---
issue: 062
title: "Backend: payment update routes lack ownership/role guards (cluster)"
severity: high
domain: Payment
labels: [security, backend, authorization, idor]
status: open
created: 2026-05-30
source: Full Codebase Audit 2026-05-30
---

# Backend: payment update routes lack ownership/role guards (cluster)

**Severity:** high
**Domain:** Payment
**Labels:** security, backend, authorization, idor

## Description

`PUT /:id updatePayment`, `PATCH /marketplace/payments/:id`, and the status-change routes in `paymentControllerRoutes.ts` require only `authenticateToken` — no role check, no ownership check, no status-transition whitelist. Any authenticated user can change any payment's status to any value.

## Options

1. Add an admin-role middleware to all payment status-mutating routes and a status whitelist.
2. Add ownership checks (`req.user.id === buyerId/sellerId`) plus a strict allowed-status-transition validator shared across routes.
3. Both: admin-only for arbitrary status writes; constrained self-service transitions for owners.

## Recommendation

Introduce a shared `requireAdmin` middleware for arbitrary status writes and a centralized transition validator; owners may only trigger whitelisted transitions. This is a business-logic and authZ change across multiple routes.

## Affected Files

- `backend/src/services/payment/paymentControllerRoutes.ts:17`

## References

- [Full Codebase Audit 2026-05-30](../09%20-%20Audits/Full%20Codebase%20Audit%20-%202026-05-30.md) — DEC-22
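The shape the Recommendation describes (option 3: `requireAdmin` for arbitrary writes, a shared transition validator for owners), as an added TypeScript example that is not the project's code. The status names, the `Payment`/`AuthUser` shapes, the whitelist contents and the Express-like `Req`/`Res` types are constructed assumptions for illustration.

```typescript
// Added example (not the project's code): a shared transition whitelist and an
// authorization decision for payment status writes. The status names, the
// Payment/AuthUser shapes and the Express-like Req/Res types are constructed.
type PaymentStatus = "pending" | "paid" | "shipped" | "completed" | "refunded" | "cancelled";
const ALL_STATUSES: readonly PaymentStatus[] = ["pending", "paid", "shipped", "completed", "refunded", "cancelled"];

interface Payment { id: string; buyerId: string; sellerId: string; status: PaymentStatus }
interface AuthUser { id: string; role: "admin" | "user" }

// Transitions a non-admin party may trigger on their own payment. Anything not
// listed is refused unless the caller is an admin.
const OWNER_TRANSITIONS: Record<PaymentStatus, { next: PaymentStatus; by: "buyer" | "seller" }[]> = {
  pending: [{ next: "cancelled", by: "buyer" }],
  paid: [{ next: "shipped", by: "seller" }],
  shipped: [{ next: "completed", by: "buyer" }],
  completed: [],
  refunded: [],
  cancelled: [],
};

// Reject unknown status strings before any transition logic runs.
export function isPaymentStatus(s: unknown): s is PaymentStatus {
  return typeof s === "string" && (ALL_STATUSES as readonly string[]).includes(s);
}

type Decision = { allowed: true } | { allowed: false; status: 400 | 403 | 409; reason: string };

// Decide whether `user` may move `payment` to `next`. Admins may write any known
// status; buyers/sellers only the whitelisted transitions for their role.
export function authorizeStatusChange(user: AuthUser, payment: Payment, next: unknown): Decision {
  if (!isPaymentStatus(next)) return { allowed: false, status: 400, reason: "unknown status" };
  const target: PaymentStatus = next;
  if (user.role === "admin") return { allowed: true };
  const isBuyer = user.id === payment.buyerId;
  const isSeller = user.id === payment.sellerId;
  if (!isBuyer && !isSeller) return { allowed: false, status: 403, reason: "not a party to this payment" };
  const ok = OWNER_TRANSITIONS[payment.status].some(
    (t) => t.next === target && ((t.by === "buyer" && isBuyer) || (t.by === "seller" && isSeller)),
  );
  return ok ? { allowed: true } : { allowed: false, status: 409, reason: `${payment.status} -> ${target} not permitted` };
}

// Minimal Express-like shapes so the middleware below runs without the framework.
interface Req { user?: AuthUser }
interface Res { status(code: number): Res; json(body: unknown): void }

// Guard for routes that accept arbitrary status writes (option 1 / recommendation).
export function requireAdmin(req: Req, res: Res, next: () => void): void {
  if (req.user?.role !== "admin") { res.status(403).json({ error: "admin role required" }); return; }
  next();
}
```

Wiring `authorizeStatusChange` into each status-mutating handler (and `requireAdmin` in front of the admin-only routes) gives every route the same decision logic instead of per-route ad hoc checks.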