---
issue: "020"
title: "POST /api/disputes/:id/assign has no role guard — any user can self-assign as mediator"
severity: major
domain: dispute
labels: [security, backend, bug]
status: open
created: 2026-05-29
source: Doc vs Code Audit 2026-05-29
---

# 🟠 POST /api/disputes/:id/assign has no role guard — any user can self-assign as mediator

**Severity:** major
**Domain:** dispute
**Labels:** security, backend, bug

## Description

`POST /api/disputes/:id/assign` is mounted with only `authenticateToken`. Any authenticated buyer or seller can assign themselves as the mediator/admin for any open dispute.

## Current Behavior

```http
POST /api/disputes/{disputeId}/assign
Authorization: Bearer 

{ "adminId": "" }
```

Returns `200` and sets the dispute's assigned mediator to the buyer.

## Expected Behavior

The route should require `authorizeRoles('admin')` after `authenticateToken`. Non-admin tokens should receive `403`.

## Affected Files

- `backend/src/routes/disputeRoutes.ts` — missing role guard on the assign route

## References

- [Doc vs Code Audit Report](../09%20-%20Audits/Doc%20vs%20Code%20Audit%20Report%20-%202026-05-29.md)
- Related: [[ISSUE-001-dispute-status-no-role-guard]], [[ISSUE-002-dispute-resolve-no-role-guard]]
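The following is an added example, not code from `disputeRoutes.ts` or the project's middleware. It models the two middleware chains the issue contrasts (the current `authenticateToken`-only mount and the expected `authenticateToken` + `authorizeRoles('admin')` mount) with a small Express-style runner so it executes without Express. It assumes, hypothetically, that the token middleware places the decoded user on `req.user` with a `role` field; the bearer token format, dispute id and user id are constructed for the example.

```typescript
// Added example, not the project's code. Assumes (hypothetically) that
// authenticateToken puts the decoded user on req.user with a `role` field.

type Role = 'admin' | 'buyer' | 'seller';

interface AuthedRequest {
  headers: { authorization?: string };
  params: { id: string };
  body: { adminId?: string };
  user?: { id: string; role: Role };
}

interface Res {
  statusCode: number;
  payload?: unknown;
  status(code: number): Res;
  json(body: unknown): Res;
}

type Next = () => void;
type Handler = (req: AuthedRequest, res: Res, next: Next) => void;

// Minimal stand-in for express.Response so the chain runs without Express.
function makeRes(): Res {
  const res: Res = {
    statusCode: 200,
    status(code: number) { res.statusCode = code; return res; },
    json(body: unknown) { res.payload = body; return res; },
  };
  return res;
}

// Stand-in for the project's authenticateToken. Real code verifies a JWT;
// here a constructed bearer token of the form "<role>:<userId>" is parsed.
export const authenticateToken: Handler = (req, res, next) => {
  const header = req.headers.authorization ?? '';
  const token = header.startsWith('Bearer ') ? header.slice(7) : '';
  const parts = token.split(':');
  const role = parts[0] ?? '';
  const id = parts[1] ?? '';
  if (!id || !['admin', 'buyer', 'seller'].includes(role)) {
    res.status(401).json({ error: 'unauthenticated' });
    return;
  }
  req.user = { id, role: role as Role };
  next();
};

// Role guard in the style of the issue's authorizeRoles('admin').
// Fails closed: no user object means 401, wrong role means 403.
export function authorizeRoles(...allowed: Role[]): Handler {
  return (req, res, next) => {
    if (!req.user) {
      res.status(401).json({ error: 'unauthenticated' });
      return;
    }
    if (!allowed.includes(req.user.role)) {
      res.status(403).json({ error: 'forbidden' });
      return;
    }
    next();
  };
}

// Hypothetical assign handler: it trusts body.adminId, which is exactly why
// the role guard in front of it matters.
const assignHandler: Handler = (req, res) => {
  res.status(200).json({ disputeId: req.params.id, mediatorId: req.body.adminId });
};

// Runs a middleware chain the way Express does: each handler calls next().
export function runChain(chain: Handler[], req: AuthedRequest): Res {
  const res = makeRes();
  let i = 0;
  const next: Next = () => {
    const h = chain[i++];
    if (h) h(req, res, next);
  };
  next();
  return res;
}

// The route as currently mounted (the issue) and as it should be mounted (the fix).
export const currentChain: Handler[] = [authenticateToken, assignHandler];
export const fixedChain: Handler[] = [authenticateToken, authorizeRoles('admin'), assignHandler];

// A caller with the given role tries to name themselves mediator of a dispute.
export function tryAssign(role: Role, chain: Handler[]): number {
  const req: AuthedRequest = {
    headers: { authorization: `Bearer ${role}:user-1` }, // constructed token
    params: { id: 'dispute-123' },                        // constructed dispute id
    body: { adminId: 'user-1' },
  };
  return runChain(chain, req).statusCode;
}
```

With `currentChain`, a buyer token reaches the handler and gets `200`; with `fixedChain`, the same request stops at the guard with `403`, and an admin token still gets `200`. The guard is written to fail closed (missing `req.user` is rejected rather than skipped), so mounting it before `authenticateToken` by mistake cannot silently allow the request.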