---
issue: 086
title: "Frontend: PaymentDetailsView status dropdown exposed to all users"
severity: medium
domain: Payment
labels: [security, frontend, authorization]
status: open
created: 2026-05-30
source: Full Codebase Audit 2026-05-30
---

# Frontend: PaymentDetailsView status dropdown exposed to all users

**Severity:** medium
**Domain:** Payment
**Labels:** security, frontend, authorization

## Description

`src/sections/payment/view/payment-details-view.tsx:312` renders the status-change dropdown unconditionally, with no `isAdmin` check. `PaymentDetailsCard` already gates the same control behind `isAdmin`, so the two components disagree: the view-level dropdown bypasses that gate and lets any authenticated user attempt a payment status change from the UI. Whether the attempt succeeds depends entirely on the backend route, which ISSUE-062 reports as lacking role guards.

## Options

1. Wrap the status `TextField` in an `isAdmin` check mirroring `PaymentDetailsCard`.
2. Hide the control for non-admins and rely on backend role enforcement as well.
3. Move status changes to an admin-only view.

## Recommendation

Gate the control behind `isAdmin` (as `PaymentDetailsCard` already does) AND ensure the backend enforces the admin role on the underlying update route (see ISSUE-062). UI gating alone is insufficient: hiding the dropdown only removes it from the rendered page, and the same request can still be sent directly to the API without the UI. The frontend check is a usability measure; the server-side check is the security boundary.

## Affected Files

- `frontend/src/sections/payment/view/payment-details-view.tsx:312`

## References

- [Full Codebase Audit 2026-05-30](../09%20-%20Audits/Full%20Codebase%20Audit%20-%202026-05-30.md) — DEC-15
- [[ISSUE-062-backend-payment-update-routes-lack-ownership-role-guards|ISSUE-062]]