docs: activity log — backend v2.8.77 (seller delivery 403 / uuid-ObjectId seam)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
moojttaba
2026-06-04 16:01:11 +03:30
parent 824663bcaa
commit 485929509c

@@ -1307,4 +1307,18 @@ delivered/confirming → 5, seller_paid/completed → 6. Removed the unreliable
---
### 2026-06-04 — backend v2.8.77 — seller can't ship: delivery 403 (uuid↔ObjectId seam)
The selected seller got HTTP 403 on PUT /marketplace/purchase-requests/:id/delivery
(«تأیید ارسال کالا») for a paid shop request. The auth compared the seller's
session id (legacy ObjectId e0527…) against the selected offer's sellerId, which a
TEMPLATE-created offer stores as a PG uuid (669c0dac…) → never equal → 403. Added a
`sameUser(a,b)` helper that resolves both ids via the user repo (accepts either
format) and compares every id form (_id/id/pgId/legacyObjectId). Applied to
updateDeliveryInfo, verifyDeliveryCode, and the delivery-code-status buyer/seller
gate. (Buyer step labels already matched the web — no change.)
**Verification:** backend tsc clean.
---
<!-- Add new entries above this line. Newest at top. -->
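Review bot: The **Verification:** line records only "backend tsc clean", which is a type check and says nothing about the authorization behaviour this entry describes. Since `sameUser(a,b)` now gates updateDeliveryInfo, verifyDeliveryCode and the delivery-code-status buyer/seller check, the entry should record a runtime check in both directions: the selected seller with a legacy ObjectId session against a uuid sellerId is allowed, and a different user still gets 403. It would also help to state what `sameUser` returns when either id fails to resolve in the user repo or one of the id forms (_id/id/pgId/legacyObjectId) is absent, so it is clear that two missing values never compare equal and the gate fails closed.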