Fix CDR recording file handling for missing files

Ensure consistent behavior when recording files are missing:
- Clear recordingfile, playback_url, and download_url when file doesn't exist
- Use empty strings instead of null for better API consistency
- Fix test assertions to match new response structure (data.data.pagination)

Changes:
- DataStructure.php: Clear all recording fields when file_exists() fails
- test_43_cdr_security.py: Fix extract_cdr_data() calls and pagination checks

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

Author: jorikfon

src/PBXCoreREST/Lib/Cdr/DataStructure.php

@@ -78,6 +78,7 @@ public static function createFromModel($model): array
         // Add recording URLs if file exists
         // WHY: Provides secure token-based access without exposing file paths
         // Two URLs: playback (for inline streaming) and download (for file download)
+        // IMPORTANT: If file doesn't exist, clear recordingfile, playback_url, and download_url
         if (!empty($model->recordingfile) && file_exists($model->recordingfile)) {
             $token = self::generatePlaybackToken($model->id);
 
@@ -87,12 +88,17 @@ public static function createFromModel($model): array
                 $data['playback_url'] = "/pbxcore/api/v3/cdr:playback?token={$token}";
                 $data['download_url'] = "/pbxcore/api/v3/cdr:download?token={$token}";
             } else {
-                $data['playback_url'] = null;
-                $data['download_url'] = null;
+                // Token generation failed (Redis unavailable?)
+                // Keep recordingfile but clear URLs
+                $data['playback_url'] = '';
+                $data['download_url'] = '';
             }
         } else {
-            $data['playback_url'] = null;
-            $data['download_url'] = null;
+            // File doesn't exist or recordingfile is empty
+            // WHY: Consistency - if no file, all 3 fields should be empty
+            $data['recordingfile'] = '';
+            $data['playback_url'] = '';
+            $data['download_url'] = '';
         }
 
         // Apply OpenAPI schema formatting to convert types automatically

tests/api/test_43_cdr_security.py

@@ -15,6 +15,21 @@
 from datetime import datetime, timedelta
 
 
+def extract_cdr_data(response):
+    """Extract CDR data and pagination from response handling new format."""
+    data_wrapper = response.get('data', {})
+
+    if isinstance(data_wrapper, dict):
+        if 'records' in data_wrapper and 'pagination' in data_wrapper:
+            return data_wrapper['records'], data_wrapper['pagination']
+
+    # Fallback for legacy format
+    if isinstance(data_wrapper, list):
+        return data_wrapper, response.get('pagination', {})
+
+    return [], {}
+
+
 @pytest.mark.security
 class TestCDRSQLInjectionProtection:
     """
@@ -48,7 +63,8 @@ def test_sort_field_sql_injection_drop_table(self, api_client):
 
         # Critical: Table must still exist (pagination works)
         assert 'data' in data, "Response missing data field"
-        assert 'pagination' in data, \
+        data_wrapper = data['data']
+        assert 'pagination' in data_wrapper, \
             "CRITICAL: Table compromised - pagination missing"
 
         # Verify no error messages about SQL syntax
@@ -289,7 +305,7 @@ def test_auto_date_range_no_filters(self, api_client):
             f"Expected 200, got {response.status_code}"
 
         data = response.json()
-        cdr_data = data.get('data', [])
+        cdr_data, pagination = extract_cdr_data(data)
 
         # Verify returned records are recent (within auto-applied range)
         if cdr_data:
@@ -331,7 +347,7 @@ def test_limit_parameter_exceeds_maximum(self, api_client):
             f"Expected 200, got {response.status_code}"
 
         data = response.json()
-        cdr_data = data.get('data', [])
+        cdr_data, pagination = extract_cdr_data(data)
 
         # Should cap at 1000
         assert len(cdr_data) <= 1000, \
@@ -357,7 +373,7 @@ def test_negative_limit_rejected_or_defaulted(self, api_client):
         # Either reject or use safe default
         if response.status_code == 200:
             data = response.json()
-            cdr_data = data.get('data', [])
+            cdr_data, pagination = extract_cdr_data(data)
             # Should use safe default, not negative value
             assert len(cdr_data) >= 0, \
                 "Negative limit should not return negative records"
@@ -459,7 +475,8 @@ def test_order_parameter_sql_injection(self, api_client):
         data = response.json()
         # Table must still exist
         assert 'data' in data, "Response should contain data"
-        assert 'pagination' in data, \
+        data_wrapper = data['data']
+        assert 'pagination' in data_wrapper, \
             "Table should still exist (pagination present)"
 
     def test_order_parameter_valid_directions(self, api_client):
@@ -511,9 +528,14 @@ def test_large_result_set_pagination_required(self, api_client):
             f"Expected 200, got {response.status_code}"
 
         data = response.json()
-        pagination = data.get('pagination', {})
 
-        # Should have pagination
+        # API should always include pagination metadata
+        data_wrapper = data['data']
+        assert 'pagination' in data_wrapper, "Response should include pagination"
+        pagination = data_wrapper.get('pagination', {})
+        assert isinstance(pagination, dict), "Pagination should be a dictionary"
+
+        # Should have pagination metadata
         assert 'total' in pagination, "Pagination should include total"
         assert 'limit' in pagination, "Pagination should include limit"
         assert 'hasMore' in pagination, "Pagination should include hasMore"
@@ -539,7 +561,7 @@ def test_grouped_pagination_performance(self, api_client):
             f"Expected 200, got {response.status_code}"
 
         data = response.json()
-        cdr_data = data.get('data', [])
+        cdr_data, pagination = extract_cdr_data(data)
 
         # Each group should have linkedid
         for group in cdr_data[:5]:  # Check first 5 groups