---
issue: 095
title: "Backend: getUserStats has no ownership/admin check (IDOR)"
severity: medium
domain: Payment
labels: [security, backend, idor]
status: open
created: 2026-05-30
source: Full Codebase Audit 2026-05-30
---

# Backend: getUserStats has no ownership/admin check (IDOR)

**Severity:** medium
**Domain:** Payment
**Labels:** security, backend, idor

## Description

`paymentControllerRoutes.ts:13` serves `GET /api/payment/stats/:userId` without checking that `req.user.id === req.params.userId` or that the caller is an admin. Any authenticated user can therefore retrieve the payment statistics of any other user simply by supplying that user's ID in the path.

## Options

1. Require `req.user.id === req.params.userId`, or an admin caller.
2. Make the endpoint admin-only.
3. Scope the query to the authenticated user and ignore the path parameter.

## Recommendation

Require self-or-admin (`req.user.id === userId || isAdmin`).

## Affected Files

- `backend/src/services/payment/paymentControllerRoutes.ts:13`

## References

- [Full Codebase Audit 2026-05-30](../09%20-%20Audits/Full%20Codebase%20Audit%20-%202026-05-30.md) — DEC-29
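The self-or-admin check from the Recommendation, written out as an added example (not the project's own route code). The `Req`/`Res` types are minimal stand-ins for Express's `Request`/`Response` so the block runs without the framework; note the string normalisation, since `req.params.userId` is always a string while a session user id may be a number.

```typescript
// Added example: self-or-admin guard for GET /api/payment/stats/:userId.
// Types below are assumed stand-ins for Express's Request/Response.
interface AuthUser { id: string | number; role?: string }
interface Req { user?: AuthUser; params: { userId?: string } }
interface Res { status(code: number): Res; json(body: unknown): Res }
type Next = () => void;

// Pure access decision: returns null when the caller may read the stats,
// otherwise the HTTP status that should be sent back.
function statsAccessStatus(user: AuthUser | undefined, paramUserId: string | undefined): number | null {
  if (!user) return 401;                    // no authenticated principal at all
  if (user.role === 'admin') return null;   // admins may read anyone's stats
  // Compare as strings: a strict === between a numeric session id and the
  // string route param would reject legitimate self-access.
  return String(user.id) === paramUserId ? null : 403;
}

// Express-style middleware; mount it in front of the stats handler.
function requireSelfOrAdmin(req: Req, res: Res, next: Next): void {
  const status = statsAccessStatus(req.user, req.params.userId);
  if (status === null) { next(); return; }
  res.status(status).json({ error: status === 401 ? 'unauthenticated' : 'forbidden' });
}
```

Option 3 (scoping the query to `req.user.id` and ignoring the parameter) removes the comparison entirely and is the simplest fix if admins never need to read other users' stats.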