Jared Vititoe
89a685a502
Security fixes: - Add HTTP method validation to delete_comment.php (block CSRF via GET) - Remove $_GET fallback in comment deletion (was CSRF bypass vector) - Guard session_start() with session_status() check across API files - Escape json_encode() data attributes with htmlspecialchars in views - Escape inline APP_TIMEZONE config values in DashboardView/TicketView - Validate timezone param against DateTimeZone::listIdentifiers() in index.php - Remove Database::escape() (was using real_escape_string, not safe) - Fix AttachmentModel hardcoded connection; inject via constructor Backend fixes: - Fix CommentModel bind_param type for ticket_id (s→i) - Fix buildCommentThread orphan parent guard - Fix StatsModel JOIN→LEFT JOIN so unassigned tickets aren't excluded - Add ticket ID validation in BulkOperationsModel before implode() - Add duplicate key retry in TicketModel::createTicket() for race conditions - Wrap SavedFiltersModel default filter changes in transactions - Add null result guards in WorkflowModel query methods Frontend JS: - Rewrite toast.js as lt.toast shim (base.js dependency) - Delegate escapeHtml() to lt.escHtml() - Rewrite keyboard-shortcuts.js using lt.keys.on() - Migrate settings.js to lt.api.* and lt.modal.open/close() - Migrate advanced-search.js to lt.api.* and lt.modal.open/close() - Migrate dashboard.js fetch calls to lt.api.*; update all dynamic modals (bulk ops, quick actions, confirm/input) to lt-modal structure - Migrate ticket.js fetchMentionUsers to lt.api.get() - Remove console.log/error/warn calls from JS files Views: - Add /web_template/base.css and base.js to all 10 view files - Call lt.keys.initDefaults() in DashboardView, TicketView, admin views - Migrate all modal HTML from settings-modal/settings-content to lt-modal-overlay/lt-modal/lt-modal-header/lt-modal-body/lt-modal-footer - Replace style="display:none" with aria-hidden="true" on all modals - Replace modal open/close style.display with lt.modal.open/close() - Update modal buttons to lt-btn lt-btn-primary/lt-btn-ghost classes - Remove manual ESC keydown handlers (replaced by lt.keys.initDefaults) - Fix unescaped timezone values in TicketView inline script Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
225 lines
8.1 KiB
PHP
225 lines
8.1 KiB
PHP
<?php
|
|
// Enable error reporting for debugging
|
|
error_reporting(E_ALL);
|
|
ini_set('display_errors', 0); // Don't display errors in the response
|
|
|
|
// Apply rate limiting
|
|
require_once dirname(__DIR__) . '/middleware/RateLimitMiddleware.php';
|
|
RateLimitMiddleware::apply('api');
|
|
|
|
// Start output buffering to capture any errors
|
|
ob_start();
|
|
|
|
try {
|
|
// Load config
|
|
$configPath = dirname(__DIR__) . '/config/config.php';
|
|
require_once $configPath;
|
|
require_once dirname(__DIR__) . '/helpers/Database.php';
|
|
|
|
// Load models directly with absolute paths
|
|
$ticketModelPath = dirname(__DIR__) . '/models/TicketModel.php';
|
|
$commentModelPath = dirname(__DIR__) . '/models/CommentModel.php';
|
|
$auditLogModelPath = dirname(__DIR__) . '/models/AuditLogModel.php';
|
|
$workflowModelPath = dirname(__DIR__) . '/models/WorkflowModel.php';
|
|
|
|
require_once $ticketModelPath;
|
|
require_once $commentModelPath;
|
|
require_once $auditLogModelPath;
|
|
require_once $workflowModelPath;
|
|
|
|
// Check authentication via session
|
|
if (session_status() === PHP_SESSION_NONE) {
|
|
session_start();
|
|
}
|
|
if (!isset($_SESSION['user']) || !isset($_SESSION['user']['user_id'])) {
|
|
throw new Exception("Authentication required");
|
|
}
|
|
|
|
// CSRF Protection
|
|
require_once dirname(__DIR__) . '/middleware/CsrfMiddleware.php';
|
|
if ($_SERVER['REQUEST_METHOD'] === 'POST' || $_SERVER['REQUEST_METHOD'] === 'PUT') {
|
|
$csrfToken = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
|
|
if (!CsrfMiddleware::validateToken($csrfToken)) {
|
|
http_response_code(403);
|
|
header('Content-Type: application/json');
|
|
echo json_encode(['success' => false, 'error' => 'Invalid CSRF token']);
|
|
exit;
|
|
}
|
|
}
|
|
|
|
$currentUser = $_SESSION['user'];
|
|
$userId = $currentUser['user_id'];
|
|
$isAdmin = $currentUser['is_admin'] ?? false;
|
|
|
|
// Updated controller class that handles partial updates
|
|
class ApiTicketController {
|
|
private $ticketModel;
|
|
private $commentModel;
|
|
private $auditLog;
|
|
private $workflowModel;
|
|
private $userId;
|
|
private $isAdmin;
|
|
|
|
public function __construct($conn, $userId = null, $isAdmin = false) {
|
|
$this->ticketModel = new TicketModel($conn);
|
|
$this->commentModel = new CommentModel($conn);
|
|
$this->auditLog = new AuditLogModel($conn);
|
|
$this->workflowModel = new WorkflowModel($conn);
|
|
$this->userId = $userId;
|
|
$this->isAdmin = $isAdmin;
