Jared Vititoe
27075a62ee
CSS fixes: - Fix [ ] brackets appearing below button text by replacing display:inline-flex with display:inline-block + white-space:nowrap on .btn — removes cross-browser flex pseudo-element inconsistency as root cause - Remove conflicting .btn::before ripple block (position:absolute was overriding bracket content positioning) - Remove overflow:hidden from .btn which was clipping bracket content - Fix body::after duplicate rule causing GPU layer blink (second position:fixed rule re-created compositor layer, overriding display:none suppression) - Replace all transition:all with scoped property transitions in dashboard.css, ticket.css, base.css (prevents full CSS property evaluation on every hover) - Convert pulse-warning/pulse-critical keyframes from box-shadow to opacity animation (GPU-composited, eliminates CPU repaints at 60fps) - Fix mobile *::before/*::after blanket content:none rule — now targets only decorative frame glyphs, preserving button brackets and status indicators - Remove --terminal-green-dim override that broke .lt-btn hover backgrounds JS fixes: - Fix all lt.lt.toast.* double-prefix instances in dashboard.js - Add null guard before .appendChild() on bulkAssignUser select - Replace all remaining emoji with terminal bracket notation (dashboard.js, ticket.js, markdown.js) - Migrate all toast.*() shim calls to lt.toast.* across all JS files View fixes: - Remove hardcoded [ ] brackets from .btn buttons (CSS now adds them) - Replace all emoji with terminal bracket notation in all views and admin views - Add missing CSP nonces to AuditLogView.php and UserActivityView.php script tags - Bump CSS version strings to ?v=20260319b for cache busting Security fixes: - update_ticket.php: add authorization check (non-admins can only edit their own or assigned tickets) - add_comment.php: validate and cast ticket_id to integer with 400 response - clone_ticket.php: fix unconditional session_start(), add ticket ID validation, add internal ticket access check - bulk_operation.php: add HTTP 401/403 status codes on auth failures - upload_attachment.php: fix missing $conn arg in AttachmentModel constructor - assign_ticket.php: add ticket existence check and permission verification Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
236 lines
8.5 KiB
PHP
236 lines
8.5 KiB
PHP
<?php
|
|
// Enable error reporting for debugging
|
|
error_reporting(E_ALL);
|
|
ini_set('display_errors', 0); // Don't display errors in the response
|
|
|
|
// Apply rate limiting
|
|
require_once dirname(__DIR__) . '/middleware/RateLimitMiddleware.php';
|
|
RateLimitMiddleware::apply('api');
|
|
|
|
// Start output buffering to capture any errors
|
|
ob_start();
|
|
|
|
try {
|
|
// Load config
|
|
$configPath = dirname(__DIR__) . '/config/config.php';
|
|
require_once $configPath;
|
|
require_once dirname(__DIR__) . '/helpers/Database.php';
|
|
|
|
// Load models directly with absolute paths
|
|
$ticketModelPath = dirname(__DIR__) . '/models/TicketModel.php';
|
|
$commentModelPath = dirname(__DIR__) . '/models/CommentModel.php';
|
|
$auditLogModelPath = dirname(__DIR__) . '/models/AuditLogModel.php';
|
|
$workflowModelPath = dirname(__DIR__) . '/models/WorkflowModel.php';
|
|
|
|
require_once $ticketModelPath;
|
|
require_once $commentModelPath;
|
|
require_once $auditLogModelPath;
|
|
require_once $workflowModelPath;
|
|
|
|
// Check authentication via session
|
|
if (session_status() === PHP_SESSION_NONE) {
|
|
session_start();
|
|
}
|
|
if (!isset($_SESSION['user']) || !isset($_SESSION['user']['user_id'])) {
|
|
throw new Exception("Authentication required");
|
|
}
|
|
|
|
// CSRF Protection
|
|
require_once dirname(__DIR__) . '/middleware/CsrfMiddleware.php';
|
|
if ($_SERVER['REQUEST_METHOD'] === 'POST' || $_SERVER['REQUEST_METHOD'] === 'PUT') {
|
|
$csrfToken = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
|
|
if (!CsrfMiddleware::validateToken($csrfToken)) {
|
|
http_response_code(403);
|
|
header('Content-Type: application/json');
|
|
echo json_encode(['success' => false, 'error' => 'Invalid CSRF token']);
|
|
exit;
|
|
}
|
|
}
|
|
|
|
$currentUser = $_SESSION['user'];
|
|
$userId = $currentUser['user_id'];
|
|
$isAdmin = $currentUser['is_admin'] ?? false;
|
|
|
|
// Updated controller class that handles partial updates
|
|
class ApiTicketController {
|
|
private $ticketModel;
|
|
private $commentModel;
|
|
private $auditLog;
|
|
private $workflowModel;
|
|
private $userId;
|
|
private $isAdmin;
|
|
|
|
public function __construct($conn, $userId = null, $isAdmin = false) {
|
|
$this->ticketModel = new TicketModel($conn);
|
|
$this->commentModel = new CommentModel($conn);
|
|
$this->auditLog = new AuditLogModel($conn);
|
|
$this->workflowModel = new WorkflowModel($conn);
|
|
$this->userId = $userId;
|
|
$this->isAdmin = $isAdmin;
|
|
}
|
|
|
|
public function update($id, $data) {
|
|
// First, get the current ticket data to fill in missing fields
|
|
