---
issue: "028"
title: "GET /api/payment/export has no admin role guard — any authenticated user can export payment data"
severity: major
domain: payment
labels: [security, backend, bug]
status: open
created: 2026-05-29
source: Doc vs Code Audit 2026-05-29
---

# 🟠 GET /api/payment/export has no admin role guard — any authenticated user can export payment data

**Severity:** major
**Domain:** payment
**Labels:** security, backend, bug

## Description

Two parallel export endpoints exist:

- `GET /api/payment/payments/export` — has the `authorizeRoles('admin')` guard (correct)
- `GET /api/payment/export` (controller-pattern route) — only has `authenticateToken`, **no admin guard**

The frontend hits `/payment/export`, the controller-pattern route without the admin guard. Any authenticated user, including an ordinary buyer, can therefore export payment records.

## Current Behavior

`GET /api/payment/export` with any valid user JWT → 200 with the payment export data.

## Expected Behavior

`GET /api/payment/export` should require `authorizeRoles('admin')`, or the frontend should be pointed at `/api/payment/payments/export`.

Note that repointing the frontend on its own does not close the hole: the unguarded route stays reachable to anyone who calls it directly with a valid token. The guard on `/api/payment/export` (or removal of the duplicate route) is needed regardless of which URL the frontend uses.

## Affected Files

- Backend: controller-pattern route for `GET /payment/export` — missing `authorizeRoles('admin')`
- `frontend/src/lib/axios.ts` — `endpoints.payments.export` maps to the wrong route

## References

- [Doc vs Code Audit Report](../09%20-%20Audits/Doc%20vs%20Code%20Audit%20Report%20-%202026-05-29.md) — Finding M31
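## Worked Example

The following is an added example illustrating the middleware gap described above; it is not the project's own code. It reproduces an Express-style chain for the two export routes and runs it through a small stand-in dispatcher so it executes offline without Express. It assumes `authenticateToken` has already verified the JWT and attached `{ id, role }` as `req.user`; the payment rows and user objects are constructed sample data.

```javascript
// Added example (not the project's code): Express-style middleware chain for
// the two export routes, run through a tiny dispatcher so it executes offline.
// Assumptions: authenticateToken has already verified the JWT and attached
// { id, role } as req.user; the payment rows below are constructed sample data.

function authenticateToken(req, res, next) {
  // Rejects requests that carry no verified identity.
  if (!req.user) return res.status(401).json({ error: 'unauthenticated' });
  next();
}

function authorizeRoles(...roles) {
  // Role guard: only users whose role is in the allow-list reach the handler.
  return (req, res, next) => {
    if (!req.user || !roles.includes(req.user.role)) {
      return res.status(403).json({ error: 'forbidden' });
    }
    next();
  };
}

// Constructed sample records standing in for the real export payload.
const PAYMENTS = [
  { id: 'pay_1', buyerId: 'buyer_1', amount: 4200, last4: '4242' },
  { id: 'pay_2', buyerId: 'buyer_2', amount: 1999, last4: '0005' },
];

function exportPayments(req, res) {
  // The controller handler performs no access check of its own; it relies
  // entirely on the middleware chain in front of it.
  res.status(200).json({ count: PAYMENTS.length, rows: PAYMENTS });
}

// Route table: the route as currently wired, the same route with the guard
// added (the fix), and the already-guarded parallel route.
const routes = {
  'GET /api/payment/export (current)': [authenticateToken, exportPayments],
  'GET /api/payment/export (fixed)': [authenticateToken, authorizeRoles('admin'), exportPayments],
  'GET /api/payment/payments/export': [authenticateToken, authorizeRoles('admin'), exportPayments],
};

// Minimal stand-in for Express dispatch: runs the handlers in order, each one
// either calling next() or ending the response.
function dispatch(chain, user) {
  const req = { user };
  const res = {
    statusCode: null,
    body: null,
    status(code) { this.statusCode = code; return this; },
    json(payload) { this.body = payload; return this; },
  };
  let i = 0;
  const next = () => {
    const handler = chain[i++];
    if (handler) handler(req, res, next);
  };
  next();
  return { status: res.statusCode, body: res.body };
}

// Status code a given user receives on a named route.
function statusFor(routeName, user) {
  return dispatch(routes[routeName], user).status;
}

const buyer = { id: 'buyer_1', role: 'buyer' };
const admin = { id: 'admin_1', role: 'admin' };

console.log('buyer, current route:', statusFor('GET /api/payment/export (current)', buyer)); // 200 (the bug)
console.log('buyer, fixed route:  ', statusFor('GET /api/payment/export (fixed)', buyer));   // 403
console.log('admin, fixed route:  ', statusFor('GET /api/payment/export (fixed)', admin));   // 200
```

The buyer gets the full export from the current route because `authenticateToken` only establishes identity; it never checks authorization. Inserting `authorizeRoles('admin')` between it and the controller is the one-line change the issue asks for, and the same chain is what already protects `/api/payment/payments/export`.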