---
issue: 001
title: "PATCH /api/disputes/:id/status and POST /api/disputes/:id/resolve have no role guard — privilege escalation"
severity: critical
domain: Dispute
labels: [security, bug, backend, privilege-escalation]
status: resolved
resolved: 2026-05-29
fix: "Added authorizeRoles('admin') middleware to PATCH /:id/status and POST /:id/resolve in backend/src/routes/disputeRoutes.ts"
created: 2026-05-29
source: Doc vs Code Audit 2026-05-29
---

# 🔴 PATCH /api/disputes/:id/status and POST /api/disputes/:id/resolve have no role guard — privilege escalation

**Severity:** critical
**Domain:** Dispute
**Labels:** security, bug, backend, privilege-escalation

## Description

Any authenticated buyer or seller can change a dispute's status to 'resolved', 'closed', or 'rejected', and can post a dispute resolution, including one with action=ban_seller. Neither the dashboard updateStatus controller nor the resolveDispute controller calls authorizeRoles('admin'); only authenticateToken is applied on the router, so authentication is enforced but authorization is not.

## Current Behavior

Any authenticated user who knows the dispute ID can call PATCH /api/disputes/:id/status or POST /api/disputes/:id/resolve and receive 200 with the mutation applied.

## Expected Behavior

Both endpoints should return 403 for non-admin users. The authorizeRoles('admin') middleware should be applied at the route level, after authenticateToken, so the controllers are never reached by a non-admin caller.

## Affected Files

- `backend/src/routes/disputeRoutes.ts`
- `backend/src/controllers/disputeController.ts`

## References

- [Doc vs Code Audit Report](../09%20-%20Audits/Doc%20vs%20Code%20Audit%20Report%20-%202026-05-29.md)
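The before/after route chains as an added example (not the project's own code): an Express-style `authorizeRoles` factory plus a tiny dispatcher so the chains can be exercised without express installed. It assumes `authenticateToken` has already populated `req.user` with a `role` field; the request/response shapes and the stub `updateStatus` controller are hypothetical stand-ins.

```typescript
// Added example, not the project's code. Assumption: authenticateToken has already
// populated req.user with a `role` field; the controller below is a stand-in.

type Role = "admin" | "buyer" | "seller";

interface AuthedRequest {
  params: { id: string };
  user?: { id: string; role: Role };
}

interface MinimalResponse {
  statusCode: number;
  body?: unknown;
  status(code: number): MinimalResponse;
  json(payload: unknown): MinimalResponse;
}

type Middleware = (req: AuthedRequest, res: MinimalResponse, next: () => void) => void;

// Lets the request through only when the authenticated user's role is in the allow-list.
export function authorizeRoles(...allowed: Role[]): Middleware {
  return (req, res, next) => {
    if (!req.user) { res.status(401).json({ error: "Authentication required" }); return; }
    if (!allowed.includes(req.user.role)) { res.status(403).json({ error: "Forbidden" }); return; }
    next();
  };
}

// Stand-in for the dashboard updateStatus controller: it mutates without checking the
// caller's role, which is why the guard has to sit in front of it at the route level.
export const updateStatus: Middleware = (req, res) => {
  res.status(200).json({ id: req.params.id, status: "resolved" });
};

// Runs a middleware chain the way Express does: the first one that responds ends it.
export function dispatch(req: AuthedRequest, chain: Middleware[]): MinimalResponse {
  const res: MinimalResponse = {
    statusCode: 200,
    status(code) { res.statusCode = code; return res; },
    json(payload) { res.body = payload; return res; },
  };
  let i = 0;
  const next = (): void => { const mw = chain[i++]; if (mw) mw(req, res, next); };
  next();
  return res;
}

// Status code a caller with the given role gets from PATCH /api/disputes/:id/status,
// with the route either as shipped (controller only) or with the fix applied.
export function statusFor(role: Role | undefined, guarded: boolean): number {
  const req: AuthedRequest = { params: { id: "dispute-123" }, user: role ? { id: "u1", role } : undefined };
  const chain = guarded ? [authorizeRoles("admin"), updateStatus] : [updateStatus];
  return dispatch(req, chain).statusCode;
}
```

The unguarded chain returns 200 for a buyer, which is the reported behaviour; with the guard in front, a buyer gets 403, an admin 200, and an unauthenticated request 401.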