---
issue: "002"
title: "POST /api/disputes/:id/resolve has no role guard — any user can resolve disputes and ban sellers"
severity: critical
domain: dispute
labels: [security, backend, bug]
status: open
created: 2026-05-29
source: Doc vs Code Audit 2026-05-29
---

# 🔴 POST /api/disputes/:id/resolve has no role guard — any user can resolve disputes and ban sellers

**Severity:** critical
**Domain:** dispute
**Labels:** security, backend, bug

## Description

The dashboard dispute router's `POST /api/disputes/:id/resolve` handler applies only `authenticateToken`. No `authorizeRoles('admin')` guard exists. Any authenticated user can post any resolution action, including `action: 'ban_seller'`, `action: 'refund'`, or `action: 'no_action'`, bypassing all admin authority.

Note: the *releaseHold* router's `POST /api/disputes/:purchaseRequestId/resolve` correctly uses `authorizeRoles('admin')`, but the dashboard router does not.

## Current Behavior

A buyer or seller can call:

```
POST /api/disputes/{disputeId}/resolve
{ "action": "ban_seller", "notes": "malicious" }
```

The resolution is persisted with a 200 response.

## Expected Behavior

`POST /api/disputes/:id/resolve` must be protected by `authorizeRoles('admin')`. Non-admin tokens should receive `403`.

## Affected Files

- `backend/src/routes/disputeRoutes.ts` (dashboard router, mounted at `/api/disputes` first)
- `backend/src/controllers/disputeController.ts` — `resolveDispute` method

## References

- [Doc vs Code Audit Report](../09%20-%20Audits/Doc%20vs%20Code%20Audit%20Report%20-%202026-05-29.md) — Finding C17
- Related: [[ISSUE-001-dispute-status-no-role-guard]], [[ISSUE-003-dispute-route-shadowing]]
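The following is an added illustration of the missing guard and its fix, not code from `disputeRoutes.ts` or the backend. Express is not imported; a minimal `(req, res, next)` middleware runner stands in for it so the block runs stand-alone. The `authenticateToken` and `authorizeRoles` implementations, the token table and the in-memory dispute store are all assumptions made for the example, not the project's real middleware. It shows that a buyer token reaches `resolveDispute` with `ban_seller` on the unguarded chain, while the same request on the chain with `authorizeRoles('admin')` stops at 403 and never touches the dispute.

```typescript
// Added example, not the project's own code. Express is replaced by a tiny
// middleware runner; authenticateToken, authorizeRoles and the dispute store
// below are assumptions standing in for the real backend.

type Role = "buyer" | "seller" | "admin";
type Action = "ban_seller" | "refund" | "no_action";

interface Req {
  headers: { authorization?: string };
  params: { id: string };
  body: { action: Action; notes?: string };
  user?: { id: string; role: Role };
}

interface Res { status: number; body: unknown }

type Handler = (req: Req, res: Res, next: () => void) => void;

// Constructed token table standing in for JWT verification (assumption).
const TOKENS: Record<string, { id: string; role: Role }> = {
  "tok-buyer": { id: "u-buyer", role: "buyer" },
  "tok-admin": { id: "u-admin", role: "admin" },
};

// Authentication only: proves who the caller is, says nothing about role.
const authenticateToken: Handler = (req, res, next) => {
  const token = (req.headers.authorization ?? "").replace(/^Bearer /, "");
  const user = TOKENS[token];
  if (!user) { res.status = 401; res.body = { error: "unauthenticated" }; return; }
  req.user = user;
  next();
};

// Role guard: continue only when req.user's role is in the allowed list.
function authorizeRoles(...allowed: Role[]): Handler {
  return (req, res, next) => {
    if (!req.user || !allowed.includes(req.user.role)) {
      res.status = 403; res.body = { error: "forbidden" }; return;
    }
    next();
  };
}

// In-memory dispute store (constructed sample data).
const disputes: Record<string, { status: string; action?: Action; resolvedBy?: string }> = {};

// Stand-in for the controller's resolveDispute: persists whatever action was posted.
const resolveDispute: Handler = (req, res) => {
  const d = disputes[req.params.id] ?? (disputes[req.params.id] = { status: "open" });
  d.status = "resolved"; d.action = req.body.action; d.resolvedBy = req.user!.id;
  res.status = 200; res.body = d;
};

// Runs a chain the way Express does: each middleware must call next() to continue.
function run(chain: Handler[], req: Req): Res {
  const res: Res = { status: 0, body: null };
  let i = 0;
  const next = () => { const h = chain[i++]; if (h) h(req, res, next); };
  next();
  return res;
}

// Vulnerable chain as described in the issue: authentication only.
const vulnerableRoute: Handler[] = [authenticateToken, resolveDispute];
// Fixed chain: authentication plus the admin role guard.
const fixedRoute: Handler[] = [authenticateToken, authorizeRoles("admin"), resolveDispute];

// Simulates POST /api/disputes/:id/resolve against a given chain.
function callResolve(route: Handler[], token: string | undefined, id: string, action: Action): Res {
  return run(route, {
    headers: token ? { authorization: `Bearer ${token}` } : {},
    params: { id },
    body: { action, notes: "test" },
  });
}

function disputeState(id: string) { return disputes[id]; }
```

The guard goes between `authenticateToken` and the controller, so an unauthenticated caller still gets 401 and an authenticated non-admin gets 403 before `resolveDispute` runs; ordering the two checks the other way round would let the role guard leak whether a token is valid.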