---
issue: "001"
title: "PATCH /api/disputes/:id/status has no role guard — privilege escalation"
severity: critical
domain: dispute
labels: [security, backend, bug]
status: open
created: 2026-05-29
source: Doc vs Code Audit 2026-05-29
---

# 🔴 PATCH /api/disputes/:id/status has no role guard — privilege escalation

**Severity:** critical
**Domain:** dispute
**Labels:** security, backend, bug

## Description

`PATCH /api/disputes/:id/status` is mounted with only `authenticateToken` middleware — no `authorizeRoles('admin')` guard. Any authenticated buyer or seller who knows a dispute `_id` can change that dispute's status to `resolved`, `closed`, or any other value, including states that release funds or trigger bans.

## Current Behavior

Any authenticated user (buyer or seller) can call:

```
PATCH /api/disputes/{disputeId}/status
{ "status": "resolved" }
```

and receive a 200 response. The dispute status is updated in MongoDB.

## Expected Behavior

Only users with `role: admin` should be permitted to change a dispute's status. Non-admin tokens should receive `403 Forbidden`.

## Reproduction Steps

1. Log in as a buyer or seller, obtain a JWT.
2. Find or create a dispute `_id`.
3. `PATCH /api/disputes/{id}/status` with `{ "status": "resolved" }` and the buyer/seller Bearer token.
4. Observe 200 and the status change in the DB.

## Affected Files

- `backend/src/routes/disputeRoutes.ts` — router missing `authorizeRoles('admin')` before `updateStatus` handler
- `backend/src/controllers/disputeController.ts` — `updateStatus` method

## References

- [Doc vs Code Audit Report](../09%20-%20Audits/Doc%20vs%20Code%20Audit%20Report%20-%202026-05-29.md) — Finding C16
- Related: [[ISSUE-002-dispute-resolve-no-role-guard]]
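The following is an added illustration of the missing guard described above and the fix named in Affected Files; it is not code from `disputeRoutes.ts` or `disputeController.ts`. It uses the Express `(req, res, next)` middleware shape but runs against stub request/response objects and an in-memory dispute store so it executes offline. The `authenticateToken` stand-in, the `Role` type, the `makeUpdateStatus` handler and the `patchStatus` driver are all assumptions made for the example, not the project's implementations.

```typescript
// Added example (not the project's code): unguarded vs. role-guarded status route.
type Role = "buyer" | "seller" | "admin";

interface AuthedRequest {
  user?: { id: string; role: Role }; // assumed to be populated by authenticateToken
  params: { id: string };
  body: { status?: string };
}

interface StubResponse {
  statusCode: number;
  payload: unknown;
  status(code: number): StubResponse;
  json(body: unknown): StubResponse;
}

type Middleware = (req: AuthedRequest, res: StubResponse, next: () => void) => void;

function makeResponse(): StubResponse {
  const res: StubResponse = {
    statusCode: 200,
    payload: undefined,
    status(code) { res.statusCode = code; return res; },
    json(body) { res.payload = body; return res; },
  };
  return res;
}

// Stand-in for the project's authenticateToken: assumes JWT verification already
// happened and only checks that a user identity is attached to the request.
const authenticateToken: Middleware = (req, res, next) => {
  if (!req.user) { res.status(401).json({ error: "unauthenticated" }); return; }
  next();
};

// The missing guard: reject any caller whose role is not in the allowed list.
function authorizeRoles(...allowed: Role[]): Middleware {
  return (req, res, next) => {
    if (!req.user || !allowed.includes(req.user.role)) {
      res.status(403).json({ error: "forbidden" });
      return;
    }
    next();
  };
}

type DisputeStore = Map<string, { status: string }>;

// Hypothetical updateStatus handler: writes whatever status the body carries.
function makeUpdateStatus(store: DisputeStore): Middleware {
  return (req, res) => {
    const dispute = store.get(req.params.id);
    if (!dispute) { res.status(404).json({ error: "not found" }); return; }
    if (typeof req.body.status !== "string") { res.status(400).json({ error: "status required" }); return; }
    dispute.status = req.body.status;
    res.status(200).json({ id: req.params.id, status: dispute.status });
  };
}

// Minimal router stand-in: runs middlewares in order until one stops calling next().
function runChain(chain: Middleware[], req: AuthedRequest): StubResponse {
  const res = makeResponse();
  let i = 0;
  const next = (): void => {
    const mw = chain[i++];
    if (mw) { mw(req, res, next); }
  };
  next();
  return res;
}

// Drives one PATCH against a fresh store (constructed sample data: dispute "d1" is open).
// guarded=false reproduces the reported route; guarded=true is the fixed chain.
function patchStatus(guarded: boolean, role: Role | null, newStatus: string): { code: number; stored: string } {
  const store: DisputeStore = new Map([["d1", { status: "open" }]]);
  const handler = makeUpdateStatus(store);
  const chain: Middleware[] = guarded
    ? [authenticateToken, authorizeRoles("admin"), handler]
    : [authenticateToken, handler];
  const req: AuthedRequest = {
    user: role ? { id: "u1", role } : undefined,
    params: { id: "d1" },
    body: { status: newStatus },
  };
  const res = runChain(chain, req);
  return { code: res.statusCode, stored: store.get("d1")?.status ?? "" };
}
```

The order of the chain is the whole fix: `authorizeRoles('admin')` must sit between `authenticateToken` and `updateStatus`, so a buyer or seller token is answered with 403 before the handler ever touches the store. Validating the `status` value against the set of states the workflow actually permits is a separate hardening step and is not covered here.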