Jared Vititoe
e7d01ef576
Returning 403 Forbidden leaks the existence of tickets to users who should not know about them. Use 404 Not Found consistently across all access-controlled endpoints to prevent enumeration. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
200 lines
7.7 KiB
PHP
200 lines
7.7 KiB
PHP
<?php
|
|
// Use absolute paths for model includes
|
|
require_once dirname(__DIR__) . '/models/TicketModel.php';
|
|
require_once dirname(__DIR__) . '/models/CommentModel.php';
|
|
require_once dirname(__DIR__) . '/models/AuditLogModel.php';
|
|
require_once dirname(__DIR__) . '/models/UserModel.php';
|
|
require_once dirname(__DIR__) . '/models/WorkflowModel.php';
|
|
require_once dirname(__DIR__) . '/models/TemplateModel.php';
|
|
require_once dirname(__DIR__) . '/helpers/UrlHelper.php';
|
|
require_once dirname(__DIR__) . '/helpers/NotificationHelper.php';
|
|
|
|
class TicketController {
|
|
private $ticketModel;
|
|
private $commentModel;
|
|
private $auditLogModel;
|
|
private $userModel;
|
|
private $workflowModel;
|
|
private $templateModel;
|
|
private $conn;
|
|
|
|
public function __construct($conn) {
|
|
$this->conn = $conn;
|
|
$this->ticketModel = new TicketModel($conn);
|
|
$this->commentModel = new CommentModel($conn);
|
|
$this->auditLogModel = new AuditLogModel($conn);
|
|
$this->userModel = new UserModel($conn);
|
|
$this->workflowModel = new WorkflowModel($conn);
|
|
$this->templateModel = new TemplateModel($conn);
|
|
}
|
|
|
|
public function view($id) {
|
|
// Get current user
|
|
$currentUser = $GLOBALS['currentUser'] ?? null;
|
|
$userId = $currentUser['user_id'] ?? null;
|
|
|
|
// Get ticket data
|
|
$ticket = $this->ticketModel->getTicketById($id);
|
|
|
|
if (!$ticket) {
|
|
header("HTTP/1.0 404 Not Found");
|
|
echo "Ticket not found";
|
|
return;
|
|
}
|
|
|
|
// Check visibility access — return 404 rather than 403 to avoid leaking ticket existence
|
|
if (!$this->ticketModel->canUserAccessTicket($ticket, $currentUser)) {
|
|
header("HTTP/1.0 404 Not Found");
|
|
echo "Ticket not found";
|
|
return;
|
|
}
|
|
|
|
// Get comments for this ticket using CommentModel
|
|
$comments = $this->commentModel->getCommentsByTicketId($id);
|
|
|
|
// Get timeline for this ticket
|
|
$timeline = $this->auditLogModel->getTicketTimeline($id);
|
|
|
|
// Get all users for assignment dropdown
|
|
$allUsers = $this->userModel->getAllUsers();
|
|
|
|
// Get allowed status transitions for this ticket
|
|
$allowedTransitions = $this->workflowModel->getAllowedTransitions($ticket['status']);
|
|
|
|
// Make $conn available to view for visibility groups
|
|
$conn = $this->conn;
|
|
|
|
// Load the view
|
|
include dirname(__DIR__) . '/views/TicketView.php';
|
|
}
|
|
|
|
public function create() {
|
|
// Get current user
|
|
$currentUser = $GLOBALS['currentUser'] ?? null;
|
|
$userId = $currentUser['user_id'] ?? null;
|
|
|
|
// Check if form was submitted
|
|
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
|
|
// Handle visibility groups (comes as array from checkboxes)
|
|
$visibilityGroups = null;
|
|
if (isset($_POST['visibility_groups']) && is_array($_POST['visibility_groups'])) {
|
|
$visibilityGroups = implode(',', array_map('trim', $_POST['visibility_groups']));
|
|
}
|
|
|
|
$ticketData = [
|
|
'title' => $_POST['title'] ?? '',
|
|
'description' => $_POST['description'] ?? '',
|
|
'priority' => $_POST['priority'] ?? '4',
|
|
'category' => $_POST['category'] ?? 'General',
|
|
'type' => $_POST['type'] ?? 'Issue',
|
|
'visibility' => $_POST['visibility'] ?? 'public',
|
|
