---
issue: 063
title: "Backend: legacy marketplace PATCH /payments/:id lets buyer/seller set any status"
severity: high
domain: Payment
labels: [security, backend, authorization]
status: open
created: 2026-05-30
source: Full Codebase Audit 2026-05-30
---

# Backend: legacy marketplace PATCH /payments/:id lets buyer/seller set any status

**Severity:** high
**Domain:** Payment
**Labels:** security, backend, authorization

## Description

`backend/src/services/marketplace/routes.ts:237` registers a legacy PATCH endpoint for payment status that has neither an admin role guard nor a whitelist of accepted status values. A buyer or seller who can reach the route can write an arbitrary status string to a payment directly, bypassing whatever state handling the rest of the payment flow relies on.

## Options

1. Add an admin role guard plus a status whitelist.
2. Deprecate/remove the legacy route if it is superseded by the new payment controller.
3. Restrict it to system/internal callers only.

## Recommendation

If the route is legacy and superseded by the new payment controller, remove it. Otherwise gate it with the admin guard and the status whitelist. Before removal, confirm that nothing still calls it (for example from request logs and a search for callers in the codebase), since a silent removal of a route that is still in use would break a payment path rather than secure it.

## Affected Files

- `backend/src/services/marketplace/routes.ts:237`

## References

- [Full Codebase Audit 2026-05-30](../09%20-%20Audits/Full%20Codebase%20Audit%20-%202026-05-30.md) — DEC-24
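The following is an added example, not code from the repository: a framework-agnostic sketch of what the audit describes (a handler that stores whatever status arrives in the body) next to the hardened form from option 1. The role names, status values, the in-memory store and the request shape are assumptions for illustration; the example also goes one step beyond the whitelist by checking that the requested change is a permitted state transition, which the ticket does not ask for but a payment status endpoint usually needs.

```typescript
// Added example (not the project's code). Types, roles, status names and the
// transition table are assumptions chosen to illustrate the guard + whitelist fix.

type Role = "buyer" | "seller" | "admin";
type PaymentStatus = "pending" | "authorized" | "captured" | "refunded" | "failed";

interface Payment { id: string; status: string; buyerId: string; sellerId: string; }
interface Caller { userId: string; role: Role; }
interface PatchRequest { paymentId: string; body: { status?: unknown }; caller: Caller; }
interface Result { code: number; payment?: Payment; error?: string; }

// Constructed in-memory store standing in for the database.
export function makeStore(): Map<string, Payment> {
  return new Map<string, Payment>([
    ["pay_1", { id: "pay_1", status: "pending", buyerId: "u-buyer", sellerId: "u-seller" }],
    ["pay_2", { id: "pay_2", status: "captured", buyerId: "u-buyer", sellerId: "u-seller" }],
  ]);
}

// Legacy behaviour as the audit describes it: no role check, no whitelist.
// Any caller can write any string into the status column.
export function legacyPatchStatus(store: Map<string, Payment>, req: PatchRequest): Result {
  const payment = store.get(req.paymentId);
  if (!payment) return { code: 404, error: "payment not found" };
  payment.status = String(req.body.status);
  return { code: 200, payment };
}

// Hardened form: admin-only, value must be on the whitelist, and the change
// must be a permitted transition from the payment's current status.
const STATUS_WHITELIST: ReadonlySet<string> = new Set<PaymentStatus>([
  "pending", "authorized", "captured", "refunded", "failed",
]);

// Assumed lifecycle; terminal states allow no further changes.
const TRANSITIONS: Record<PaymentStatus, readonly PaymentStatus[]> = {
  pending: ["authorized", "failed"],
  authorized: ["captured", "failed"],
  captured: ["refunded"],
  refunded: [],
  failed: [],
};

function isPaymentStatus(value: unknown): value is PaymentStatus {
  return typeof value === "string" && STATUS_WHITELIST.has(value);
}

export function hardenedPatchStatus(store: Map<string, Payment>, req: PatchRequest): Result {
  // Authorization first, before any lookup, so non-admins learn nothing about
  // which payment ids exist.
  if (req.caller.role !== "admin") return { code: 403, error: "admin role required" };

  // Whitelist: reject anything that is not a known status value.
  const next = req.body.status;
  if (!isPaymentStatus(next)) return { code: 400, error: "status not in whitelist" };

  const payment = store.get(req.paymentId);
  if (!payment) return { code: 404, error: "payment not found" };

  // Transition check: stored status may be stale data, so look it up defensively.
  const current = payment.status as PaymentStatus;
  const allowed = TRANSITIONS[current] ?? [];
  if (!allowed.includes(next)) {
    return { code: 409, error: `cannot move payment from ${current} to ${next}` };
  }

  payment.status = next;
  return { code: 200, payment };
}
```

The order of checks in the hardened handler is deliberate: the role guard runs before the store lookup so a buyer probing ids gets a uniform 403, the whitelist runs before any state is read so malformed input never reaches the transition logic, and the transition table turns the endpoint from "set status" into "advance status", which is what an admin override of a payment actually needs.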