---
issue: 002
title: "POST /api/disputes/:id/assign has no role guard — any user can self-assign as admin"
severity: critical
domain: Dispute
labels: [security, bug, backend, privilege-escalation]
status: resolved
resolved: 2026-05-29
fix: "Added authorizeRoles('admin') middleware to POST /:id/assign in backend/src/routes/disputeRoutes.ts"
created: 2026-05-29
source: Doc vs Code Audit 2026-05-29
---

# 🔴 POST /api/disputes/:id/assign has no role guard — any user can self-assign as admin

**Severity:** critical
**Domain:** Dispute
**Labels:** security, bug, backend, privilege-escalation

## Description

The `POST /api/disputes/:id/assign` endpoint registers only `authenticateToken`. Any authenticated user can assign themselves or anyone else as the admin handler for a dispute. The admin check is absent at both the middleware and controller level.

## Current Behavior

Any authenticated buyer or seller can call `POST /api/disputes/:id/assign` and become the assigned admin for the dispute.

## Expected Behavior

Return 403 for non-admin tokens. Apply `authorizeRoles('admin')` at the route level.

## Affected Files

- `backend/src/routes/disputeRoutes.ts`
- `backend/src/controllers/disputeController.ts`

## References

- [Doc vs Code Audit Report](../09%20-%20Audits/Doc%20vs%20Code%20Audit%20Report%20-%202026-05-29.md)
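The following is an added example, not code from `disputeRoutes.ts` or the project's own middleware: it models the Express-style middleware chain for this route without a server and shows the vulnerable stack (`authenticateToken` only) beside the fixed stack with `authorizeRoles('admin')`. The token format, the `authorizeRoles` implementation and the controller body are assumptions made for the example.

```typescript
// Added example (not the project's code): Express-style (req, res, next)
// middleware chain for POST /api/disputes/:id/assign, run in-process.
type Role = "buyer" | "seller" | "admin";
interface Req { user?: { id: string; role: Role }; params: { id: string }; headers: { authorization?: string } }
interface Res { status: number; body: unknown }
type Handler = (req: Req, res: Res, next: () => void) => void;

// Constructed stand-in for token verification: "Bearer <userId>:<role>".
// Assumption for the example; the real middleware verifies a signed token.
const authenticateToken: Handler = (req, res, next) => {
  const m = /^Bearer ([^:]+):(buyer|seller|admin)$/.exec(req.headers.authorization ?? "");
  if (!m) { res.status = 401; res.body = { error: "unauthenticated" }; return; }
  req.user = { id: m[1], role: m[2] as Role };
  next();
};

// The missing guard: rejects with 403 unless the authenticated role is allowed.
function authorizeRoles(...allowed: Role[]): Handler {
  return (req, res, next) => {
    if (!req.user || !allowed.includes(req.user.role)) {
      res.status = 403; res.body = { error: "forbidden" }; return;
    }
    next();
  };
}

// Simplified controller: records the caller as the dispute's assigned handler.
const assignDispute: Handler = (req, res) => {
  res.status = 200; res.body = { disputeId: req.params.id, assignedTo: req.user!.id };
};

// Minimal router: runs the stack the way Express does, stopping when a
// handler responds without calling next().
function run(stack: Handler[], req: Req): Res {
  const res: Res = { status: 200, body: null };
  let i = 0;
  const next = () => { const h = stack[i++]; if (h) h(req, res, next); };
  next();
  return res;
}

// Route as reported (authentication only) vs. route with the role guard applied.
const vulnerableRoute: Handler[] = [authenticateToken, assignDispute];
const fixedRoute: Handler[] = [authenticateToken, authorizeRoles("admin"), assignDispute];

// Returns the HTTP status a caller with the given Authorization header receives.
function callAssign(stack: Handler[], token: string): number {
  return run(stack, { params: { id: "dispute-42" }, headers: { authorization: token } }).status;
}
```

With the vulnerable stack a buyer token reaches the controller and gets 200; with the fixed stack the same token stops at the guard with 403, while an admin token still passes.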