---
issue: 023
title: "GET /api/payment/export has no admin role guard at route level — any authenticated user can export all payment data"
severity: major
domain: Payment
labels: [security, bug, backend, major, privilege-escalation]
status: open
created: 2026-05-29
source: Doc vs Code Audit 2026-05-29
---

# 🟠 GET /api/payment/export has no admin role guard at route level — any authenticated user can export all payment data

**Severity:** major
**Domain:** Payment
**Labels:** security, bug, backend, major, privilege-escalation

## Description

GET /api/payment/export (controller-pattern route) is protected only by `authenticateToken`; there is no admin guard at the router level. The parallel /api/payment/payments/export route does have an admin role guard. The frontend calls the non-admin-gated path, so any authenticated buyer can export all payment records.

## Current Behavior

Non-admin buyers can call GET /api/payment/export and receive payment export data for all users.

## Expected Behavior

GET /api/payment/export should apply `authorizeRoles('admin')` at the route level, matching the guarded /api/payment/payments/export route.

## Affected Files

- `backend/src/routes/paymentRoutes.ts`

## References

- [Doc vs Code Audit Report](../09%20-%20Audits/Doc%20vs%20Code%20Audit%20Report%20-%202026-05-29.md)
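The route-level gap described above, as an added illustration that is not the project's own `paymentRoutes.ts`: the reported chain (authentication only) beside the expected chain (authentication plus `authorizeRoles('admin')`), run through a hand-written middleware runner so it works without the express package. `authenticateToken`, `authorizeRoles` and the token table are assumed stand-ins for the real implementations.

```typescript
// Express-style middleware types written out by hand so the example runs without
// express; authenticateToken, authorizeRoles and TOKENS are assumed stand-ins.
type User = { id: string; role: string };
type Req = { headers: Record<string, string | undefined>; user?: User };
type Res = { status: number; body: unknown };
type Handler = (req: Req, res: Res, next: () => void) => void;

// Constructed bearer tokens standing in for JWT verification (assumption).
const TOKENS: Record<string, User | undefined> = {
  'buyer-token': { id: 'u1', role: 'buyer' },
  'admin-token': { id: 'u2', role: 'admin' },
};

// Authentication only: establishes who the caller is, says nothing about role.
const authenticateToken: Handler = (req, res, next) => {
  const auth = req.headers['authorization'] ?? '';
  const user = auth.startsWith('Bearer ') ? TOKENS[auth.slice(7)] : undefined;
  if (!user) { res.status = 401; res.body = { error: 'unauthenticated' }; return; }
  req.user = user;
  next();
};

// Authorization: short-circuits with 403 unless the authenticated role is allowed.
function authorizeRoles(...roles: string[]): Handler {
  return (req, res, next) => {
    if (!req.user || !roles.includes(req.user.role)) {
      res.status = 403; res.body = { error: 'forbidden' }; return;
    }
    next();
  };
}

// The export controller itself; it trusts the router to have gated access.
const exportPayments: Handler = (_req, res) => {
  res.status = 200;
  res.body = { rows: [{ paymentId: 'p-1', userId: 'u1', amount: 10 }] }; // constructed
};

// As reported: only authenticateToken in front of the controller.
const unguardedExportRoute: Handler[] = [authenticateToken, exportPayments];
// As expected: authorizeRoles('admin') applied at the route level.
const guardedExportRoute: Handler[] = [authenticateToken, authorizeRoles('admin'), exportPayments];

// Runs a chain the way a router does: each handler advances via next(); returns the status.
function requestExport(route: Handler[], token: string): number {
  const req: Req = { headers: { authorization: `Bearer ${token}` } };
  const res: Res = { status: 404, body: null };
  let i = 0;
  const next = (): void => { const h = route[i++]; if (h) h(req, res, next); };
  next();
  return res.status;
}
```

A regression test for the fix is the second assertion: a buyer token against the guarded chain must get 403, not 200.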