$currentTicket = $this->ticketModel->getTicketById($id);
|
|
if (!$currentTicket) {
|
|
return [
|
|
'success' => false,
|
|
'error' => 'Ticket not found'
|
|
];
|
|
}
|
|
|
|
// Authorization: admins can edit any ticket; others only their own or assigned
|
|
if (!$this->isAdmin
|
|
&& $currentTicket['created_by'] != $this->userId
|
|
&& $currentTicket['assigned_to'] != $this->userId
|
|
) {
|
|
return [
|
|
'success' => false,
|
|
'error' => 'Permission denied'
|
|
];
|
|
}
|
|
|
|
// Merge current data with updates, keeping existing values for missing fields
|
|
$updateData = [
|
|
'ticket_id' => $id,
|
|
'title' => $data['title'] ?? $currentTicket['title'],
|
|
'description' => $data['description'] ?? $currentTicket['description'],
|
|
'category' => $data['category'] ?? $currentTicket['category'],
|
|
'type' => $data['type'] ?? $currentTicket['type'],
|
|
'status' => $data['status'] ?? $currentTicket['status'],
|
|
'priority' => isset($data['priority']) ? (int)$data['priority'] : (int)$currentTicket['priority']
|
|
];
|
|
|
|
// Validate required fields
|
|
if (empty($updateData['title'])) {
|
|
return [
|
|
'success' => false,
|
|
'error' => 'Title cannot be empty'
|
|
];
|
|
}
|
|
|
|
// Validate priority range
|
|
if ($updateData['priority'] < 1 || $updateData['priority'] > 5) {
|
|
return [
|
|
'success' => false,
|
|
'error' => 'Priority must be between 1 and 5'
|
|
];
|
|
}
|
|
|
|
// Validate status transition using workflow model
|
|
if ($currentTicket['status'] !== $updateData['status']) {
|
|
$allowed = $this->workflowModel->isTransitionAllowed(
|
|
$currentTicket['status'],
|
|
$updateData['status'],
|
|
$this->isAdmin
|
|
);
|
|
|
|
if (!$allowed) {
|
|
return [
|
|
'success' => false,
|
|
'error' => 'Status transition not allowed: ' . $currentTicket['status'] . ' → ' . $updateData['status']
|
|
];
|
|
}
|
|
}
|
|
|
|
// Update ticket with user tracking and optional optimistic locking
|
|
$expectedUpdatedAt = $data['expected_updated_at'] ?? null;
|
|
$result = $this->ticketModel->updateTicket($updateData, $this->userId, $expectedUpdatedAt);
|
|
|
|
// Handle conflict case
|
|
if (!$result['success']) {
|
|
$response = [
|
|
'success' => false,
|
|
'error' => $result['error'] ?? 'Failed to update ticket in database'
|
|
];
|
|
if (!empty($result['conflict'])) {
|
|
$response['conflict'] = true;
|
|
$response['current_updated_at'] = $result['current_updated_at'] ?? null;
|
|
}
|
|
return $response;
|
|
}
|
|
|
|
// Handle visibility update if provided
|
|
if (isset($data['visibility'])) {
|
|
$visibilityGroups = $data['visibility_groups'] ?? null;
|
|
// Convert array to comma-separated string if needed
|
|
if (is_array($visibilityGroups)) {
|
|
$visibilityGroups = implode(',', array_map('trim', $visibilityGroups));
|
|
}
|
|
|
|
// Validate internal visibility requires groups
|
|
if ($data['visibility'] === 'internal' && (empty($visibilityGroups) || trim($visibilityGroups) === '')) {
|
|
return [
|
|
'success' => false,
|
|
'error' => 'Internal visibility requires at least one group to be specified'
|
|
];
|
|
}
|
|
|
|
$this->ticketModel->updateVisibility($id, $data['visibility'], $visibilityGroups, $this->userId);
|
|
}
|
|
|
|
// Log ticket update to audit log
|
|
if ($this->userId) {
|
|
$this->auditLog->logTicketUpdate($this->userId, $id, $data);
|
|
}
|
|
|
|
return [
|
|
'success' => true,
|
|
'status' => $updateData['status'],
|
|
'priority' => $updateData['priority'],
|
|
'message' => 'Ticket updated successfully'
|
|
];
|
|
}
|
|
}
|
|
|
|
// Use centralized database connection
|
|
$conn = Database::getConnection();
|
|
|
|
// Check request method
|
|
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
|
|
throw new Exception("Method not allowed. Expected POST, got " . $_SERVER['REQUEST_METHOD']);
|
|
}
|
|
|
|
// Get POST data
|
|
$input = file_get_contents('php://input');
|
|
$data = json_decode($input, true);
|
|
|
|
if (!$data) {
|
|
throw new Exception("Invalid JSON data received: " . $input);
|
|
}
|
|
|
|
if (!isset($data['ticket_id'])) {
|
|
throw new Exception("Missing ticket_id parameter");
|
|
}
|
|
|
|
$ticketId = (int)$data['ticket_id'];
|
|
|
|
// Initialize controller
|
|
$controller = new ApiTicketController($conn, $userId, $isAdmin);
|
|
|
|
// Update ticket
|
|
$result = $controller->update($ticketId, $data);
|
|
|
|
// Discard any output that might have been generated
|
|
ob_end_clean();
|
|
|
|
// Return response
|
|
header('Content-Type: application/json');
|
|
echo json_encode($result);
|
|
|
|
} catch (Exception $e) {
|
|
// Discard any output that might have been generated
|
|
ob_end_clean();
|
|
|
|
// Log error details but don't expose to client
|
|
error_log("Update ticket API error: " . $e->getMessage());
|
|
|
|
// Return error response
|
|
header('Content-Type: application/json');
|
|
http_response_code(500);
|
|
echo json_encode([
|
|
'success' => false,
|
|
'error' => 'An internal error occurred'
|
|
]);
|
|
}
|
|
?>
|