Replace exception getMessage() exposure with generic error messages to prevent internal information disclosure. Errors are now logged with full details while clients receive sanitized responses. Affected endpoints: - add_comment, update_comment, delete_comment - update_ticket, export_tickets - generate_api_key, revoke_api_key - manage_templates, manage_workflows, manage_recurring - custom_fields, get_users Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
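<?php
/**
 * Get Users API
 *
 * Returns the list of users (user_id, username, display_name) as JSON for
 * @mentions autocomplete. Requires an authenticated session: responds with
 * 401 when there is none and with a generic 500 on any internal failure.
 *
 * NOTE(review): every authenticated session receives the full user list; no
 * role or scope check is visible in this file. Confirm that this is intended.
 */

// Never render PHP errors into the response body; reporting stays at E_ALL.
ini_set('display_errors', 0);
error_reporting(E_ALL);

require_once dirname(__DIR__) . '/middleware/RateLimitMiddleware.php';
RateLimitMiddleware::apply('api');

// Declare the content type before any branch can write a body, so the 401 and
// 500 responses are labelled as JSON as well instead of falling back to the
// default text/html. nosniff stops browsers from second-guessing that label
// (the payload carries user-chosen display names).
header('Content-Type: application/json');
header('X-Content-Type-Options: nosniff');

try {
    require_once dirname(__DIR__) . '/config/config.php';
    require_once dirname(__DIR__) . '/helpers/Database.php';

    // Check authentication (session already started by RateLimitMiddleware)
    if (!isset($_SESSION['user']['user_id'])) {
        http_response_code(401);
        echo json_encode(['success' => false, 'error' => 'Authentication required']);
        exit;
    }

    // Get all users for mentions/assignment. The statement is a constant
    // string with no request data in it, so there is nothing to parameterize.
    $result = Database::query("SELECT user_id, username, display_name FROM users ORDER BY display_name, username");

    if (!$result) {
        throw new Exception("Failed to query users");
    }

    // Copy only the three public columns so extra columns can never leak
    // into the response if the query is widened later.
    $users = [];
    while ($row = $result->fetch_assoc()) {
        $users[] = [
            'user_id' => $row['user_id'],
            'username' => $row['username'],
            'display_name' => $row['display_name'],
        ];
    }

    // json_encode() returns false on failure (for example a display_name that
    // is not valid UTF-8); echoing that would send an empty 200 response.
    $payload = json_encode(['success' => true, 'users' => $users]);
    if ($payload === false) {
        throw new Exception('Failed to encode users: ' . json_last_error_msg());
    }

    echo $payload;
} catch (Throwable $e) {
    // Throwable also covers engine errors (TypeError, Error), which
    // `catch (Exception)` would let through as an empty response.
    // Full detail goes to the server log only; the client gets a fixed,
    // generic message so internals are not disclosed.
    error_log("Get users API error: " . $e->getMessage());
    http_response_code(500);
    echo json_encode(['success' => false, 'error' => 'An internal error occurred']);
}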