|
|
}
|
|
|
|
public function update($id, $data) {
|
|
// First, get the current ticket data to fill in missing fields
|
|
$currentTicket = $this->ticketModel->getTicketById($id);
|
|
if (!$currentTicket) {
|
|
return [
|
|
'success' => false,
|
|
'error' => 'Ticket not found'
|
|
];
|
|
}
|
|
|
|
// Merge current data with updates, keeping existing values for missing fields
|
|
$updateData = [
|
|
'ticket_id' => $id,
|
|
'title' => $data['title'] ?? $currentTicket['title'],
|
|
'description' => $data['description'] ?? $currentTicket['description'],
|
|
'category' => $data['category'] ?? $currentTicket['category'],
|
|
'type' => $data['type'] ?? $currentTicket['type'],
|
|
'status' => $data['status'] ?? $currentTicket['status'],
|
|
'priority' => isset($data['priority']) ? (int)$data['priority'] : (int)$currentTicket['priority']
|
|
];
|
|
|
|
// Validate required fields
|
|
if (empty($updateData['title'])) {
|
|
return [
|
|
'success' => false,
|
|
'error' => 'Title cannot be empty'
|
|
];
|
|
}
|
|
|
|
// Validate priority range
|
|
if ($updateData['priority'] < 1 || $updateData['priority'] > 5) {
|
|
return [
|
|
'success' => false,
|
|
'error' => 'Priority must be between 1 and 5'
|
|
];
|
|
}
|
|
|
|
// Validate status transition using workflow model
|
|
if ($currentTicket['status'] !== $updateData['status']) {
|
|
$allowed = $this->workflowModel->isTransitionAllowed(
|
|
$currentTicket['status'],
|
|
$updateData['status'],
|
|
$this->isAdmin
|
|
);
|
|
|
|
if (!$allowed) {
|
|
return [
|
|
'success' => false,
|
|
'error' => 'Status transition not allowed: ' . $currentTicket['status'] . ' → ' . $updateData['status']
|
|
];
|
|
}
|
|
}
|
|
|
|
// Update ticket with user tracking and optional optimistic locking
|
|
$expectedUpdatedAt = $data['expected_updated_at'] ?? null;
|
|
$result = $this->ticketModel->updateTicket($updateData, $this->userId, $expectedUpdatedAt);
|
|
|
|
// Handle conflict case
|
|
if (!$result['success']) {
|
|
$response = [
|
|
'success' => false,
|
|
'error' => $result['error'] ?? 'Failed to update ticket in database'
|
|
];
|
|
if (!empty($result['conflict'])) {
|
|
$response['conflict'] = true;
|
|
$response['current_updated_at'] = $result['current_updated_at'] ?? null;
|
|
}
|
|
return $response;
|
|
}
|
|
|
|
// Handle visibility update if provided
|
|
if (isset($data['visibility'])) {
|
|
$visibilityGroups = $data['visibility_groups'] ?? null;
|
|
// Convert array to comma-separated string if needed
|
|
if (is_array($visibilityGroups)) {
|
|
$visibilityGroups = implode(',', array_map('trim', $visibilityGroups));
|
|
}
|
|
|
|
// Validate internal visibility requires groups
|
|
if ($data['visibility'] === 'internal' && (empty($visibilityGroups) || trim($visibilityGroups) === '')) {
|
|
return [
|
|
'success' => false,
|
|
'error' => 'Internal visibility requires at least one group to be specified'
|
|
];
|
|
}
|
|
|
|
$this->ticketModel->updateVisibility($id, $data['visibility'], $visibilityGroups, $this->userId);
|
|
}
|
|
|
|
// Log ticket update to audit log
|
|
if ($this->userId) {
|
|
$this->auditLog->logTicketUpdate($this->userId, $id, $data);
|
|
}
|
|
|
|
return [
|
|
'success' => true,
|
|
'status' => $updateData['status'],
|
|
'priority' => $updateData['priority'],
|
|
'message' => 'Ticket updated successfully'
|
|
];
|
|
}
|
|
}
|
|
|
|
// Use centralized database connection
|
|
$conn = Database::getConnection();
|
|
|
|
// Check request method
|
|
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
|
|
throw new Exception("Method not allowed. Expected POST, got " . $_SERVER['REQUEST_METHOD']);
|
|
}
|
|
|
|
// Get POST data
|
|
$input = file_get_contents('php://input');
|
|
$data = json_decode($input, true);
|
|
|
|
if (!$data) {
|
|
throw new Exception("Invalid JSON data received: " . $input);
|
|
}
|
|
|
|
if (!isset($data['ticket_id'])) {
|
|
throw new Exception("Missing ticket_id parameter");
|
|
}
|
|
|
|
$ticketId = (int)$data['ticket_id'];
|
|
|
|
// Initialize controller
|
|
$controller = new ApiTicketController($conn, $userId, $isAdmin);
|
|
|
|
// Update ticket
|
|
$result = $controller->update($ticketId, $data);
|
|
|
|
// Discard any output that might have been generated
|
|
ob_end_clean();
|
|
|
|
// Return response
|
|
header('Content-Type: application/json');
|
|
echo json_encode($result);
|
|
|
|
} catch (Exception $e) {
|
|
// Discard any output that might have been generated
|
|
ob_end_clean();
|
|
|
|
// Log error details but don't expose to client
|
|
error_log("Update ticket API error: " . $e->getMessage());
|
|
|
|
// Return error response
|
|
header('Content-Type: application/json');
|
|
http_response_code(500);
|
|
echo json_encode([
|
|
'success' => false,
|
|
'error' => 'An internal error occurred'
|
|
]);
|
|
}
|
|
?>
|