'visibility_groups' => $visibilityGroups,
|
|
'assigned_to' => !empty($_POST['assigned_to']) ? $_POST['assigned_to'] : null
|
|
];
|
|
|
|
// Validate input
|
|
if (empty($ticketData['title'])) {
|
|
$error = "Title is required";
|
|
$templates = $this->templateModel->getAllTemplates();
|
|
$allUsers = $this->userModel->getAllUsers();
|
|
$conn = $this->conn; // Make $conn available to view
|
|
include dirname(__DIR__) . '/views/CreateTicketView.php';
|
|
return;
|
|
}
|
|
|
|
// Create ticket with user tracking
|
|
$result = $this->ticketModel->createTicket($ticketData, $userId);
|
|
|
|
if ($result['success']) {
|
|
// Log ticket creation to audit log
|
|
if (isset($GLOBALS['auditLog']) && $userId) {
|
|
$GLOBALS['auditLog']->logTicketCreate($userId, $result['ticket_id'], $ticketData);
|
|
}
|
|
|
|
// Send Matrix notification for new ticket
|
|
NotificationHelper::sendTicketNotification($result['ticket_id'], $ticketData, 'manual');
|
|
|
|
// Redirect to the new ticket
|
|
header("Location: " . $GLOBALS['config']['BASE_URL'] . "/ticket/" . $result['ticket_id']);
|
|
exit;
|
|
} else {
|
|
$error = $result['error'];
|
|
$templates = $this->templateModel->getAllTemplates();
|
|
$allUsers = $this->userModel->getAllUsers();
|
|
$conn = $this->conn; // Make $conn available to view
|
|
include dirname(__DIR__) . '/views/CreateTicketView.php';
|
|
return;
|
|
}
|
|
} else {
|
|
// Get all templates for the template selector
|
|
$templates = $this->templateModel->getAllTemplates();
|
|
// Get all users for assignment dropdown
|
|
$allUsers = $this->userModel->getAllUsers();
|
|
$conn = $this->conn; // Make $conn available to view
|
|
|
|
// Display the create ticket form
|
|
include dirname(__DIR__) . '/views/CreateTicketView.php';
|
|
}
|
|
}
|
|
|
|
public function update($id) {
|
|
// Get current user
|
|
$currentUser = $GLOBALS['currentUser'] ?? null;
|
|
$userId = $currentUser['user_id'] ?? null;
|
|
|
|
// Check if this is an AJAX request
|
|
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
|
|
// For AJAX requests, get JSON data
|
|
$input = file_get_contents('php://input');
|
|
$data = json_decode($input, true);
|
|
|
|
// Add ticket_id to the data
|
|
$data['ticket_id'] = $id;
|
|
|
|
// Validate input data
|
|
if (empty($data['title'])) {
|
|
header('Content-Type: application/json');
|
|
echo json_encode([
|
|
'success' => false,
|
|
'error' => 'Title cannot be empty'
|
|
]);
|
|
return;
|
|
}
|
|
|
|
// Update ticket with user tracking
|
|
// Pass expected_updated_at for optimistic locking if provided
|
|
$expectedUpdatedAt = $data['expected_updated_at'] ?? null;
|
|
$result = $this->ticketModel->updateTicket($data, $userId, $expectedUpdatedAt);
|
|
|
|
// Log ticket update to audit log
|
|
if ($result['success'] && isset($GLOBALS['auditLog']) && $userId) {
|
|
$GLOBALS['auditLog']->logTicketUpdate($userId, $id, $data);
|
|
}
|
|
|
|
// Return JSON response
|
|
header('Content-Type: application/json');
|
|
if ($result['success']) {
|
|
echo json_encode([
|
|
'success' => true,
|
|
'status' => $data['status']
|
|
]);
|
|
} else {
|
|
$response = [
|
|
'success' => false,
|
|
'error' => $result['error'] ?? 'Failed to update ticket'
|
|
];
|
|
if (!empty($result['conflict'])) {
|
|
$response['conflict'] = true;
|
|
$response['current_updated_at'] = $result['current_updated_at'] ?? null;
|
|
}
|
|
echo json_encode($response);
|
|
}
|
|
} else {
|
|
// For direct access, redirect to view
|
|
header("Location: " . $GLOBALS['config']['BASE_URL'] . "/ticket/$id");
|
|
exit;
|
|
}
|
|
}
|
|
|
|
}
|
|
?>
|