---
issue: 093
title: "Backend: addEvidence has no participant ownership check on disputes"
severity: medium
domain: Dispute
labels: [security, backend, authorization]
status: open
created: 2026-05-30
source: Full Codebase Audit 2026-05-30
---

# Backend: addEvidence has no participant ownership check on disputes

**Severity:** medium
**Domain:** Dispute
**Labels:** security, backend, authorization

## Description

`src/routes/disputeRoutes.ts:32` registers the `addEvidence` route with only the `authenticateToken` middleware. Authentication alone proves who the caller is, not that they are a party to the dispute, so any authenticated user can submit evidence to any dispute, not only the buyer, seller or admin who are its participants.

## Options

1. Verify that `req.user.id` is the buyer or seller of the dispute before accepting evidence.
2. Allow admins plus participants only.
3. Add the participant check in the controller and reject otherwise.

## Recommendation

Add a participant (buyer/seller/admin) check in `addEvidence` before persisting. This is an authorization-logic change.

## Affected Files

- `backend/src/routes/disputeRoutes.ts:32`
- `backend/src/controllers/disputeController.ts` — `addEvidence` handler

## References

- [Full Codebase Audit 2026-05-30](../09%20-%20Audits/Full%20Codebase%20Audit%20-%202026-05-30.md) — DEC-27
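The following is an added, dependency-free sketch of the recommended check, written for this issue and not taken from the project's code base. It separates the policy (who may add evidence to a given dispute) from a handler-shaped `addEvidence` that loads the dispute, authorizes, and persists only on success. The types `AuthUser` and `Dispute`, the `role` field, the function names, and the in-memory store are all assumptions; the real controller would read the dispute from its repository and `req.user` from `authenticateToken`.

```typescript
// Added example, not the project's own code. Type and function names
// (AuthUser, Dispute, authorizeEvidenceSubmission, addEvidence) are assumptions.

type Role = "buyer" | "seller" | "admin";

interface AuthUser {
  id: string;
  role: Role; // assumed to be populated by authenticateToken
}

interface Dispute {
  id: string;
  buyerId: string;
  sellerId: string;
}

interface EvidenceRecord {
  disputeId: string;
  submittedBy: string;
  note: string;
}

interface Decision {
  allowed: boolean;
  status: number; // HTTP status the handler should answer with
  reason: string;
}

// Constructed sample data standing in for the database.
const disputes = new Map<string, Dispute>([
  ["d-1", { id: "d-1", buyerId: "u-buyer", sellerId: "u-seller" }],
]);
const evidenceStore: EvidenceRecord[] = [];

// Pure policy: only the dispute's buyer, its seller, or an admin may add evidence.
function authorizeEvidenceSubmission(dispute: Dispute | undefined, user: AuthUser): Decision {
  if (!dispute) {
    return { allowed: false, status: 404, reason: "dispute not found" };
  }
  if (user.role === "admin") {
    return { allowed: true, status: 201, reason: "admin" };
  }
  if (user.id === dispute.buyerId || user.id === dispute.sellerId) {
    return { allowed: true, status: 201, reason: "participant" };
  }
  // Authenticated but unrelated to this dispute: the case authenticateToken
  // alone cannot catch, which is the gap this issue describes.
  return { allowed: false, status: 403, reason: "not a participant in this dispute" };
}

// Handler-shaped wrapper: load, authorize, and only then persist.
function addEvidence(
  disputeId: string,
  user: AuthUser,
  note: string,
): { status: number; body: Record<string, unknown> } {
  const dispute = disputes.get(disputeId);
  const decision = authorizeEvidenceSubmission(dispute, user);
  if (!decision.allowed) {
    return { status: decision.status, body: { error: decision.reason } };
  }
  const record: EvidenceRecord = { disputeId, submittedBy: user.id, note };
  evidenceStore.push(record);
  return { status: decision.status, body: { evidence: record } };
}

// Helper for checking that rejected submissions were never persisted.
function evidenceCount(disputeId: string): number {
  return evidenceStore.filter((e) => e.disputeId === disputeId).length;
}
```

The check runs after the dispute is loaded and before anything is written, so a rejected request leaves no record. Whether a non-participant gets 403 or a 404 that hides the dispute's existence is a product choice; the essential part is that the negative case (an authenticated user who is neither party nor admin) is covered by a test alongside the positive ones.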