|
$ticket = $ticketModel->getTicketById($attachment['ticket_id']);
|
|
|
|
if (!$ticket) {
|
|
http_response_code(404);
|
|
header('Content-Type: application/json');
|
|
echo json_encode(['success' => false, 'error' => 'Associated ticket not found']);
|
|
exit;
|
|
}
|
|
|
|
// Check if user has access to this ticket based on visibility settings
|
|
if (!$ticketModel->canUserAccessTicket($ticket, $_SESSION['user'])) {
|
|
http_response_code(403);
|
|
header('Content-Type: application/json');
|
|
echo json_encode(['success' => false, 'error' => 'Access denied to this ticket']);
|
|
exit;
|
|
}
|
|
|
|
$conn->close();
|
|
|
|
// Build file path
|
|
$uploadDir = $GLOBALS['config']['UPLOAD_DIR'] ?? dirname(__DIR__) . '/uploads';
|
|
$filePath = $uploadDir . '/' . $attachment['ticket_id'] . '/' . $attachment['filename'];
|
|
|
|
// Security: Verify the resolved path is within the uploads directory (prevent path traversal)
|
|
$realUploadDir = realpath($uploadDir);
|
|
$realFilePath = realpath($filePath);
|
|
|
|
if ($realFilePath === false || $realUploadDir === false || strpos($realFilePath, $realUploadDir) !== 0) {
|
|
http_response_code(403);
|
|
header('Content-Type: application/json');
|
|
echo json_encode(['success' => false, 'error' => 'Access denied']);
|
|
exit;
|
|
}
|
|
|
|
// Check if file exists
|
|
if (!file_exists($realFilePath)) {
|
|
http_response_code(404);
|
|
header('Content-Type: application/json');
|
|
echo json_encode(['success' => false, 'error' => 'File not found on server']);
|
|
exit;
|
|
}
|
|
|
|
// Use the validated real path
|
|
$filePath = $realFilePath;
|
|
|
|
// Determine if we should display inline or force download
|
|
$inline = isset($_GET['inline']) && $_GET['inline'] === '1';
|
|
$inlineTypes = ['image/jpeg', 'image/png', 'image/gif', 'image/webp', 'application/pdf', 'text/plain'];
|
|
|
|
// Set headers
|
|
$disposition = ($inline && in_array($attachment['mime_type'], $inlineTypes)) ? 'inline' : 'attachment';
|
|
|
|
// Sanitize filename for Content-Disposition
|
|
$safeFilename = preg_replace('/[^\w\s\-\.]/', '_', $attachment['original_filename']);
|
|
|
|
header('Content-Type: ' . $attachment['mime_type']);
|
|
header('Content-Disposition: ' . $disposition . '; filename="' . $safeFilename . '"');
|
|
header('Content-Length: ' . $attachment['file_size']);
|
|
header('Cache-Control: private, max-age=3600');
|
|
header('X-Content-Type-Options: nosniff');
|
|
|
|
// Prevent PHP from timing out on large files
|
|
set_time_limit(0);
|
|
|
|
// Clear output buffer
|
|
if (ob_get_level()) {
|
|
ob_end_clean();
|
|
}
|
|
|
|
// Stream file
|
|
$handle = fopen($filePath, 'rb');
|
|
if ($handle === false) {
|
|
http_response_code(500);
|
|
header('Content-Type: application/json');
|
|
echo json_encode(['success' => false, 'error' => 'Failed to open file']);
|
|
exit;
|
|
}
|
|
|
|
while (!feof($handle)) {
|
|
echo fread($handle, 8192);
|
|
flush();
|
|
}
|
|
|
|
fclose($handle);
|
|
exit;
|
|
|
|
} catch (Exception $e) {
|
|
http_response_code(500);
|
|
header('Content-Type: application/json');
|
|
echo json_encode(['success' => false, 'error' => 'Failed to download attachment']);
|
|
exit;
|
|
}
|