Jared Vititoe
fa9d9dfe0f
- Add CSRF validation to update_ticket.php - Add CSRF validation to add_comment.php - Add CSRF validation to bulk_operation.php - All POST/PUT requests now require valid CSRF token Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
103 lines
3.0 KiB
PHP
103 lines
3.0 KiB
PHP
<?php
|
|
// Disable error display in the output
|
|
ini_set('display_errors', 0);
|
|
error_reporting(E_ALL);
|
|
|
|
// Start output buffering to capture any errors
|
|
ob_start();
|
|
|
|
try {
|
|
// Include required files with proper error handling
|
|
$configPath = dirname(__DIR__) . '/config/config.php';
|
|
$commentModelPath = dirname(__DIR__) . '/models/CommentModel.php';
|
|
$auditLogModelPath = dirname(__DIR__) . '/models/AuditLogModel.php';
|
|
|
|
if (!file_exists($configPath)) {
|
|
throw new Exception("Config file not found: $configPath");
|
|
}
|
|
|
|
if (!file_exists($commentModelPath)) {
|
|
throw new Exception("CommentModel file not found: $commentModelPath");
|
|
}
|
|
|
|
require_once $configPath;
|
|
require_once $commentModelPath;
|
|
require_once $auditLogModelPath;
|
|
|
|
// Check authentication via session
|
|
session_start();
|
|
if (!isset($_SESSION['user']) || !isset($_SESSION['user']['user_id'])) {
|
|
throw new Exception("Authentication required");
|
|
}
|
|
|
|
// CSRF Protection
|
|
require_once dirname(__DIR__) . '/middleware/CsrfMiddleware.php';
|
|
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
|
|
$csrfToken = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
|
|
if (!CsrfMiddleware::validateToken($csrfToken)) {
|
|
http_response_code(403);
|
|
header('Content-Type: application/json');
|
|
echo json_encode(['success' => false, 'error' => 'Invalid CSRF token']);
|
|
exit;
|
|
}
|
|
}
|
|
|
|
$currentUser = $_SESSION['user'];
|
|
$userId = $currentUser['user_id'];
|
|
|
|
// Create database connection
|
|
$conn = new mysqli(
|
|
$GLOBALS['config']['DB_HOST'],
|
|
$GLOBALS['config']['DB_USER'],
|
|
$GLOBALS['config']['DB_PASS'],
|
|
$GLOBALS['config']['DB_NAME']
|
|
);
|
|
|
|
if ($conn->connect_error) {
|
|
throw new Exception("Database connection failed: " . $conn->connect_error);
|
|
}
|
|
|
|
// Get POST data
|
|
$data = json_decode(file_get_contents('php://input'), true);
|
|
|
|
if (!$data) {
|
|
throw new Exception("Invalid JSON data received");
|
|
}
|
|
|
|
$ticketId = $data['ticket_id'];
|
|
|
|
// Initialize models
|
|
$commentModel = new CommentModel($conn);
|
|
$auditLog = new AuditLogModel($conn);
|
|
|
|
// Add comment with user tracking
|
|
$result = $commentModel->addComment($ticketId, $data, $userId);
|
|
|
|
// Log comment creation to audit log
|
|
if ($result['success'] && isset($result['comment_id'])) {
|
|
$auditLog->logCommentCreate($userId, $result['comment_id'], $ticketId);
|
|
}
|
|
|
|
// Add user display name to result for frontend
|
|
if ($result['success']) {
|
|
$result['user_name'] = $currentUser['display_name'] ?? $currentUser['username'];
|
|
}
|
|
|
|
// Discard any unexpected output
|
|
ob_end_clean();
|
|
|
|
// Return JSON response
|
|
header('Content-Type: application/json');
|
|
echo json_encode($result);
|
|
|
|
} catch (Exception $e) {
|
|
// Discard any unexpected output
|
|
ob_end_clean();
|
|
|
|
// Return error response
|
|
header('Content-Type: application/json');
|
|
echo json_encode([
|
|
'success' => false,
|
|
'error' => $e->getMessage()
|
|
]);
|
|
} |