tp_servicedesk/app/controllers/CommentController.php

<?php
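class CommentController {
    use CheckCSRF;

    /**
     * Add a new comment to a ticket.
     *
     * Expects POST data: comment (text).
     * Route: POST /ticket/@id/comment
     *
     * Requires a logged-in session and a valid CSRF token (verified through the
     * CheckCSRF trait before any write happens). In every outcome the user is
     * redirected back to the ticket page; failures leave a message in SESSION.error.
     *
     * NOTE(review): nothing here confirms that the ticket exists or that the
     * current user is allowed to see / comment on it — the only guard is whatever
     * FK the ticket_comments table may have. Add a ticket lookup plus a permission
     * check once the ticket access rules are available in this controller.
     *
     * @param \Base $f3 Fat-Free instance (request, session and DB access).
     */
    public function create($f3) {
        if (!$f3->exists('SESSION.user')) {
            $f3->reroute('/login');
            return; // reroute() halts by default; the return is a belt-and-braces guard
        }

        // CSRF must be verified before any state change.
        $this->checkCSRF($f3, '/ticket/' . $f3->get('PARAMS.id'));

        $ticket_id = (int) $f3->get('PARAMS.id');
        $comment_text = $f3->get('POST.comment');
        $current_user_id = $f3->get('SESSION.user.id');

        // Reject missing, non-string (e.g. comment[]=...) or whitespace-only input.
        // Deliberately not empty(): empty('0') is true and would silently drop a
        // legitimate comment consisting of "0".
        if (!is_string($comment_text) || trim($comment_text) === '') {
            $f3->set('SESSION.error', 'ticket not updated. No content');
            $f3->reroute('/ticket/' . $ticket_id);
            return;
        }

        // Parameterised insert: user-controlled text is never interpolated into SQL.
        $db = $f3->get('DB');
        $db->exec(
            'INSERT INTO ticket_comments (ticket_id, comment, created_by, created_at)
             VALUES (?, ?, ?, NOW())',
            [$ticket_id, $comment_text, $current_user_id]
        );
        $f3->reroute('/ticket/' . $ticket_id);
    }

    /**
     * Soft-delete an existing comment (sets ticket_comments.deleted = 1).
     *
     * Route: /ticket/@id/comment/@comment_id/delete
     *
     * Only the comment's author may delete it; an admin override is still a TODO.
     * The comment is looked up scoped to the ticket id in the URL, so a comment id
     * belonging to another ticket cannot be reached through this route.
     *
     * SECURITY: this is a state-changing action and therefore needs the same CSRF
     * protection as create(). The route was previously documented as GET, which
     * cannot carry a CSRF token safely — register it as POST and submit the
     * "delete" link as a form that includes the token. A plain GET link now fails
     * closed at the checkCSRF() call below.
     *
     * @param \Base $f3 Fat-Free instance (request, session and DB access).
     */
    public function delete($f3) {
        if (!$f3->exists('SESSION.user')) {
            $f3->reroute('/login');
            return;
        }

        $ticket_id = (int) $f3->get('PARAMS.id');
        $comment_id = (int) $f3->get('PARAMS.comment_id');

        // Verify the CSRF token before touching the database (see class doc).
        $this->checkCSRF($f3, '/ticket/' . $ticket_id);

        $current_user = $f3->get('SESSION.user');
        $db = $f3->get('DB');

        // Fetch the author, constrained to the ticket from the URL.
        $comment_row = $db->exec(
            'SELECT created_by FROM ticket_comments WHERE id = ? AND ticket_id = ? LIMIT 1',
            [$comment_id, $ticket_id]
        );
        if (!$comment_row) {
            $f3->set('SESSION.error', 'Error: Ticket comment ID not found.');
            $f3->reroute('/ticket/' . $ticket_id);
            return;
        }

        // Compare as integers: the DB driver may hand back created_by as a string
        // while the session id may be an int (or vice versa). A bare !== on mixed
        // types would deny every owner — fail-closed, but broken. Casting keeps the
        // comparison strict without the type mismatch.
        $comment_owner = (int) $comment_row[0]['created_by'];
        // TODO: $is_admin = ()
        if ((int) $current_user['id'] !== $comment_owner) {
            $f3->set('SESSION.error', 'You do not have permission to delete this comment');
            $f3->reroute('/ticket/' . $ticket_id);
            return;
        }

        // Soft delete: flag the row instead of removing it, keeping an audit trail.
        // The ticket_id predicate mirrors the lookup above so the write is scoped too.
        $db->exec(
            'UPDATE ticket_comments SET deleted = 1 WHERE id = ? AND ticket_id = ?',
            [$comment_id, $ticket_id]
        );
        $f3->reroute('/ticket/' . $ticket_id);
    }

    /**
     * Render the comments of a ticket, newest first, via views/comments/view.html.
     *
     * Requires a logged-in session, consistent with create() and delete() — comment
     * threads are not public. Soft-deleted rows (deleted = 1) are excluded so that
     * delete() actually hides a comment; rows with a NULL flag are treated as live.
     *
     * NOTE(review): there is still no per-ticket access check here — any logged-in
     * user can list the comments of any ticket id. Add one alongside the ticket
     * permission rules when they are available.
     *
     * @param \Base $f3 Fat-Free instance (request, session and DB access).
     */
    public function index($f3) {
        if (!$f3->exists('SESSION.user')) {
            $f3->reroute('/login');
            return;
        }

        $ticket_id = (int) $f3->get('PARAMS.id');
        $db = $f3->get('DB');

        $comments = $db->exec('
            SELECT c.*, u.username AS author_name
            FROM ticket_comments c
            LEFT JOIN users u ON c.created_by = u.id
            WHERE c.ticket_id = ?
              AND COALESCE(c.deleted, 0) = 0
            ORDER BY c.created_at DESC',
            [$ticket_id]
        );

        // Output escaping is the template's responsibility (F3 escapes by default);
        // do not disable ESCAPE for this view.
        $f3->set('comments', $comments);
        echo \Template::instance()->render('views/comments/view.html');
    }
}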