---
issue: 094
title: "Backend: selectOffer does not verify buyer owns the purchase request"
severity: medium
domain: Marketplace
labels: [security, backend, idor]
status: open
created: 2026-05-30
source: Full Codebase Audit 2026-05-30
---

# Backend: selectOffer does not verify buyer owns the purchase request

**Severity:** medium
**Domain:** Marketplace
**Labels:** security, backend, idor

## Description

`src/services/marketplace/marketplaceController.ts:1029` handles `selectOffer` without checking that `req.user.id` matches `purchaseRequest.buyerId`. Any authenticated user who knows a purchase request ID can select (accept) an offer on another buyer's request. This is an insecure direct object reference (IDOR): the caller is authenticated, but the handler never checks that the caller is authorized for the specific object it references.

## Options

1. Reject when `req.user.id !== purchaseRequest.buyerId`.
2. Allow the owning buyer or an admin only.
3. Atomic `findOneAndUpdate` scoped by `buyerId`, so the ownership check and the update are one database operation instead of a read followed by a separate write.

## Recommendation

Enforce `req.user.id === purchaseRequest.buyerId`, with an admin override. Note that this narrows who can accept offers: any caller that currently selects offers on requests it does not own will be rejected.

## Affected Files

- `backend/src/services/marketplace/marketplaceController.ts:1029`

## References

- [Full Codebase Audit 2026-05-30](../09%20-%20Audits/Full%20Codebase%20Audit%20-%202026-05-30.md) — DEC-28
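The three options above side by side, as an added example written for this issue rather than code taken from the marketplace controller. The `User`, `PurchaseRequest` and `Offer` shapes, the `Req`/`Res` handler signature, the in-memory store and the `findOneAndUpdate` stand-in are all assumptions; the real service's models and query layer will differ. The first handler reproduces the unchecked lookup the audit describes, the second adds the explicit owner-or-admin check (options 1 and 2), and the third folds the ownership predicate into the update filter (option 3).

```typescript
// Added example for issue 094; not the project's own code. All types, the
// fixture data and the findOneAndUpdate stand-in are assumptions.

type Role = "buyer" | "seller" | "admin";
interface User { id: string; roles: Role[]; }
interface Offer { id: string; purchaseRequestId: string; sellerId: string; }
interface PurchaseRequest {
  id: string; buyerId: string; status: "open" | "accepted"; selectedOfferId?: string;
}
interface Req { user: User; params: { requestId: string; offerId: string }; }
interface Res { status: number; body: Record<string, unknown>; }

// Constructed fixtures: two buyers, one open request each, one offer per request.
let purchaseRequests: PurchaseRequest[] = [];
const offers: Offer[] = [
  { id: "of-1", purchaseRequestId: "pr-1", sellerId: "seller-X" },
  { id: "of-2", purchaseRequestId: "pr-2", sellerId: "seller-Y" },
];
function resetFixtures(): void {
  purchaseRequests = [
    { id: "pr-1", buyerId: "buyer-A", status: "open" },
    { id: "pr-2", buyerId: "buyer-B", status: "open" },
  ];
}
resetFixtures();

// The offer must belong to the request named in the URL, whichever handler runs.
function findOffer(req: Req): Offer | undefined {
  return offers.find(
    (o) => o.id === req.params.offerId && o.purchaseRequestId === req.params.requestId,
  );
}

// Vulnerable shape (what the audit describes): the request is loaded by id only,
// so any authenticated caller who knows the id can accept an offer on it.
function selectOfferVulnerable(req: Req): Res {
  const pr = purchaseRequests.find((p) => p.id === req.params.requestId);
  const offer = findOffer(req);
  if (!pr || !offer) return { status: 404, body: { error: "not found" } };
  pr.status = "accepted";
  pr.selectedOfferId = offer.id;
  return { status: 200, body: { purchaseRequest: pr } };
}

// Options 1 and 2: explicit ownership check with admin override. Still
// check-then-act: another accept can interleave between the read and the write.
function selectOfferChecked(req: Req): Res {
  const pr = purchaseRequests.find((p) => p.id === req.params.requestId);
  const offer = findOffer(req);
  if (!pr || !offer) return { status: 404, body: { error: "not found" } };
  const isAdmin = req.user.roles.includes("admin");
  if (!isAdmin && req.user.id !== pr.buyerId) {
    return { status: 403, body: { error: "not the owner of this purchase request" } };
  }
  if (pr.status !== "open") return { status: 409, body: { error: "already accepted" } };
  pr.status = "accepted";
  pr.selectedOfferId = offer.id;
  return { status: 200, body: { purchaseRequest: pr } };
}

// Option 3: a stand-in for a findOneAndUpdate-style call. Every key in the
// filter must match, so the ownership predicate travels with the write.
function findOneAndUpdate(
  filter: Partial<Pick<PurchaseRequest, "id" | "buyerId" | "status">>,
  update: Partial<PurchaseRequest>,
): PurchaseRequest | null {
  const keys = Object.keys(filter) as (keyof typeof filter)[];
  const pr = purchaseRequests.find((p) => keys.every((k) => p[k] === filter[k]));
  if (!pr) return null;
  Object.assign(pr, update);
  return pr;
}

function selectOfferAtomic(req: Req): Res {
  const offer = findOffer(req);
  if (!offer) return { status: 404, body: { error: "not found" } };
  // Admins skip the buyerId constraint; everyone else is scoped to their own requests.
  const filter = req.user.roles.includes("admin")
    ? { id: req.params.requestId, status: "open" as const }
    : { id: req.params.requestId, buyerId: req.user.id, status: "open" as const };
  const updated = findOneAndUpdate(filter, { status: "accepted", selectedOfferId: offer.id });
  // No match covers "not yours", "not open" and "does not exist" alike; one 404 for
  // all three keeps the endpoint from confirming other buyers' request ids.
  if (!updated) return { status: 404, body: { error: "not found" } };
  return { status: 200, body: { purchaseRequest: updated } };
}
```

The scoped update deliberately answers a non-owner with the same 404 it would give for a nonexistent id, whereas the checked variant answers 403; the latter is friendlier to debug but confirms that the id exists. Which to pick is a product decision, but either is the fix this issue asks for, and only the scoped form also closes the read-then-write window.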