---
issue: 024
title: "GET /api/payment/stats has no admin role guard — any authenticated user can read aggregate payment stats"
severity: major
domain: Payment
status: resolved
resolved: 2026-05-29
fix: "Already guarded by authenticateToken + authorizeRoles('admin') at paymentRoutes.ts line 56. Confirmed in current code."
labels: [security, bug, backend, major, privilege-escalation]
status: open
created: 2026-05-29
source: Doc vs Code Audit 2026-05-29
---

# 🟠 GET /api/payment/stats has no admin role guard — any authenticated user can read aggregate payment stats

**Severity:** major
**Domain:** Payment
**Labels:** security, bug, backend, major, privilege-escalation

## Description

GET /api/payment/stats (controller-pattern route) requires only authenticateToken. The /api/payment/payments/stats route requires admin role. Frontend uses the non-admin-gated path.

## Current Behavior

Any authenticated buyer can read aggregate payment platform statistics.

## Expected Behavior

Stats endpoint should be admin-only or return only caller-scoped data for non-admins.

## Affected Files

- `backend/src/routes/paymentRoutes.ts`

## References

- [Doc vs Code Audit Report](../09%20-%20Audits/Doc%20vs%20Code%20Audit%20Report%20-%202026-05-29.md)
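The gap described above, as an added example that is not the project's code: a minimal Express-style middleware runner showing the authentication-only chain beside the chain that adds the `authorizeRoles('admin')` guard the sibling route already has. `authenticateToken`, `authorizeRoles` and the token table are stand-ins modelled on the names in this issue, not the real implementations in `paymentRoutes.ts`.

```javascript
// Added example, not project code. Stand-in middleware modelled on the names
// in the issue; the real authenticateToken/authorizeRoles are assumed.

// Constructed token table standing in for JWT verification.
const TOKENS = {
  'tok-buyer': { id: 7, role: 'buyer' },
  'tok-admin': { id: 1, role: 'admin' },
};

function authenticateToken(req, res, next) {
  const raw = (req.headers.authorization || '').replace('Bearer ', '');
  const user = TOKENS[raw];
  if (!user) return res.status(401).json({ error: 'unauthenticated' });
  req.user = user;
  next();
}

function authorizeRoles(...roles) {
  return (req, res, next) => {
    if (!req.user || !roles.includes(req.user.role)) {
      return res.status(403).json({ error: 'forbidden' });
    }
    next();
  };
}

// Handler returning aggregate platform stats (constructed value).
function getPaymentStats(req, res) {
  res.status(200).json({ totalRevenue: 12345 });
}

// Minimal runner: executes a middleware chain the way Express does for one request.
function run(chain, token) {
  const req = { headers: token ? { authorization: `Bearer ${token}` } : {} };
  const res = {
    statusCode: 200, body: undefined,
    status(c) { this.statusCode = c; return this; },
    json(b) { this.body = b; return this; },
  };
  let i = 0;
  const next = () => { const fn = chain[i++]; if (fn) fn(req, res, next); };
  next();
  return res;
}

// Before: authentication only, so any buyer reaches the handler (the defect).
const statsUnguarded = [authenticateToken, getPaymentStats];
// After: same role guard as /api/payment/payments/stats; buyers now get 403.
const statsGuarded = [authenticateToken, authorizeRoles('admin'), getPaymentStats];
```

Running the guarded chain against a buyer token is the regression check to keep alongside the fix.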