From 485929509c26c4aa8ce830102c4525fbe2c33aca Mon Sep 17 00:00:00 2001 From: moojttaba Date: Thu, 4 Jun 2026 16:01:11 +0330 Subject: [PATCH] =?UTF-8?q?docs:=20activity=20log=20=E2=80=94=20backend=20?= =?UTF-8?q?v2.8.77=20(seller=20delivery=20403=20/=20uuid-ObjectId=20seam)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-Authored-By: Claude Opus 4.8 (1M context) --- 09 - Audits/Activity Log.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/09 - Audits/Activity Log.md b/09 - Audits/Activity Log.md index 2e90ca1..07ceac3 100644 --- a/09 - Audits/Activity Log.md +++ b/09 - Audits/Activity Log.md @@ -1307,4 +1307,18 @@ delivered/confirming → 5, seller_paid/completed → 6. Removed the unreliable --- +### 2026-06-04 — backend v2.8.77 — seller can't ship: delivery 403 (uuid↔ObjectId seam) + +The selected seller got HTTP 403 on PUT /marketplace/purchase-requests/:id/delivery +(«تأیید ارسال کالا») for a paid shop request. The auth compared the seller's +session id (legacy ObjectId e0527…) against the selected offer's sellerId, which a +TEMPLATE-created offer stores as a PG uuid (669c0dac…) → never equal → 403. Added a +`sameUser(a,b)` helper that resolves both ids via the user repo (accepts either +format) and compares every id form (_id/id/pgId/legacyObjectId). Applied to +updateDeliveryInfo, verifyDeliveryCode, and the delivery-code-status buyer/seller +gate. (Buyer step labels already matched the web — no change.) +**Verification:** backend tsc clean. + +--- +