jared f709e98bd3 Security: add authorization checks to ticket_dependencies API ...

- POST /ticket_dependencies: verify user can access both the source
  ticket and the target ticket before creating a dependency
- DELETE by ticket IDs: verify user can access source ticket; also
  validate dependency_type against the allowed whitelist
- DELETE by dependency_id: look up dependency's ticket before deletion
  and verify user can access it, preventing IDOR
- custom_fields.php: validate json_decode returns an array on POST/PUT;
  add http_response_code(400) to all error responses

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-03-29 18:26:01 -04:00

..

add_comment.php

Security/correctness: visibility filtering, Content-Type headers, group validation

2026-03-29 18:23:16 -04:00

assign_ticket.php

Fix loose comparisons, missing response codes, and session handling

2026-03-29 17:39:46 -04:00

audit_log.php

Fix CSS variables, missing utility classes, API hardening, and audit log UX

2026-03-28 13:22:12 -04:00

bootstrap.php

Apply web_template gap analysis improvements (P1-P3)

2026-03-29 17:02:40 -04:00

bulk_operation.php

Fix type safety and TDS class naming issues

2026-03-28 22:29:28 -04:00

check_duplicates.php

Fix visibility enforcement and register missing API routes

2026-03-20 21:39:02 -04:00

clone_ticket.php

Security/correctness: visibility filtering, Content-Type headers, group validation

2026-03-29 18:23:16 -04:00

custom_fields.php

Security: add authorization checks to ticket_dependencies API

2026-03-29 18:26:01 -04:00

delete_attachment.php

Fix bind_param type mismatches and integer validation

2026-03-28 22:33:48 -04:00

delete_comment.php

Security/correctness: visibility filtering, Content-Type headers, group validation

2026-03-29 18:23:16 -04:00

download_attachment.php

Fix bind_param type mismatches and integer validation

2026-03-28 22:33:48 -04:00

export_tickets.php

Fix loose comparisons, missing response codes, and session handling

2026-03-29 17:39:46 -04:00

generate_api_key.php

Fix error message disclosure in API endpoints

2026-01-30 18:56:29 -05:00

get_template.php

Fix bind_param type mismatches and integer validation

2026-03-28 22:33:48 -04:00

get_users.php

Audit fixes: security, dead code removal, API consolidation, JS dedup

2026-02-11 14:50:06 -05:00

health.php

Add performance, security, and reliability improvements

2026-01-30 14:39:13 -05:00

manage_recurring.php

Fix bind_param type mismatches and integer validation

2026-03-28 22:33:48 -04:00

manage_templates.php

Harden attachment deletion and template CRUD validation

2026-03-28 13:41:22 -04:00

manage_workflows.php

Fix bind_param type mismatches and integer validation

2026-03-28 22:33:48 -04:00

revoke_api_key.php

Fix error message disclosure in API endpoints

2026-01-30 18:56:29 -05:00

saved_filters.php

Audit fixes: security, dead code removal, API consolidation, JS dedup

2026-02-11 14:50:06 -05:00

ticket_dependencies.php

Security: add authorization checks to ticket_dependencies API

2026-03-29 18:26:01 -04:00

update_comment.php

Security/correctness: visibility filtering, Content-Type headers, group validation

2026-03-29 18:23:16 -04:00

update_ticket.php

Fix loose comparisons in authorization checks

2026-03-28 22:35:48 -04:00

upload_attachment.php

Fix file upload security, bind_param mismatch, and cookie flags

2026-03-29 18:14:18 -04:00

user_avatar.php

fix: ldap_get_entries returns raw binary, remove incorrect base64 decode

2026-03-28 20:53:49 -04:00

user_preferences.php

Fix file upload security, bind_param mismatch, and cookie flags

2026-03-29 18:14:18 -04:00