diff --git a/09 - Audits/Activity Log.md b/09 - Audits/Activity Log.md index 2e90ca1..07ceac3 100644 --- a/09 - Audits/Activity Log.md +++ b/09 - Audits/Activity Log.md @@ -1307,4 +1307,18 @@ delivered/confirming → 5, seller_paid/completed → 6. Removed the unreliable --- +### 2026-06-04 — backend v2.8.77 — seller can't ship: delivery 403 (uuid↔ObjectId seam) + +The selected seller got HTTP 403 on PUT /marketplace/purchase-requests/:id/delivery +(«تأیید ارسال کالا») for a paid shop request. The auth compared the seller's +session id (legacy ObjectId e0527…) against the selected offer's sellerId, which a +TEMPLATE-created offer stores as a PG uuid (669c0dac…) → never equal → 403. Added a +`sameUser(a,b)` helper that resolves both ids via the user repo (accepts either +format) and compares every id form (_id/id/pgId/legacyObjectId). Applied to +updateDeliveryInfo, verifyDeliveryCode, and the delivery-code-status buyer/seller +gate. (Buyer step labels already matched the web — no change.) +**Verification:** backend tsc clean. + +--- +