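<?php

declare(strict_types=1);

/**
 * Ticket update endpoint.
 *
 * Reads `ticket_id` plus any of `status`, `priority`, `helper_id` from a JSON
 * request body (falling back to form-encoded POST fields) and applies the
 * subset of changes the authenticated user's role permits:
 *   - 'user'    : may only close a ticket they own (status is forced to 'closed')
 *   - 'curator' : may change status, priority and (re)assign helper_id (0 = unassign)
 *   - any other role (the comments below call it 'helper'): status and priority
 *
 * Always answers with a JSON object, either `{"success": true}` or
 * `{"error": "..."}`; error responses also carry a matching HTTP status so a
 * client does not have to parse the body to detect failure.
 */

require_once __DIR__ . '/../auth.php';

// requireAuth() and db() are provided by auth.php. requireAuth() is relied on
// to end the request itself when there is no valid session — nothing below
// re-checks that $user is populated.
$user = requireAuth();

// Emit one JSON response and stop. A closure rather than a named function so
// this file cannot collide with a helper of the same name declared in auth.php.
$respond = static function (int $httpStatus, array $payload): void {
    http_response_code($httpStatus);
    header('Content-Type: application/json; charset=utf-8');
    echo json_encode($payload, JSON_UNESCAPED_UNICODE);
    exit;
};

// NOTE(review): this endpoint changes state, so it should only be reachable
// via a non-GET method and be covered by whatever CSRF defence auth.php
// applies to the session — confirm that before relying on requireAuth() alone.

// Prefer a JSON body; fall back to a traditional form POST when the body is
// empty, not valid JSON, or not an object/array (a bare JSON scalar would
// otherwise be indexed like an array below). file_get_contents() may return
// false, which must not reach json_decode() under strict_types.
$rawBody = file_get_contents('php://input');
$input = null;
if (is_string($rawBody) && $rawBody !== '') {
    $input = json_decode($rawBody, true);
}
if (!is_array($input) || $input === []) {
    $input = $_POST;
}

$ticketId = $input['ticket_id'] ?? null;
$status   = $input['status'] ?? null;
$priority = $input['priority'] ?? null;
$helperId = $input['helper_id'] ?? null;

// JSON lets a client send arrays/objects where a scalar is expected; a nested
// array would make PDO's execute() fail half-way through the updates below, so
// reject it up front.
$fields = [
    'ticket_id' => $ticketId,
    'status'    => $status,
    'priority'  => $priority,
    'helper_id' => $helperId,
];
foreach ($fields as $fieldName => $fieldValue) {
    if ($fieldValue !== null && !is_scalar($fieldValue)) {
        $respond(400, ['error' => "Invalid {$fieldName}"]);
    }
}

if ($ticketId === null || $ticketId === '') {
    $respond(400, ['error' => 'Missing ticket_id']);
}

// Fetch ticket
$stmt = db()->prepare('SELECT * FROM tickets WHERE id = ?');
$stmt->execute([$ticketId]);
$ticket = $stmt->fetch();

if (!$ticket) {
    $respond(404, ['error' => 'Ticket not found']);
}

// Check access: plain users may only touch their own tickets. Compared as
// strings because PDO may hand back ids as strings while the session may hold
// ints; strict comparison on the raw values would wrongly deny access.
if ($user['role'] === 'user' && (string) $ticket['user_id'] !== (string) $user['id']) {
    $respond(403, ['error' => 'Access denied']);
}

// For users, only closing is allowed. The status is written as a literal so
// the submitted value can never influence the query.
if ($user['role'] === 'user') {
    if ($status !== 'closed') {
        $respond(403, ['error' => 'Only closing is allowed for users']);
    }
    $stmt = db()->prepare("UPDATE tickets SET status = 'closed' WHERE id = ?");
    $stmt->execute([$ticketId]);
    $respond(200, ['success' => true]);
}

// Only curators may (re)assign the helper; 0 means "unassign". An empty string
// (an untouched form field) is treated as "not provided". Validate before any
// UPDATE runs so a bad helper_id cannot leave a half-applied change.
$helperValue = null;
$assignHelper = $helperId !== null && $helperId !== '' && $user['role'] === 'curator';
if ($assignHelper) {
    $helperValue = filter_var($helperId, FILTER_VALIDATE_INT);
    if ($helperValue === false) {
        $respond(400, ['error' => 'Invalid helper_id']);
    }
}

// For helpers and curators, allow everything.
// NOTE(review): status and priority are stored exactly as submitted; if the
// columns are not constrained by the schema, validate them against the
// allowed set here rather than trusting the client. Also confirm requireAuth()
// only issues the roles handled above — any unknown role reaches this point
// with helper-level rights.
if ($status !== null && $status !== '') {
    $stmt = db()->prepare('UPDATE tickets SET status = ? WHERE id = ?');
    $stmt->execute([$status, $ticketId]);
}

if ($priority !== null && $priority !== '') {
    $stmt = db()->prepare('UPDATE tickets SET priority = ? WHERE id = ?');
    $stmt->execute([$priority, $ticketId]);
}

if ($assignHelper) {
    $stmt = db()->prepare('UPDATE tickets SET helper_id = ? WHERE id = ?');
    $stmt->execute([$helperValue === 0 ? null : $helperValue, $ticketId]);
}

$respond(200, ['success' => true]);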