---
issue: 027
title: "confirm-delivery endpoint has no ownership check — any authenticated user can confirm delivery on any request"
severity: major
domain: Delivery
labels: [security, bug, backend, major, authorization]
status: open
created: 2026-05-29
source: Doc vs Code Audit 2026-05-29
---

# 🟠 confirm-delivery endpoint has no ownership check — any authenticated user can confirm delivery on any request

**Severity:** major
**Domain:** Delivery
**Labels:** security, bug, backend, major, authorization

## Description

`marketplaceController.confirmDelivery` (line 782) checks the dispute gate and `status === 'delivery'` but does NOT verify that the caller is the buyer of the request. Any authenticated user who knows a `purchaseRequestId` in `'delivery'` status can call `PATCH /confirm-delivery` and advance it to `'delivered'`.

## Current Behavior

Sellers, admins, or any authenticated third party can call confirm-delivery and mark a request as delivered without the buyer's involvement. Authentication is enforced upstream, but nothing ties the caller to the specific purchase request being modified.

## Expected Behavior

`confirmDelivery` should load the purchase request and verify `req.user.id === purchaseRequest.buyerId` before any state transition, rejecting every other caller (typically with a 403). The check belongs immediately after the load, ahead of the dispute and status gates, so that a non-owner cannot use the gate errors to probe the request's state.

## Affected Files

- `backend/src/controllers/marketplaceController.ts`

## References

- [Doc vs Code Audit Report](../09%20-%20Audits/Doc%20vs%20Code%20Audit%20Report%20-%202026-05-29.md)
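The following is an added example illustrating the Expected Behavior above; it is not code from the repository. It models the handler's authorization decision as pure functions over an in-memory `Map` so the before/after behaviour can be exercised without Express or a database. The field names (`buyerId`, `sellerId`, `status`, `hasOpenDispute`), the route parameter name `purchaseRequestId`, the response shapes and the sample data are assumptions, not the project's schema.

```typescript
// Added example, not code from the repository. Models the confirm-delivery
// handler as pure functions over an in-memory store. Field names, the route
// parameter name, response shapes and sample data are assumptions.

type PurchaseStatus = 'pending' | 'delivery' | 'delivered';

export interface PurchaseRequest {
  id: string;
  buyerId: string;
  sellerId: string;
  status: PurchaseStatus;
  hasOpenDispute: boolean;
}

// Minimal stand-in for an authenticated Express request.
export interface ConfirmDeliveryReq {
  user: { id: string };
  params: { purchaseRequestId: string };
}

export interface HandlerResult {
  status: number;
  body: { error?: string; purchaseRequest?: PurchaseRequest };
}

export type Store = Map<string, PurchaseRequest>;

// The two gates the existing handler already applies (dispute, then status).
function stateGates(pr: PurchaseRequest): HandlerResult | null {
  if (pr.hasOpenDispute) {
    return { status: 409, body: { error: 'request has an open dispute' } };
  }
  if (pr.status !== 'delivery') {
    return { status: 409, body: { error: `cannot confirm delivery from status '${pr.status}'` } };
  }
  return null;
}

// BEFORE: the shape the issue describes. The caller is authenticated, but
// nothing ties them to this particular purchase request.
export function confirmDeliveryUnchecked(req: ConfirmDeliveryReq, store: Store): HandlerResult {
  const pr = store.get(req.params.purchaseRequestId);
  if (!pr) return { status: 404, body: { error: 'purchase request not found' } };
  const gate = stateGates(pr);
  if (gate) return gate;
  pr.status = 'delivered';
  return { status: 200, body: { purchaseRequest: pr } };
}

// AFTER: the ownership check runs right after the load and before the state
// gates, so a non-owner always gets the same 403 regardless of the request's
// state and cannot use the gate errors to probe it.
export function confirmDelivery(req: ConfirmDeliveryReq, store: Store): HandlerResult {
  const pr = store.get(req.params.purchaseRequestId);
  if (!pr) return { status: 404, body: { error: 'purchase request not found' } };
  if (pr.buyerId !== req.user.id) {
    return { status: 403, body: { error: 'only the buyer may confirm delivery' } };
  }
  const gate = stateGates(pr);
  if (gate) return gate;
  pr.status = 'delivered';
  return { status: 200, body: { purchaseRequest: pr } };
}

// Constructed sample data: one request awaiting confirmation, one disputed.
export function makeStore(): Store {
  return new Map<string, PurchaseRequest>([
    ['pr-1', { id: 'pr-1', buyerId: 'user-buyer', sellerId: 'user-seller', status: 'delivery', hasOpenDispute: false }],
    ['pr-2', { id: 'pr-2', buyerId: 'user-buyer', sellerId: 'user-seller', status: 'delivery', hasOpenDispute: true }],
  ]);
}

// Walk both handlers through the scenario from the issue and return the
// outcomes so they can be checked rather than only printed.
export function demo(): { unchecked: number; sellerDenied: number; buyerOk: number; finalStatus: PurchaseStatus } {
  const sellerReq: ConfirmDeliveryReq = { user: { id: 'user-seller' }, params: { purchaseRequestId: 'pr-1' } };
  const buyerReq: ConfirmDeliveryReq = { user: { id: 'user-buyer' }, params: { purchaseRequestId: 'pr-1' } };
  const unchecked = confirmDeliveryUnchecked(sellerReq, makeStore()).status; // 200: the seller advanced the request
  const store = makeStore();
  const sellerDenied = confirmDelivery(sellerReq, store).status;            // 403
  const buyerOk = confirmDelivery(buyerReq, store).status;                  // 200
  return { unchecked, sellerDenied, buyerOk, finalStatus: store.get('pr-1')!.status };
}
```

Two design points worth settling in the real fix: if the project prefers not to reveal which `purchaseRequestId` values exist, the non-owner branch can return the same 404 as the not-found branch instead of a 403; and if admins are meant to be able to confirm on a buyer's behalf, that should be an explicit role branch next to the ownership check, not the absence of a check.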